The attack on the root DNS servers recorded in early February may have been a kind of advertising campaign. The "advertisers" demonstrated their capacity to organize large-scale attacks using botnets. This theory was put forward in a special document by representatives of ICANN, the organization responsible for assigning domain names, Darkreading.com reports.
David Ulevitch, CEO of the DNS services OpenDNS and EveryDNS, agrees that the advertising theory looks very interesting: “ their customized use. This is not about a test attack in preparation for a global campaign against the DNS servers themselves, but about how to demonstrate the potential of botnets to someone who can use this potential against less secure targets.” According to Ulevitch, another attack of this kind is possible, but it is unlikely to destabilize the operation of the servers.
The February attack on the root DNS servers showed how effective anycast technology is as a method of protecting them. With anycast, the IP address of a DNS server is hosted simultaneously on several physical (hardware) servers, and a DNS query sent to the anycast address is delivered to the nearest server. Five DNS servers that are not yet using anycast will be moved to it soon, ICANN representatives said.
The document, which ICANN compiled for an audience without special technical training, also draws attention to the power of the attack, expressed in numbers. The traffic directed at some root servers reached 1 Gbit/s, which is equivalent to 13 thousand emails per second or 1.5 million emails in 2 minutes. The attack began at about 7 am and lasted 2.5 hours. The second wave of DDoS attacks began three and a half hours later and lasted 5 hours. The ICANN report confirms early assessments that the attack affected Internet users only to a “limited” extent. The document also confirmed the previous hypotheses regarding the possible territory of origin of the attack: it turned out to be one of the countries of the East Asian region. However, so far there is no convincing evidence that the botnet was located specifically on the territory of the Republic of Korea.
According to ICANN, the attack could have been launched from the territory of several countries at once. However, given that the IP addresses from which requests to the DNS servers were sent could have been spoofed, this cannot be stated unequivocally. It is possible that the source of the attack was so-called zombie machines located in any other part of the world.
Most of the load fell on DNS server G, located in Ohio and administered by the US Department of Defense, and on server I, located in California and administered by ICANN. These two servers were the only ones of the six attacked that did not use anycast. According to ICANN representatives, the incomplete implementation of anycast technology was a conscious decision by the root server operators. “There were concerns that the presentation of several different servers as a single entry point could create a security risk,” the document says. The operators' plan was to first conduct tests on several servers and then eliminate the shortcomings.
To counter future attacks, ICANN last year recommended that DNS operators validate the IP addresses of request sources and accept requests only from trusted sources (for example, their own clients). ICANN acknowledged that the recommendations were met "with mixed success."
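The recommendation above, sketched as an added example that is not from ICANN's document or either source article: a source-address admission check for an Internet-facing resolver. The trusted prefixes, the verdict names and the sample addresses are all constructed assumptions.

```python
import ipaddress

# Constructed allow-list: documentation prefixes stand in for the operator's own clients.
TRUSTED_CLIENTS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8:100::/48")]

# Sources that cannot legitimately originate a query arriving from the Internet
# (private, loopback, link-local, multicast, reserved). Illustrative, not exhaustive.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def admit(src: str) -> str:
    """Decide what to do with a query based only on its claimed source address."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop-malformed"
    if any(addr in net for net in BOGON_SOURCES):
        return "drop-bogon"      # claimed source is forged or leaked
    if any(addr in net for net in TRUSTED_CLIENTS):
        return "answer"          # one of our own clients
    return "refuse"              # routable, but not someone we serve


def summarize(sources):
    """Count verdicts over a batch of query source addresses."""
    counts = {}
    for src in sources:
        verdict = admit(src)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample of query source addresses (not taken from the incident).
SAMPLE_SOURCES = ["192.0.2.15", "2001:db8:100::53", "198.51.100.7",
                  "10.1.2.3", "fe80::1", "203.0.113.200", "not-an-ip"]

if __name__ == "__main__":
    for s in SAMPLE_SOURCES:
        print(f"{s:20} {admit(s)}")
    print(summarize(SAMPLE_SOURCES))
```

A spoofed address inside a routable range still passes the bogon check, which is why the allow-list of own clients is the deciding test.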
Source: www.viruslist.com/ru/news?id=207391851
Original source: www.darkreading.com/document.asp?doc_id=119128