ISC/UMD/Cogent Paul Vixie, ISC
OCTOBER21.TXT Gerry Sneeringer, UMD
November 24, 2002 Mark Schleifer, Cogent

Events of 21-Oct-2002

Abstract

On October 21, 2002, the Internet Domain Name System’s root name
servers sustained a denial of service attack. This report explains
the nature and impact of the attack, based on previously and
publicly available information.

1 – Nature of Attack

1.1. A coordinated DDoS (distributed denial of service) attack was
launched at approximately 2045UTC and lasted until approximately
2200UTC. All thirteen (13) DNS root name servers were targeted
simultaneously.

1.2. Attack volume was approximately 50 to 100 Mbits/sec (100 to 200
Kpkts/sec) per root name server, yielding a total attack volume of
approximately 900 Mbits/sec (1.8 Mpkts/sec).

1.3. Attack traffic contained ICMP, TCP SYN, fragmented TCP, and UDP.

1.4. Attack source addresses were mostly randomized, chosen within
netblocks which were mostly present in the routing table at the time of
the attack.

2 – Impact of Attack

2.1. Some root name servers were unreachable from many parts of the
global Internet due to congestion from the attack traffic delivered
upstream/nearby. While all servers continued to answer all queries they
received (due to successful overprovisioning of host resources), many
valid queries were unable to reach some root name servers due to attack-
related congestion effects, and thus went unanswered.

2.2. Several root name servers were reachable by inside-metro queries
but not from outside-metro, due to attack-related congestion on wide
area links connecting that metro to other parts of the world wide
Internet.

ISC/UMD/Cogent Event Report [Page 1]

OCTOBER21.TXT Events of 21-Oct-2002 November 27, 2002

2.3. Several root name servers were continuously reachable from
virtually all monitoring stations for the entire duration of the attack,
due to successful overprovisioning at the network level (through a
combination of multiple locations, fat pipes, hardware switched load
balancing, and high path splay).

2.4. There are no known reports of end-user visible error conditions
during, and as a result of, this attack. Because the DNS protocol is
designed to cope with partial reachability among a set of name servers,
there may have been a minor delay (on the order of several seconds) for
some name lookups. This would have manifested itself as a barely
perceptible initial delay in some web browsers or other client programs
(such as “ftp” or “ssh”).

2.5. Wide scale visibility of this attack came about only as a result of
health monitoring projects around the Internet, usually in the form of
“strip chart” graphics showing response time variance of a periodic,
simple query against some set of servers, including root name servers.

3 – Analysis

3.1. This attack was unusual in that it was synchronized to take place
against all thirteen (13) root name servers simultaneously. Other types
of attacks, against only one server at a time, are more common.

3.2. The system functioned as designed, demonstrating overall robustness
in the face of a concerted, synchronized attack against all thirteen
(13) root servers.

3.3. Because IP source addresses are trivial to forge, there is little
correlation between the apparent source of an attack and the actual
source of an attack. Therefore, tracking this attack back to its source
will be a challenge. In any case its source (if typical for DDoS
attacks) will be a large number of “drones”, each sending only a small
amount of traffic, using randomized source addresses within mostly valid
netblocks.
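The observation in 1.4 and 3.3, that the spoofed sources were randomized within netblocks already present in the routing table, determines how much a bogon filter at the server can help. The following is an added analysis example, not part of the report and not the authors' code: it takes a constructed routing-table snapshot and a constructed list of observed source addresses (both invented here, using RFC 5737 documentation ranges), and reports what share of sources an unrouted-prefix filter would drop and how the rest spread across routed prefixes.

```python
import ipaddress
from collections import Counter

# Constructed routing-table snapshot (not from the report): three prefixes
# standing in for the full global table. RFC 5737 documentation ranges are
# used so nothing here refers to a real network.
ROUTED_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample of source addresses as a capture might list them: most
# lie inside routed space (the case the report describes), a few do not.
SAMPLE_SOURCES = [
    "192.0.2.17", "192.0.2.200", "198.51.100.9", "203.0.113.45",
    "203.0.113.46", "198.51.100.250", "10.9.8.7", "192.0.2.99",
    "100.64.1.1", "203.0.113.1",
]


def routed_prefix(addr, prefixes=ROUTED_PREFIXES):
    """Longest-prefix match of one address against the routing snapshot.
    Returns the matching network, or None if the address is unrouted."""
    ip = ipaddress.ip_address(addr)
    matches = [p for p in prefixes if ip in p]
    return max(matches, key=lambda p: p.prefixlen) if matches else None


def classify_sources(addrs, prefixes=ROUTED_PREFIXES):
    """Split observed sources into routed vs. unrouted.

    Returns (routed_fraction, hits_per_prefix, unrouted_addresses). The
    unrouted list is what a bogon filter at the server could drop; the
    per-prefix counts show how the remainder is spread over legitimate
    netblocks, which is why such a filter alone has limited effect."""
    per_prefix = Counter()
    unrouted = []
    for a in addrs:
        p = routed_prefix(a, prefixes)
        if p is None:
            unrouted.append(a)
        else:
            per_prefix[str(p)] += 1
    routed = len(addrs) - len(unrouted)
    fraction = routed / len(addrs) if addrs else 0.0
    return fraction, dict(per_prefix), unrouted


if __name__ == "__main__":
    frac, hits, bogons = classify_sources(SAMPLE_SOURCES)
    print(f"routed: {frac:.0%}  per-prefix: {hits}  droppable: {bogons}")
```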

3.4. While the root server system is continuously upgraded even in
normal times, and is massively overprovisioned to make it robust against
attacks or network failures, the 21-Oct-2002 attack has given cause for
faster than normal upgrades, including increased peering and transit
connectivity, and wide area server mirroring in order to collect attack
flows in diverse locations and prevent an attack from concentrating on
small numbers of network congestion points.

4 – Authors’ Addresses

Paul Vixie
Internet Software Consortium
950 Charter Street
Redwood City, CA 94063
+1.650.779.7001
<vixie@isc.org>

Gerry Sneeringer
University of Maryland
Office of Information Technology
College Park, MD 20742
+1.301.405.3003
<sneeri@umd.edu>

Mark Schleifer
Cogent Communications
1015 31st St, NW
Washington, DC 20007
+1.202.295.4200
<MSchleifer@Cogentco.com>
