[RndTbl] [Fwd: ISC Bulletin #1]

John Lange john.lange at open-it.ca
Fri Feb 16 13:23:03 CST 2007

Some on this list may find the following information interesting.

Note that the root name servers are protected by "anycast" and they are
crediting that with resisting the attack.


-------- Forwarded Message --------
> From: Sue Graves <Sue_Graves at isc.org>
> To: bind-announce at isc.org
> Subject: ISC Bulletin #1
> Date: Tue, 13 Feb 2007 19:49:41 -0800
> This communication is intended for anyone interested in more information
> on the DDoS attack of last week.
> As you are probably aware, there was an attack on several of the root
> nameservers early Tuesday morning of last week.  ISC operates
> f.root.servers.net (F-root), one of the 13 root nameservers that was
> targeted.  The attack was a 'distributed denial of service' (DDoS)
> attack, in which attackers tried to disable root DNS service by
> overwhelming the network paths to the root servers with malicious
> packets meant to pass as legitimate DNS traffic.  Overall, root name
> service as provided by F-root was not compromised. The distributed
> F-root architecture includes a mix of global and local anycast nodes.
> The global nodes and the local Asian nodes showed some degradation
> during the first two hours, but others were unaffected. David Knight, of
> ISC's Operations group, made a brief presentation at the North American
> Network Operators' Group (NANOG) conference the next morning. The
> slides, which include some technical detail on the attack, can be found
> at: http://www.nanog.org/mtg-0702/presentations/knight.pdf
> ISC began using anycast in a single location in 1998.  Wider deployment
> began in Madrid in 2002.  We're pleased to report that anycast worked
> just as expected.  Anycast deployment helped counter this attack by
> fragmenting it into smaller pieces that were easier to deal with, as
> well as isolating the effects into the area of greatest concentration of
> sources of the attack. This left other regions far from the sources with
> a completely unaltered service. Overall, the increase in aggregated
> network bandwidth, CPU power and service capacity helped make this
> attack non-disruptive for the Internet at large.
> As a customer of ISC, you are well aware of our software development
> skills, however, you may not be aware of our additional expertise in DNS
> operations. The F-root nameservers answer over 15,000 queries per second
> globally.  F is deployed at 40 sites in 32 different countries.  Anycast
> makes sense for us, it might make sense for you.  You can learn more
> about F-root at: http://www.isc.org/ops/f-root/.  Specifics about
> anycast can be found at: http://www.isc.org/pubs/tn/?tn=isc-tn-2003-1.html.
> You may not be aware that we offer secondary hosting on a best-effort
> basis at no charge to many xxTLD's, ISC customers and non-profits.  If
> you're interested in learning more about whether anycast would be of
> benefit in your network, or in our secondary hosting, please contact us
> at info at isc.org.
> If you'd like to learn more about DNS issues on a global
> scale, you should consider OARC (http://public.oarci.net/).  ISC's OARC
> (Operational Analysis and Research Center) played a key supportive role
> during the attack. OARC facilitated a coordinated response via secure
> real-time communications between root and top-level domain server
> operators and other OARC members.
> Post-attack, OARC is using its infrastructure and working with members
> to gain understanding of the attack's source and impact. This includes
> uploading data using OARC's DSC and PCAP tools from affected server
> operators to our NSF-funded 4TB data repository. From there it is
> available for analysis by members and the research community, to gain
> further understanding of the causes and how to prevent future such attacks.
> OARC membership and resources are open to all large-scale DNS operators,
> implementers, active researchers and law enforcement agencies. OARC also
> provides a number of tools and mailing lists open to DNS operators of
> all types. Please contact OARC Programme Manager Keith Mitchell
> <admin at oarc.isc.org> for more information.

More information about the Roundtable mailing list