21 Oct 2002 Root Server Denial of Service Attack - Report
ISC/UMD/Cogent Paul Vixie, ISC OCTOBER21.TXT Gerry Sneeringer, UMD November 24, 2002 Mark Schleifer, Cogent
Events of 21-Oct-2002
Abstract: On October 21, 2002, the Internet Domain Name System's root name servers sustained a denial of service attack. This report explains the nature and impact of the attack, based on previously and publically available information.
Nature of Attack
- A coordinated DDoS (distributed denial of service) attack was launched at approximately 2045UTC and lasted until approximately 2200UTC. All thirteen (13) DNS root name servers were targeted simultaneously.
- Attack volume was approximately 50 to 100 Mbits/sec (100 to 200 Kpkts/sec) per root name server, yielding a total attack volume was approximately 900 Mbits/sec (1.8 Mpkts/sec).
- Attack traffic contained ICMP, TCP SYN, fragmented TCP, and UDP.
- Attack source addresses were mostly randomized, chosen within netblocks which were mostly present in the routing table at the time of the attack.
Impact of Attack
- Some root name servers were unreachable from many parts of the global Internet due to congestion from the attack traffic delivered upstream/nearby. While all servers continued to answer all queries they received (due to successful overprovisioning of host resources), many valid queries were unable to reach some root name servers due to attack-related congestion effects, and thus went unanswered.
- Several root name servers were reachable by inside-metro queries but not from outside-metro, due to attack-related congestion on wide area links connecting that metro to other parts of the world wide Internet.
- Several root name servers were continuously reachable from virtually all monitoring stations for the entire duration of the attack, due to successful overprovisioned at the network level (through a combination of multiple locations, fat pipes, hardware switched load balancing, and high path splay).
- There are no known reports of end-user visible error conditions during, and as a result of, this attack. Because the DNS protocol is designed to cope with partial reachability among a set of name servers, there may have been a minor delay (on the order of several seconds) for some name lookups. This would have manifested itself as a barely perceptible initial delay in some web browsers or other client programs (such as "ftp" or "ssh").
- Wide scale visibility of this attack came about only as a result of health monitoring projects around the Internet, usually in the form of "strip chart" graphics showing response time variance of a periodic, simple query against some set of servers, including root name servers.
- This attack was unusual in that it was synchronized to take place against all thirteen (13) root name servers simultaneously. Other types of attacks, against only one server at a time, are more common.
- The system functioned as designed, demonstrating overall robustness in the face of a concerted, synchronized attack against all thirteen (13) root servers.
- Due to the fact that IP source addresses are trivial to forge, there is little correlation between the apparent source of an attack and the actual source of an attack. Therefore, tracking this attack back to its source will be a challenge. In any case its source (if typical for DDoS attacks) will be a large number of "drones", each sending only a small amount of traffic, using randomized source addresses within mostly valid netblocks.
- While the root server system is continuously upgraded even in normal times, and is massively overprovisioned to make it robust against attacks or network failures, the 21-Oct-2002 attack has given cause for faster than normal upgrades, including increased peering and transit connectivity, and wide area server mirroring in order to collect attack flows in diverse locations and prevent an attack from concentrating on small numbers of network congestion points.
Paul Vixie Internet Software Consortium 950 Charter Street Redwood City, CA 94063 +1.650.779.7001 <email@example.com>
Gerry Sneeringer University of Maryland Office of Information Technology College Park, MD 20742 +1.301.405.3003 <firstname.lastname@example.org>
Mark Schleifer Cogent Communications 1015 31st St, NW Washington, DC 20007 +1.202.295.4200 <MSchleifer@Cogentco.com>
- BIND 10
- Other Software Projects
- security advisories
- software forums
- ABOUT ISC