ICANN: Anycast saved DNS root servers during attack

Summary: The two DNS root servers "badly affected" by last month's intense denial-of-service attack were the only two targeted that have not yet installed the Anycast load balancing technology, according to a report (.pdf) released by ICANN.

During the cross-continent attack, which lasted about two and a half hours on February 6, unknown attackers used hijacked computers in the Asia-Pacific region to bombard six of the 13 root servers with traffic of roughly 1 gigabit per second. Because most of the targeted servers were using Anycast, end users were not affected.

(NOTE: Data measuring 1Gb per second is roughly equivalent to receiving 13,000 e-mails every second, or over 1.5 million e-mails in just two minutes).

Anycast is a network addressing and routing scheme in which the same IP address is announced from several physical locations, so that each packet is routed to the nearest (or otherwise best) instance rather than to a single host. During the attacks, ICANN said it worked as a perfect foil, and the report highlighted the need for the root servers not yet using the technology -- D, E, G, H and L -- to move over soon.
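To make the report's point concrete, the following is an added example (not code from the article or from ICANN) that simulates why a flood from one region swamps a unicast server but is confined to one instance of an anycast server. The topology, hop counts, traffic volumes and site capacity are all constructed for illustration; route selection is reduced to "fewest hops", standing in for BGP's shortest-AS_PATH preference, with the other tie-breakers ignored.

```python
"""Anycast vs unicast under a regional flood (constructed simulation).

Four regions, each standing in for one AS, with a constructed symmetric
hop-count between every pair. A root-server operator either announces its
prefix from one site (unicast) or from several sites (anycast). Every
client region forwards to the announcing site with the fewest hops, the
way BGP prefers the shortest AS_PATH when the same prefix is heard from
several origins.
"""
from collections import defaultdict

# Constructed topology: hop counts between regions (not measured data).
REGIONS = ["apac", "europe", "na_east", "na_west"]
HOPS = {
    ("apac", "europe"): 4, ("apac", "na_east"): 3, ("apac", "na_west"): 2,
    ("europe", "na_east"): 2, ("europe", "na_west"): 3,
    ("na_east", "na_west"): 1,
}

# Constructed traffic figures: legitimate query rate per region, the extra
# rate injected by a botnet concentrated in one region, and how many
# packets per second a single server site can absorb before it degrades.
LEGIT_PPS = 1_000
FLOOD_PPS = 100_000
SITE_CAPACITY = 20_000


def hops(a, b):
    """Symmetric hop count between two regions (0 for the same region)."""
    if a == b:
        return 0
    return HOPS.get((a, b), HOPS.get((b, a)))


def select_site(client_region, announcing_sites):
    """Route to the announcing site with the fewest hops; ties broken by name.

    With a single announcing site this degenerates to unicast: every client
    ends up at that one site regardless of distance.
    """
    return min(announcing_sites, key=lambda s: (hops(client_region, s), s))


def attack_traffic(flood_region="apac", flood_pps=FLOOD_PPS):
    """Per-region packet rate: baseline everywhere plus a flood from one region."""
    traffic = {r: LEGIT_PPS for r in REGIONS}
    traffic[flood_region] += flood_pps
    return traffic


def distribute_load(traffic_pps, announcing_sites):
    """Sum the traffic that each announcing site actually receives."""
    load = defaultdict(int)
    for region, pps in traffic_pps.items():
        load[select_site(region, announcing_sites)] += pps
    return dict(load)


def affected_regions(traffic_pps, announcing_sites, capacity=SITE_CAPACITY):
    """Regions whose chosen site is over capacity, i.e. whose users see failures."""
    load = distribute_load(traffic_pps, announcing_sites)
    return sorted(r for r in traffic_pps
                  if load[select_site(r, announcing_sites)] > capacity)


def compare_deployments(traffic_pps=None):
    """Impact of the same flood against unicast, partial and full anycast."""
    traffic_pps = traffic_pps or attack_traffic()
    return {
        "unicast (one site in na_east)": affected_regions(traffic_pps, ["na_east"]),
        "anycast (two sites)": affected_regions(traffic_pps, ["europe", "na_west"]),
        "anycast (site in every region)": affected_regions(traffic_pps, REGIONS),
    }


if __name__ == "__main__":
    for deployment, broken in compare_deployments().items():
        print(f"{deployment:32s} users affected in: {broken or 'none'}")
```

With the constructed numbers, the unicast server receives the whole flood plus everyone's legitimate queries and fails for all four regions; with a site in every region the flood lands only on the instance nearest its source, and clients elsewhere never see it. The two-site case shows the intermediate result the report describes for a partially deployed system: the sites closest to the botnet absorb the attack, and only the regions that route to them are affected. Real deployments have far more instances and attack sources spread across them, so the same mechanism dilutes the flood further.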

The report is disappointingly sparse on details of the origins or tactics used by the attackers. ICANN confirmed suspicions that zombie machines in South Korea formed the botnet that launched the attack but warned that this is mostly "educated guesswork."

"It could just as easily have come from a number of different countries at the same time. It is even possible that the attack originated from outside the region and many of the Internet addresses that the attack appeared to come from had in fact been 'spoofed' or faked," ICANN said. "In fact, engineers are fairly sure that it did come from Asia-Pacific, but even so this does not mean that whoever was behind the attack is based in Asia-Pacific because they could just as easily have triggered it from anywhere on the network, i.e., anywhere in the world."

South Korean authorities are already on record as saying that the attack commands were sent from a host server in Coburg, Germany.

Some highlights from the ICANN report:

  • At least six root servers were attacked but only two of them were noticeably affected: the "g-root", which is run by the U.S. Department of Defense and is physically based in Ohio, and the "l-root" run by ICANN.
  • These two were badly affected because they are the only attacked root servers that have yet to deploy Anycast (a further three root servers without Anycast were not attacked this time).
  • Not all root servers have moved to Anycast yet, and that was a conscious decision to avoid a single point of failure. There were concerns that allowing many different servers to appear as though they were at the same address might carry a security risk, so a few root servers tried the system first, tested it thoroughly and ironed out any bugs before the next set moved over.
  • The operators of the servers that were hit by the attack were aware of it almost instantaneously. Because of the way the attack worked (where a command is given at the same time to a large number of computers to send data to the same place), it arrived like a brick wall, which immediately set off all the alarms built into the networks.
  • One possible explanation for the root server attacks is to act as an advertisement for a particular botnet.

Topics: Servers, Networking, Security



  • What is the logic?

    of attacking the DNS root servers with a DDOS? I can sort of understand attacking say a bank server if they shafted you with overdraft fees, or such. But attacking the heart of the internet? Seems to me that'd also hurt the attacker as well as the internet.

    Maybe that's why I don't get it. I don't think like a criminal.

    - Kc
    • Unless...

      You're a government testing out your cyber warfare capabilities. Bogging down the internet while you have your own backup network would be a good first strike capability. Coupled with an attack on something like a country's satellites, it could put many countries in the dark information wise.

      You're right though, it wouldn't make much sense for a criminal to cripple the internet (unless being paid by a government to do so).
      • Or...

        Or, as the report speculated, it's just an advertisement for the power of a for-rent botnet.

        Ryan Naraine
        • Maybe, but

          You're also advertising yourself to the people who would want to take your botnet down. And you would be advertising that discretion is not something you're good at, one of my first priorities when shopping for a criminal to help me out.

          If the people defending the DNS servers are having a hard time saying who did it, then I can't imagine that it would be easy for someone interested in using this botnet to track down the operator of it.

          This has the characteristics of a probe attack. Come from nowhere, test your own capabilities, see the reaction, and then disappear before you expose yourself....
  • Root DNS servers still testing?

    Why are they still testing anycast? The root nameserver F, operated by ISC, has been running anycast since late 2002.

    Yes, prudence would dictate taking your time to roll it out - especially when talking of the nerve center of the Internet, but at this rate, it will still take a couple years to deploy it to the last of the unicast-only root servers.

    Have there been problems during the conversion? After all, anycast would only be used for UDP client requests, and management, zone transfers and such, using secure connections or not, would use standard unicast addresses. Are there problems with IPv6 anycast that aren't well known that could explain the slow rollout?
  • So "cyberterrorism" doesn't work, eh?

    So, with large companies that are vital to the Internet infrastructure moving to technologies like this, it seems that DDoS and "cyberterrorist" attacks are largely becoming ineffective.