Internet root servers struck by prolonged DDoS attack

Last week, the Internet DNS root servers were subjected to a prolonged and concerted distributed denial of service attack. The DDoS attack started on 30 November between 06.50 and 09.30 UTC, with some of the 13 major DNS root servers receiving up to 5 million DNS queries per second.

These were genuine DNS queries for a specific domain name, but the traffic was sufficient to flood network connections and server resources on 4 of the 13 Internet root servers.
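
Because the queries were well-formed, a flood like this shows up in a query log as a high per-second rate dominated by one name, not as malformed packets. The following sketch is an added example, not code from the article or the root server operators; the log tuple format, the thresholds and all names are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict

def find_single_name_floods(queries, qps_threshold, share_threshold=0.8):
    """Return [(second, qps, top_qname, share)] for each one-second bucket
    whose query rate is at least qps_threshold and where a single query
    name accounts for at least share_threshold of the queries."""
    buckets = defaultdict(Counter)
    for ts, _src, qname in queries:
        # DNS names are case-insensitive; also drop the trailing root dot.
        buckets[int(ts)][qname.lower().rstrip(".")] += 1
    alerts = []
    for second in sorted(buckets):
        counts = buckets[second]
        qps = sum(counts.values())
        top_qname, top_hits = counts.most_common(1)[0]
        share = top_hits / qps
        # Rate alone also fires on legitimate peaks; requiring one
        # dominant name matches the pattern the article describes.
        if qps >= qps_threshold and share >= share_threshold:
            alerts.append((second, qps, top_qname, round(share, 2)))
    return alerts

def constructed_sample():
    """Constructed query log of (timestamp, source, qname); not real data."""
    normal = ["example.com.", "example.net.", "example.org.", "test.example."]
    queries = []
    for second in range(100, 103):      # baseline: 8 mixed queries per second
        for i in range(8):
            queries.append((second + i / 10, f"192.0.2.{i + 1}", normal[i % 4]))
    for second in range(103, 105):      # flood: 90 queries per second, one name
        for i in range(90):
            queries.append((second + i / 100, f"198.51.100.{i + 1}",
                            "Flood-Target.example."))
        for i in range(10):             # normal traffic continues underneath
            queries.append((second + i / 100, f"192.0.2.{i + 1}", normal[i % 4]))
    return queries

if __name__ == "__main__":
    for alert in find_single_name_floods(constructed_sample(), qps_threshold=50):
        print(alert)
```

On a real server the rate threshold would be set from that node's own baseline, since the article notes root servers normally see only limited traffic.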

Root servers are the common name given to the Internet's authoritative name servers that serve the DNS zone. These root servers are part of a network of hundreds of servers located around the world that provide authoritative domain name to IP address resolution.

The motives for such an attack are still not clear, since disabling a root server will not have a severe impact on the Internet: there are hundreds of thousands of other DNS servers managing DNS queries. Despite this, any attack on the Internet infrastructure is taken extremely seriously.

Furthermore, as the root servers are at the very top of the DNS hierarchy they normally receive only limited amounts of traffic, and Anycast technology – whereby many servers share the same IP address and traffic is delivered to the closest node – should have prevented the 4 root servers from becoming overwhelmed.

Interestingly, though the source of the DDoS has still not been disclosed, 3 of the 4 root servers affected were US-managed: by a university in California, the US Government and the US Army.

However, DDoS attacks on the DNS root servers are very rare, with the last notable attack being back in 2007.