DNS root server attack was not aimed at root servers – infosec bods

Target appears to have been two Chinese domain names

The internet's root servers were not the target of a distributed denial-of-service (DDoS) attack in December which for a short time took out four of the 13 pillars of the global network.

That's according to two security researchers who will present their findings at a conference in Argentina on Friday. Instead, they conclude the likely target of the massive assault was two seemingly obscure domain names registered in China.

Matt Weinberg and Duane Wessels work as DNS specialists for Verisign, the US company that operates two root servers and also approves changes to the internet root zone. Weinberg and Wessels carried out an extensive investigation into the flood of junk traffic that most root servers received on 30 November and 1 December 2015. A copy of their presentation [PPTX] is now available online.

The two make a number of conclusions. First, that a relatively new system for combating DDoS attacks – response rate limiting (RRL) – proved effective, reducing the volume of traffic by 60 per cent.

They also conclude that although all but three of the root servers received heavy traffic, causing four to drop offline for a short period of time, the attack was not directed at the root servers, but at two specific domain names – 336901.com and 916yy.com – which do not currently resolve and which are both registered in China with fake or anonymous details.

Terrorist involvement?

Despite what security expert John McAfee claimed following the assault, the researchers remain convinced that the IP source addresses from which the invasion originated were spoofed. They link to a video that would appear to show that there is clearly a computer program generating spoofed addresses, and provide a number of graphical representations of the attack traffic that appear to back up their point.

There is no mention in the report of claims that the DDoS attack stemmed from a smartphone app reportedly used by the Islamic State to spread news and propaganda (the ISIS Amaq News Agency app).

McAfee claimed, in response to earlier information about the attack, that IP addresses were spread broadly across the IPv4 address space, which would be "virtually impossible using spoofing." However, Weinberg and Wessels say there were in fact three different assaults going on at the same time: a broad but low-volume attack coming from a huge number of IP addresses (895 million of them, as McAfee mentioned) and then two more high-volume attacks that cycled through IP address blocks. Just under 5,000 IP addresses accounted for 86 per cent of the traffic, and of those, only 200 accounted for 68 per cent of the attack traffic.
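The concentration analysis described above can be reproduced on a query log; the following Python script is an added illustration, not the researchers' code, and assumes a constructed "source-IP qname" record format. It reports what share of queries the busiest sources and the busiest /24 blocks account for, and how much of the traffic names the two domains.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log (not real attack data): one "src_ip qname" per line.
SAMPLE_LOG = """\
198.51.100.7 336901.com
198.51.100.7 916yy.com
198.51.100.8 336901.com
198.51.100.9 916yy.com
203.0.113.20 336901.com
203.0.113.21 336901.com
192.0.2.1 example.org
192.0.2.55 example.net
198.51.100.7 336901.com
203.0.113.22 916yy.com
"""

# The two domain names the researchers identified as the likely target.
TARGET_NAMES = {"336901.com", "916yy.com"}

def parse_log(text):
    """Return (source_ip, qname) pairs; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ip_address(parts[0])          # reject junk that is not an address
        except ValueError:
            continue
        records.append((parts[0], parts[1].lower().rstrip(".")))
    return records

def top_n_share(records, n):
    """Fraction of all queries sent by the n busiest source addresses."""
    counts = Counter(src for src, _ in records)
    total = sum(counts.values())
    top = sum(c for _, c in counts.most_common(n))
    return top / total if total else 0.0

def block_share(records, prefixlen=24):
    """Queries per address block; a few blocks dominating suggests cycling through ranges."""
    counts = Counter()
    for src, _ in records:
        counts[str(ip_network(f"{src}/{prefixlen}", strict=False))] += 1
    return counts

def target_share(records):
    """Fraction of queries that name one of the suspected target domains."""
    hits = sum(1 for _, q in records if q in TARGET_NAMES)
    return hits / len(records) if records else 0.0
```

A low top-N share with a huge number of distinct sources points to the broad spoofed component, while a high share from a handful of blocks points to the range-cycling attacks the researchers describe.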

The researchers identify that it was a specific attack (as opposed to a random error) with command and control instructions being identified, and that the attack occurred through a botnet that used the well-known "BillGates" malware.

That doesn't mean the theory of a new ISIS DDoS app is wrong. It's just not as likely as the pre-existing situation where there are a number of botnets across the world used to carry out such assaults.

Halting the attack required expert intervention: DNS specialists reviewed the attack traffic and developed a filter to cut it out. When the root server operators agreed and installed it, the attack traffic was killed stone dead.

While the researchers note that hitting the Enter key and killing off the attack instantly was very satisfying, they warn that having a system that requires expert analysis and manual deployment is far from ideal. Such an approach does bring with it the risk of unintended consequences.

Mitigation: RRL standard helped cut attack traffic, but a manual filter was required to kill it

Why did the assault happen at all? That's still hard to know. The domain names that are at the center of things don't appear to have any special relevance, although it is possible they were being used for some nefarious purposes to the extent that someone decided they needed to be taken down. But that's pure speculation.

As to how to limit the impact of future attacks: the RRL feature, first introduced in September 2013 in version 9.9.4 of the BIND software used by a large number of root servers, helped significantly. But the size of the attack was such that it didn't prevent significant problems.

A better solution – as ever – is for all ISPs to implement existing best practices (such as the BCP 38 standard) and so limit the ability to spoof attacks.

Another solution that has been put forward by the creator of RRL – former operator of the F-root server Paul Vixie – is to develop a liability model that would penalize network operators that allow attack traffic to flow across their networks.

In that sense, this week's presentation lists the top 20 autonomous system numbers (ASNs) and their owners through which most of the assault traffic flowed. Of the 20, nine are in the United States and five are in China.

Top of the list: Purevoltage Enterprises based in Seattle.

If the world's governments take their pledges to work on cybersecurity seriously, details such as who is responsible for the networks across which the bulk of attack traffic is crossing could prove useful. ®
