{"id":4978,"date":"2015-12-22T14:59:48","date_gmt":"2015-12-22T14:59:48","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=4978"},"modified":"2020-02-27T04:00:30","modified_gmt":"2020-02-26T17:00:30","slug":"root-servers-ddos","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/root-servers-ddos\/4978\/","title":{"rendered":"Root DNS servers DDoS&#8217;ed: was it a show-off?"},"content":{"rendered":"<p>DDoS attacks are a formidable (and somewhat regular) problem for businesses, but occasionally they appear to be a threat to the entire Web. On Nov. 30 and Dec. 1, somebody launched <a href=\"https:\/\/threatpost.com\/internet-root-name-servers-survive-unusual-ddos-attack\/115614\/\" target=\"_blank\" rel=\"noopener nofollow\">a massive and unusual DDoS attack<\/a> which hit the internet root servers responsible for resolving IP addresses. Apparently, it was a case of vandalism, or even borderline terrorism, but fortunately the impact of the attack upon the root servers was minimal, thanks to the DNS architecture.<\/p>\n<p>In its advisory, the Internet Assigned Numbers Authority (IANA) said the effect was \u201climited to potentially minor delays for some name lookups when a recursive name server needs to query a DNS root name server (e.g. a cache miss)\u201d.<\/p>\n<p>The attackers used quite an unusual method. The amplified queries were sent to most of the DNS root name server letters, and the source addresses were \u201crandomized and distributed,\u201d IANA said. 
But, according to the advisory, the source addresses were \u201cwidely and evenly distributed\u201d, while the query name was not.<\/p>\n<p>As Threatpost has it, many of the more traditional DNS amplification attacks take advantage of the availability of publicly accessible and open DNS servers, spoofing the source address with the target\u2019s address so that responses overwhelm this address.<\/p>\n<p>In this particular case, DNS root name servers which use IP anycast (a one-to-many network routing) were seeing traffic at significant volumes \u2013 the observed traffic volume was up to approximately 5 million queries per second, per DNS root name server letter receiving the traffic. Quite a lot, we should say.\u00a0But, fortunately, not nearly enough to bring down the DNS.<\/p>\n<p>The organization recommends the use of source address validation and BCP-38 to lessen the ability of attackers to use spoofed packets to their advantage.<\/p>\n<p>The full advisory is available <a href=\"http:\/\/root-servers.org\/news\/events-of-20151130.txt\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a>.<\/p>\n<p>It is a matter of speculation who could have launched this attack and why they did it. 
IANA said it\u2019s unrealistic to identify the real source of the attack, due to the fact that IP source addresses can be easily spoofed, and because event traffic landed at large numbers of anycast sites.<\/p>\n<p>Yet another potent DDoS attack has recently hit\u00a0the academic computer network known as Janet in a \u201ctargeted and sustained set of attacks,\u201d <a href=\"http:\/\/www.techweekeurope.co.uk\/security\/cyberwar\/ddos-attack-dns-servers-182095\" target=\"_blank\" rel=\"noopener nofollow\">according to the network\u2019s operator Jisc<\/a>.<\/p>\n<p>The attack has reportedly left university students across the UK unable to submit work, which may serve as a hint at the reasons behind the attack (if not its origin).<\/p>\n<p>But the first attack seems to make much less sense. We can only assume somebody was testing a novel type of attack \u2013 or just showing off. Anyway, an attack of this scope may be a mosquito bite for the World Wide Web\u2019s root servers, but for a single company network it is like getting hit with a freight train.<\/p>\n<p>Unless there are protective measures in place, such as the Kaspersky DDoS Protection solution.<\/p>\n<p>Kaspersky DDoS Protection fights attacks on two fronts: via DDoS intelligence and Kaspersky\u2019s special defense infrastructure. 
The security intelligence team uses sophisticated methods to monitor the DDoS threat landscape to stay ahead of the criminals \u2013 to achieve the earliest possible detection of DDoS attacks.<\/p>\n<p>In addition, Kaspersky Lab\u2019s solution uses a combination of on-site &amp; off-site technologies to protect your business.<\/p>\n<p>A more detailed description of the solution is available at this <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/ddos-protection\" target=\"_blank\" rel=\"noopener nofollow\">link<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>DDoS attacks are a formidable (and somewhat regular) problem for businesses, but occasionally they appear to be a threat to the entire Web. On Nov. 30 and Dec. 1,<\/p>\n","protected":false},"author":209,"featured_media":15495,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[1058,2373,1905],"class_list":{"0":"post-4978","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-ddos","10":"tag-ddos-protection","11":"tag-dns"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/root-servers-ddos\/4978\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/root-servers-ddos\/4978\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/root-servers-ddos\/4978\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/ddos\/","name":"ddos"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/4978","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.
com.au\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=4978"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/4978\/revisions"}],"predecessor-version":[{"id":26805,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/4978\/revisions\/26805"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/15495"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=4978"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=4978"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=4978"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}