What would be the benefit of generating 5 million queries per second against a DNS root name server? A transparency report published by the Root Server Operators announced that two separate, but possibly connected, events had occurred targeting the DNS root name servers.
According to the document, “On November 30, 2015 and December 1, 2015, over two separate intervals, several of the Internet Domain Name System’s root name servers received a high rate of queries. While it’s common for the root name servers to see anomalous traffic, including high query loads for varying periods of time, this event was large, noticeable via external monitoring systems, and fairly unique in nature, so this report is offered in the interests of transparency.”

DNS Root Name Server Events

The first event lasted approximately two hours and forty minutes. The queries that made up the heavy load during the event were of a valid DNS type and all requested a single domain. The second, similar event lasted approximately one hour but targeted a different domain.
The source addresses of these particular queries appear to be randomized and distributed throughout the IPv4 address space. The observed traffic volume due to this event was up to approximately 5 million queries per second, per DNS root name server letter receiving the traffic.
The incident traffic saturated network connections near some DNS root name server instances. This resulted in timeouts for valid, normal queries to some DNS root name servers from some locations.
The report says: “There were no known reports of end-user visible error conditions during, and as a result of, this incident. Because the DNS protocol is designed to cope with partial reachability among a set of name servers, the impact was, to our knowledge, limited to potentially minor delays for some name lookups when a recursive name server needs to query a DNS root name server (e.g. a cache miss).”

DNS Root Name Server Report Analysis

In the analysis section, it was stated that “This event was notable for the fact that source addresses were widely and evenly distributed, while the query name was not. This incident, therefore, is different from typical DNS amplification attacks whereby DNS name servers (including the DNS root name servers) have been used as reflection points to overwhelm some third party. Source Address Validation and BCP38 should be used wherever possible to reduce the ability to abuse networks to transmit spoofed source packets.”
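The pattern the report describes (source addresses spread widely and evenly, query name concentrated) can be checked per time window in a query log. The Python below is an added example, not code from the report or the root server operators; the thresholds, addresses and names are constructed assumptions, and the reflection-style branch goes beyond the event to the amplification case the report contrasts it with, where the spoofed source is the victim and so only a few sources appear.

```python
import math
import random
from collections import Counter

def normalized_entropy(values):
    """Shannon entropy of values, divided by the maximum log2(len(values))."""
    n = len(values)
    if n < 2:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in Counter(values).values())
    return h / math.log2(n)

def classify_window(queries, spread_hi=0.9, spread_lo=0.3, name_share=0.8):
    """queries: list of (source_ip, qname) seen in one time window.
    Thresholds are illustrative assumptions, not values from the report."""
    if not queries:
        return "normal", 0.0, 0.0
    src_spread = normalized_entropy([src for src, _ in queries])
    top_share = Counter(q for _, q in queries).most_common(1)[0][1] / len(queries)
    if top_share >= name_share and src_spread >= spread_hi:
        verdict = "spoofed-source flood for one name"  # the pattern in the report
    elif top_share >= name_share and src_spread <= spread_lo:
        verdict = "reflection-style abuse"  # few sources: the spoofed victim
    else:
        verdict = "normal"
    return verdict, round(src_spread, 3), round(top_share, 3)

def sample_windows(seed=2015):
    """Constructed sample data; all addresses and names are placeholders."""
    rng = random.Random(seed)
    resolvers = [f"198.51.100.{i}" for i in range(1, 201)]
    tlds = [f"tld{i}." for i in range(50)]
    def rand_ip():
        return ".".join(str(rng.randrange(256)) for _ in range(4))
    baseline = [(rng.choice(resolvers), rng.choice(tlds)) for _ in range(5000)]
    # Flood window: randomized sources, one name, plus some normal traffic.
    flood = [(rand_ip(), "flood-name.example.") for _ in range(5000)] + baseline[:250]
    reflection = [(rng.choice(["203.0.113.7", "203.0.113.8"]), "big-answer.example.")
                  for _ in range(5000)]
    return {"baseline": baseline, "flood": flood, "reflection": reflection}

if __name__ == "__main__":
    for name, window in sample_windows().items():
        print(name, classify_window(window))
```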
When I had finished reading the report, I thought that this may be a practice operation for a powerful cyber-attack system which uses this type of DDoS technique. The clause “The source addresses were widely distributed” is very remarkable. We can understand that the real source remains unknown.
In the technology era, we should expect that these kinds of incidents will happen more often. Taking precautions and increasing awareness among individuals and establishments is so important. Anyone or any system could be a slave for this type of attack in the future without knowing. I prepared this blog post to give information and emphasize the importance of the subject.