Mysterious IP address behind the first large-scale nationwide domain name resolution failure raises suspicion of a hacker attack

Source: Internet
Author: User
Keywords: caching, server, domain name, fault


Sina Science and Technology Nan

At 3 o'clock in the afternoon on January 21, more than ten alarm emails startled Cobo into a cold sweat.

Cobo works at one of the ten highest-traffic websites in China, where he and his team maintain, around the clock, a site with billions of page views a day. More than ten alarm emails meant that users in more than ten provinces across the country could not reach the site.

"Something wrong with the core machine room?" Cobo muttered to himself, hurried out of a meeting and trotted upstairs, back to the work hall of the operations and maintenance department. The landline on his desk was ringing. "This is XX from the customer service department. A user in Zhejiang reports that our homepage won't open..." "Got it."

Cobo hung up at once and called out to his colleague on duty, "What's going on?" "The Beijing and Shanghai machine rooms and the CDN (content delivery network) all report normal. I pinged the domain name and the IP address it resolves to is wrong; it may be a DNS problem," the colleague on duty answered.

"Don't bother checking, it's not our problem; DNS is broken for all .com domain names," said another colleague, who was browsing Weibo. "Look at DNSPod's Weibo post: it says the root of all the common top-level domains in China is abnormal, and they are coordinating with the relevant agencies."

DNSPod is the country's largest DNS resolution service provider and domain name custodian, managing more than 2.7 million domain names. Cobo pushed up his glasses and read the post carefully along with them. "Don't be careless; go and check the machine room anyway," he said.

At almost the same moment, Shuo, one of the people in charge of the machine room at one of Beijing's largest data centers, was just as tense. When he answered the call from Sina Technology, the landline behind him was ringing. "Yes, we have already seen the problem in monitoring, and many websites have reported it to us; we are in a meeting to work out how to handle it." He hung up hurriedly.

"Users are scolding us on Weibo," Cobo's colleague told him. He said to Sina Technology with a wry smile, "There is nothing we can do; it is a systemic problem across the whole network. All we can do is tell users to visit us directly by IP address."

What went wrong?

"Every device connected to the Internet must have an IP address, just as every house has an address so that others can find it," Cobo began, explaining to Sina Technology. "An IP address is a number, such as 120.84.21.23, but it is too cumbersome for Internet users to remember such numbers, so domain names were introduced."

A domain name is another representation of an IP address, and DNS is the service that translates domain names into IP addresses. For example, when a user enters facebook.com in a browser, the browser asks the user's nearest DNS server, "What is the IP address of facebook.com?"

This nearest DNS server is usually one operated by the local telecom operator. If it does not know the answer, it asks the next level up, typically the operator's national DNS server. If the national DNS server does not know either, it queries the global DNS servers.

At the top of this hierarchy are the 13 global root servers, named "A" through "M"; ten of them are located in the United States, and the United Kingdom, Sweden and Japan each host one.

To prevent a failure of those servers from disrupting access worldwide, many countries now host mirrors of them. China also has a top-level domain name server at its international network gateway. "This time the anomaly was a resolution error on that server," Cobo explained.

Why were some people affected and others not?

This is because, to speed up user access, the whole system has multiple levels of caching: the browser cache, the operating system cache, the router cache, the DNS server cache, and so on.

When a user visits a website, the browser records the corresponding IP address for a certain period, so that on the next visit it can answer directly instead of repeating the query upstream. The user's computer, router and DNS server likewise each keep a cache. Every cache entry has a time limit, and once it expires the server queries upstream for the latest record again.

When a top-level root server fails, user access is not interrupted immediately, because the caches at every level still hold answers. Only when a cache expires and the higher level is queried again does the root server's erroneous answer take effect, and the user's access fails. The caching time, however, varies enormously with configuration: some caches last only 30 seconds, others up to 12 hours.

By 4 o'clock in the afternoon, resolution at the national root server had gradually returned to normal. By the same logic, affected users did not recover immediately, because the wrong record was still in their caches; in the worst case they might have to wait up to 24 hours, since the correct record takes effect only when the cached one expires.

A large website generally does not put all of its content under a single domain name; images and databases, for example, usually sit under a different domain. When some domain names are cached correctly and others are cached wrongly, a page may load without its images, or the images may load while the text and data are garbled.
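The resolution chain and the caching behaviour described in the two sections above can be modelled in a few dozen lines. The following Python script is an added illustration, not code from the article or from any of the companies it mentions: it simulates the browser, operating system, local operator resolver and national resolver as caches with their own TTLs in front of a top-level server that can be flipped into a "contaminated" state, and shows why one user whose caches were warm before the fault never noticed it, another who refreshed during the fault kept getting the wrong address long after the top-level server was repaired, and a third with a 30-second cache recovered within seconds. The domain name, the correct IP and the TTL values are constructed for the example; the only value taken from the article is the address 65.49.2.178 to which requests were reported to be redirected.

```python
"""Toy model of hierarchical DNS resolution with per-level TTL caches.

Added illustration only (not the article's code). Levels are queried nearest
first; the first level holding a fresh entry answers, and every level that
missed is filled on the way back, each with its own TTL. Simulated time is in
seconds.
"""
from dataclasses import dataclass, field

POISON_IP = "65.49.2.178"                         # address reported in the article
CORRECT = {"example-site.com": "120.84.21.23"}    # constructed "true" record


@dataclass
class Cache:
    """One caching level (browser, OS, operator resolver, ...)."""
    name: str
    ttl: int
    entries: dict = field(default_factory=dict)   # qname -> (ip, expires_at)

    def get(self, qname, now):
        hit = self.entries.get(qname)
        if hit and hit[1] > now:                  # still fresh
            return hit[0]
        return None

    def put(self, qname, ip, now):
        self.entries[qname] = (ip, now + self.ttl)


class TopLevelServer:
    """Top of the chain; `contaminated` makes it answer with the wrong IP."""
    def __init__(self):
        self.contaminated = False

    def answer(self, qname):
        return POISON_IP if self.contaminated else CORRECT[qname]


def resolve(qname, chain, top, now):
    """Walk the caches nearest-first; fall through to the top-level server."""
    missed = []
    for level in chain:
        ip = level.get(qname, now)
        if ip is not None:
            break
        missed.append(level)
    else:
        ip = top.answer(qname)                    # every cache was cold or stale
    for level in missed:                          # back-fill with whatever we got
        level.put(qname, ip, now)
    return ip


def observe(query_times, ttls, poison_from, poison_until, qname="example-site.com"):
    """Run one user's queries at the given times and return {time: ip}.

    `ttls` lists (level_name, ttl_seconds) from nearest to farthest; the
    top-level server is contaminated for poison_from <= t < poison_until.
    """
    top = TopLevelServer()
    chain = [Cache(name, ttl) for name, ttl in ttls]
    seen = {}
    for t in sorted(query_times):
        top.contaminated = poison_from <= t < poison_until
        seen[t] = resolve(qname, chain, top, t)
    return seen


# Constructed TTLs: 30 s browser, 60 s OS, 12 h operator resolver, 5 min national.
LEVELS = [("browser", 30), ("os", 60), ("local-resolver", 12 * 3600), ("national-resolver", 300)]

if __name__ == "__main__":
    # Fault lasts from t=100 to t=3700, roughly the hour the article reports.
    print("warm before fault :", observe([0, 500, 3000], LEVELS, 100, 3700))
    print("cold during fault :", observe([200, 3000, 5000, 12 * 3600 + 300], LEVELS, 100, 3700))
    print("30-second cache   :", observe([200, 4000], [("browser", 30), ("local-resolver", 30)], 100, 3700))
```

The second user is the case the article describes: their operator resolver learned the poisoned answer at t=200 and keeps serving it from cache until its 12-hour TTL runs out, well after the top-level server was repaired at t=3700, which is why an outage of under an hour produced users who stayed broken for many hours.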

The mystery IP address raises suspicion of hackers

As the failure subsided, Shuo at the data center also breathed a sigh of relief. He told Sina Technology that the cause of the incident was contamination of the root domain server: domain name resolution requests were all being pointed at the IP address 65.49.2.178.

However, according to Shuo's tests of multiple domain names, foreign domain names such as Facebook and Twitter resolved normally, while domestic domain names were contaminated. Even so, the scope of the impact was unprecedented: Baidu, Sina, Tencent and the vast majority of domestic websites were unreachable, and the root domain server failure lasted nearly an hour.
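The test Shuo describes, resolving a batch of unrelated domain names and noticing that the domestic ones all come back with one and the same address, is exactly the kind of check a monitoring system can run continuously. The Python function below is an added example, not code from the article or from any data center mentioned in it: it compares a fresh probe of a watch-list against the last-known-good answers and raises an alarm when several names whose baseline addresses differ have all collapsed onto a single new IP. The domain names and baseline addresses in the sample are constructed; only 65.49.2.178 is taken from the article.

```python
"""Detect a 'resolution collapse': many unrelated names suddenly resolving to
one IP. Added example, not the article's code. The baseline and probe results
below are constructed; a real probe would fill `results` from a resolver."""
from collections import Counter
import socket


def collapse_alarm(results, baseline, min_names=3):
    """results:  {domain: ip} from the latest probe.
    baseline: {domain: ip} last-known-good answers.
    Returns (suspect_ip, [domains]) when at least `min_names` domains that
    used to resolve to different addresses now all resolve to one IP that
    none of them had before; otherwise None."""
    changed = {d: ip for d, ip in results.items() if baseline.get(d) != ip}
    for ip, count in Counter(changed.values()).most_common(1):
        names = sorted(d for d, v in changed.items() if v == ip)
        # Require diversity in the old answers, so a CDN that legitimately
        # moves a group of its own names together does not trip the alarm.
        if count >= min_names and len({baseline[d] for d in names}) >= min_names:
            return ip, names
    return None


def probe(domains, resolver=socket.gethostbyname):
    """Resolve each domain; unreachable names are recorded as None."""
    out = {}
    for d in domains:
        try:
            out[d] = resolver(d)
        except OSError:
            out[d] = None
    return out


# Constructed baseline: four domestic portals and two foreign ones.
BASELINE = {
    "portal-a.cn": "203.0.113.10", "portal-b.cn": "203.0.113.20",
    "portal-c.cn": "203.0.113.30", "news-d.cn": "203.0.113.40",
    "social-x.example": "198.51.100.5", "social-y.example": "198.51.100.6",
}

# Constructed probe mirroring the article: domestic names collapsed, foreign fine.
DURING_FAULT = {
    "portal-a.cn": "65.49.2.178", "portal-b.cn": "65.49.2.178",
    "portal-c.cn": "65.49.2.178", "news-d.cn": "65.49.2.178",
    "social-x.example": "198.51.100.5", "social-y.example": "198.51.100.6",
}

if __name__ == "__main__":
    print(collapse_alarm(DURING_FAULT, BASELINE))
    print(collapse_alarm(BASELINE, BASELINE))      # healthy probe -> None
```

Because the alarm fires on the shape of the answers rather than on any particular address, it would also catch a future incident that redirected names to a different IP; the second condition (the old answers must themselves have been diverse) keeps a single operator moving all of its own hostnames to a new load balancer from being reported as a collapse.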

By a rough estimate, more than 200 million domestic users were affected, for an average of about 3 hours. As of 10 o'clock on the evening of the 21st, more than ten regions in the country were still affected by the DNS failure, including Guizhou Telecom, Henan Telecom, Hong Kong New World, Jiangsu Telecom and Beijing Telecom.

The domestic vulnerability reporting platform Wooyun ("Dark Cloud") said that 65.49.2.178 is located abroad and that there is evidence this IP has been used in the past for sending spam and for politically targeted hacking activity, so a hacker attack could not be ruled out.

A security expert at Kingsoft (Jinshan) said that a lookup of the registration records for 65.49.2.178 placed it with the company Marvell in North Carolina, USA. "The domain names of a large number of well-known Chinese IT companies were resolved to a U.S. company; from what we can see so far, the incident was most likely a hacker attack," the expert said.

In the early hours of August 25 this year, China's .CN domain suffered a large-scale resolution failure. The China Internet Network Information Center later revealed that at 0 o'clock that day the country's domain name resolution nodes came under a denial-of-service attack; after the response, the servers were back to normal by 2 o'clock. It was the largest denial-of-service attack the .cn domain had ever suffered.

However, Shuo and another network security expert both believe that this DNS pollution incident, the largest in scope the country has yet seen, is far beyond what an ordinary hacker could accomplish. "It is more likely related to a configuration adjustment on the backbone network," the network security expert said.
