Some on this list may find the following information interesting.
Note that the root name servers are protected by "anycast" and they are crediting that with resisting the attack.
John
-------- Forwarded Message --------
From: Sue Graves Sue_Graves@isc.org
To: bind-announce@isc.org
Subject: ISC Bulletin #1
Date: Tue, 13 Feb 2007 19:49:41 -0800
This communication is intended for anyone interested in more information on the DDoS attack of last week.
As you are probably aware, there was an attack on several of the root nameservers early Tuesday morning of last week. ISC operates f.root-servers.net (F-root), one of the 13 root nameservers that was targeted. The attack was a 'distributed denial of service' (DDoS) attack, in which attackers tried to disable root DNS service by overwhelming the network paths to the root servers with malicious packets meant to pass as legitimate DNS traffic. Overall, root name service as provided by F-root was not compromised. The distributed F-root architecture includes a mix of global and local anycast nodes. The global nodes and the local Asian nodes showed some degradation during the first two hours, but others were unaffected. David Knight, of ISC's Operations group, made a brief presentation at the North American Network Operators' Group (NANOG) conference the next morning. The slides, which include some technical detail on the attack, can be found at: http://www.nanog.org/mtg-0702/presentations/knight.pdf
ISC began using anycast in a single location in 1998. Wider deployment began in Madrid in 2002. We're pleased to report that anycast worked just as expected. Anycast deployment helped counter this attack by fragmenting it into smaller pieces that were easier to deal with, as well as isolating the effects into the area of greatest concentration of sources of the attack. This left other regions far from the sources with a completely unaltered service. Overall, the increase in aggregated network bandwidth, CPU power and service capacity helped make this attack non-disruptive for the Internet at large.
As a customer of ISC, you are well aware of our software development skills; however, you may not be aware of our additional expertise in DNS operations. The F-root nameservers answer over 15,000 queries per second globally. F is deployed at 40 sites in 32 different countries. Anycast makes sense for us; it might make sense for you. You can learn more about F-root at: http://www.isc.org/ops/f-root/. Specifics about anycast can be found at: http://www.isc.org/pubs/tn/?tn=isc-tn-2003-1.html.
You may not be aware that we offer secondary hosting on a best-effort basis at no charge to many xxTLD's, ISC customers and non-profits. If you're interested in learning more about whether anycast would be of benefit in your network, or in our secondary hosting, please contact us at info@isc.org.
If you'd like to learn more about DNS issues on a global scale, you should consider OARC (http://public.oarci.net/). ISC's OARC (Operational Analysis and Research Center) played a key supportive role during the attack. OARC facilitated a coordinated response via secure real-time communications between root and top-level domain server operators and other OARC members.
Post-attack, OARC is using its infrastructure and working with members to gain understanding of the attack's source and impact. This includes uploading data using OARC's DSC and PCAP tools from affected server operators to our NSF-funded 4TB data repository. From there it is available for analysis by members and the research community, to gain further understanding of the causes and how to prevent future such attacks.
OARC membership and resources are open to all large-scale DNS operators, implementers, active researchers and law enforcement agencies. OARC also provides a number of tools and mailing lists open to DNS operators of all types. Please contact OARC Programme Manager Keith Mitchell admin@oarc.isc.org for more information.
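A toy model of the catchment effect the bulletin credits anycast with (the attack split across nodes, with degradation confined to the region nearest the sources), added here as an illustration and not ISC's code or data; the node names, capacities, source regions and inter-region path costs are all constructed assumptions:

```python
"""Toy model of the anycast catchment effect described in the bulletin.
Added illustration only (not ISC code or data): every node, capacity,
source region and path cost below is a constructed assumption."""
from collections import defaultdict

# Constructed nodes. "global" nodes are reachable from every region; "local"
# nodes (NO_EXPORT-style scoping) only from their own region. capacity is the
# number of attack units a node absorbs before its service degrades.
NODES = {
    "global-A": {"region": "NA", "scope": "global", "capacity": 40},
    "global-B": {"region": "EU", "scope": "global", "capacity": 40},
    "local-HK": {"region": "AS", "scope": "local", "capacity": 15},
    "local-SE": {"region": "EU", "scope": "local", "capacity": 15},
}
# Constructed BGP-style path cost between regions; routing picks the lowest.
COST = {("NA", "NA"): 1, ("EU", "EU"): 1, ("AS", "AS"): 1,
        ("NA", "EU"): 3, ("NA", "AS"): 4, ("EU", "AS"): 4}
# Constructed attack as (source region, attack units), concentrated in Asia.
ATTACK = [("AS", 50), ("AS", 30), ("NA", 10), ("EU", 5)]

def path_cost(a, b):
    """Symmetric lookup in the constructed cost table."""
    return COST[(a, b)] if (a, b) in COST else COST[(b, a)]

def catchment(nodes, sources):
    """Return {node: attack units} after anycast routing splits the attack.
    Every node announces the same prefix, so each source lands on the
    lowest-cost node it can reach; ties prefer the local node."""
    load = defaultdict(int)
    for region, units in sources:
        reachable = [n for n, v in nodes.items()
                     if v["scope"] == "global" or v["region"] == region]
        best = min(reachable, key=lambda n: (
            path_cost(nodes[n]["region"], region), nodes[n]["scope"] != "local"))
        load[best] += units
    return dict(load)

def unicast_baseline(sources, origin):
    """Same attack against a single-site server: every unit hits one box."""
    return {origin: sum(units for _, units in sources)}

def degraded(nodes, load):
    """Nodes whose catchment exceeds capacity, i.e. where service degrades."""
    return sorted(n for n, units in load.items() if units > nodes[n]["capacity"])

if __name__ == "__main__":
    split = catchment(NODES, ATTACK)
    print("anycast:", split, "degraded:", degraded(NODES, split))
    print("unicast degraded:", degraded(NODES, unicast_baseline(ATTACK, "global-A")))
```

With the constructed numbers only the Asian local node is pushed past capacity while the North American and European nodes keep serving normally, whereas the same attack against one unicast site overwhelms it outright.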
The presentation is interesting for a number of reasons (interesting uses of RRDTool for one)... I didn't know that one of the F root servers was in Ottawa.
Sean
On 2/16/07, John Lange john.lange@open-it.ca wrote:
Roundtable mailing list Roundtable@muug.mb.ca http://www.muug.mb.ca/mailman/listinfo/roundtable