Mystery attackers bombard servers at the internet's core

A junk traffic attack recently rattled the critical internet infrastructure that supports the world's top-level domains and which is mostly operated by the US and Europe.


Queries per day to the A-root zone operated by Verisign skyrocketed on November 30.

Image: Verisign

Someone launched a traffic attack against a critical part of the internet that allows people to find websites by a domain name rather than a long string of numbers.

Between November 30 and December 1, distributed denial-of-service attacks were carried out against the internet's root name servers, a set of 13 server networks that are at the root of the domain-name system, or DNS, sometimes called the internet's address book.

The root zone holds the delegation records that tell resolvers which name servers are authoritative for each top-level domain, such as .com, .org, .net and the country-code domains such as .uk; every lookup that is not already cached starts there.

According to an incident report published by root-servers.org, "most, but not all" DNS root name servers were receiving approximately five million queries per second, enough junk traffic to cause some normal queries to time out.

"The incident traffic saturated network connections near some DNS root name server instances. This resulted in timeouts for valid, normal queries to some DNS root name servers from some locations," it noted.


The 13 named authorities of the DNS root server system -- which are labelled A through to M -- include Verisign, which operates two of them, the University of Southern California, Cogent Communications, the University of Maryland, NASA's Ames Research Center, the Internet Systems Consortium, the US Department of Defense, the US Army, Sweden's Netnod, Europe's internet registry RIPE NCC, ICANN, and Japan's WIDE Project. Each letter is not a single machine but an anycast group of many instances around the world.

Statistics for the A-root zone managed by Verisign show it has received no more than 10 billion UDP queries per day over the past two years. But during the incident it received over 50 billion UDP queries in a single day.

However, the root server system has built-in redundancy, and according to the incident report end-users are unlikely to have noticed the attack beyond a "barely perceptible initial delay" in some web browsers or in client programs that use the file transfer protocol (FTP) or SSH.

"There are no known reports of end-user visible error conditions during, and as a result of, this incident," it reported.

"Because the DNS protocol is designed to cope with partial reachability among a set of name servers, the impact was, to our knowledge, limited to potentially minor delays for some name lookups when a recursive name server needs to query a DNS root name server (eg a cache miss). This would have manifested itself as a barely perceptible initial delay in some web browsers or other client programs (such as "ftp" or "ssh")."

Exactly who would want to attack DNS root servers remains a mystery. As the report notes, IP source addresses can be easily spoofed, making it difficult to locate the source of the attack traffic.

However, it did hint that ISPs should be implementing network ingress filtering, currently considered a best practice under BCP 38 (RFC 2827) by the Internet Engineering Task Force, or IETF.

This measure would have ISP networks drop packets at the customer edge whose source address does not belong to that customer, which stops attackers on those networks from hitting targets with packets carrying spoofed IP source addresses.
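The kind of filter BCP 38 asks edge networks to deploy, shown here as an added example that is not code from the article, from the root-servers.org report, or from any particular router vendor: a provider edge router knows which prefixes it allocated to each customer-facing interface, and forwards a packet arriving on that interface only if its source address falls inside one of them (strict-mode source address validation). The interface names, the customer prefixes (taken from the RFC 5737 and RFC 3849 documentation ranges) and the sample packets are all constructed for this illustration; only the destination addresses are real, being those of the A root server.

```python
"""BCP 38 (RFC 2827) ingress filtering, modelled in Python.

Added example: not code from the article or from the root-servers.org
incident report. Interfaces, customer prefixes and packets below are
constructed; the destinations are a.root-servers.net's real addresses.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Dict, List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface the packet arrived on
    src: str         # source address as written in the IP header
    dst: str         # destination address


class IngressFilter:
    """Strict-mode source address validation at the customer edge.

    A packet is forwarded only if its source address lies in a prefix
    allocated to the interface it arrived on; anything else is a
    spoofed (or misrouted) source and is dropped.
    """

    def __init__(self, allocations: Dict[str, List[str]]):
        # interface name -> prefixes legitimately allocated to that customer
        self.allocations: Dict[str, List[Network]] = {
            iface: [ip_network(p) for p in prefixes]
            for iface, prefixes in allocations.items()
        }

    def permits(self, pkt: Packet) -> bool:
        prefixes = self.allocations.get(pkt.ingress_if)
        if prefixes is None:
            return False  # interface without an allocation: fail closed
        src = ip_address(pkt.src)
        # `in` returns False across address families, so a v6 source
        # is never matched against a v4 prefix and vice versa.
        return any(src in net for net in prefixes)

    def apply(self, pkts: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
        forwarded: List[Packet] = []
        dropped: List[Packet] = []
        for pkt in pkts:
            (forwarded if self.permits(pkt) else dropped).append(pkt)
        return forwarded, dropped


# Constructed allocation: one customer port, one v4 and one v6 prefix.
EDGE = IngressFilter({"ge-0/0/1": ["203.0.113.0/24", "2001:db8:1::/48"]})

A_ROOT_V4 = "198.41.0.4"
A_ROOT_V6 = "2001:503:ba3e::2:30"

# Constructed traffic as it might arrive on the customer port during a flood.
SAMPLE_PACKETS = [
    Packet("ge-0/0/1", "203.0.113.7", A_ROOT_V4),     # genuine resolver query
    Packet("ge-0/0/1", "192.0.2.77", A_ROOT_V4),      # spoofed source
    Packet("ge-0/0/1", "198.51.100.3", A_ROOT_V4),    # spoofed source
    Packet("ge-0/0/1", "2001:db8:1::10", A_ROOT_V6),  # genuine v6 query
    Packet("ge-0/0/9", "203.0.113.7", A_ROOT_V4),     # port with no allocation
]


def run_demo() -> Tuple[int, int]:
    """Return (forwarded, dropped) counts for the constructed sample."""
    forwarded, dropped = EDGE.apply(SAMPLE_PACKETS)
    return len(forwarded), len(dropped)


if __name__ == "__main__":
    fwd, drp = EDGE.apply(SAMPLE_PACKETS)
    for p in fwd:
        print(f"FORWARD {p.ingress_if} {p.src} -> {p.dst}")
    for p in drp:
        print(f"DROP    {p.ingress_if} {p.src} -> {p.dst}")
```

The filter is deliberately applied at the interface where the customer attaches, because that is the only point where the provider still knows which addresses the sender is entitled to use; once traffic has been aggregated further into the core, a spoofed source from one customer is indistinguishable from legitimate traffic of another, which is exactly why the report could not name the source of the flood.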
