Internet DNS servers withstand huge DDoS attack

DNS is short for Domain Name System, the online service that converts server names into network numbers.

Without it, you wouldn’t be able to refer to a server called example.com – you’d have to remember 93.184.216.34 instead.

Actually, it’s even worse than that, because busy websites like www.facebook.com don’t have just one network number.

Big web properties may have racks and racks of customer-facing servers in operations centres all over the world, giving them a wide variety of network number ranges on a wide variety of different networks.

Busy sites typically use DNS to direct you to a specific server based on load levels, maintenance schedules, your current location, and so on, in order to improve speed, spread load and avoid bottlenecks.

In other words, DNS is extremely important, to the point that the internet would be unusable without it.

For that reason, DNS is implemented as a hierarchical, distributed global database, which is a fancy way of saying that no one DNS server holds the entire database, and no one server is critical to the operation of all the others.

For example, to figure out where nakedsecurity.sophos.com lives, your own company’s (or ISP’s) DNS server takes a top-down approach:

• Ask the so-called root servers, “Who looks after the .COM domain name data?”
• Ask the .COM part of the hierarchy, “Who is officially responsible for DNS for SOPHOS?”
• Ask the SOPHOS name servers, “Where do I go to read NAKEDSECURITY?”

Each DNS reply contains a Time To Live number, or TTL, that says how long to remember the answer, typically somewhere from 1 minute to 1 hour, after which the result is thrown away.

That greatly reduces the number of times a full, top-down hierarchical query is needed, while ensuring that the system can recover automatically from incorrect or outdated answers.

As you can imagine, the root servers are the key to the entire DNS service, because all as-yet-unknown answers must be requested by starting at the top.

So there are 13 root servers, prosaically named A to M, operated by 12 different organisations, on 6 different continents.

In fact, each “server” actually consists of a server farm of many physical servers in multiple locations, for reliability.

Server L, for example, is mirrored in 128 locations in 127 towns and cities (San Jose, California, hosts two instances) in 68 countries, from Argentina to Yemen.

Because you need to consult a root server by number to look up where the root servers are by name, DNS servers themselves keep a static numeric list of all the root servers.

Generally speaking, only one root server IP number ever changes at a time, and such changes are rare, so even an old root server list will work, at least to start with.

A DNS server with an outdated list can try each of the 13 roots in turn, until it figures out where to update to the latest list.

In short: DNS is surprisingly resilient, by design, and DDoSing it is correspondingly hard.

A DDoS, or distributed denial of service attack, is where a cybercriminal deliberately and repeatedly generates time-wasting internet requests to bog down an online service. Like prank callers to 911 or other emergency service phone numbers, this gets in the way of genuine traffic, to the detriment of legitimate users. Extreme internet DDoS attacks may even cause the targeted server, or the network it is on, to crash.

Unsurprisingly, however, the root servers do get DDoSed from time to time, sometimes on an astonishing scale.

Indeed, the Root Server Operators recently reported a DDoS on the last day of November 2015, and the first day of December, that reached 5,000,000 bogus requests per second per root server letter.

The total attack time was just under four hours, so the DNS root servers would have experienced close to 1 trillion (10¹²) bogus requests during the two attack windows.

There was some bad news:

The incident traffic saturated network connections near some DNS root name server instances. This resulted in timeouts for valid, normal queries to some DNS root name servers from some locations.

But some very good news as well:

Several DNS root name servers were continuously reachable from virtually all monitoring stations for the entire duration of the incident.

Simply put, the DNS root servers took an unprecendented hammering, but nevertheless stood firm, keeping the global DNS fully functional throughout.