DDoS
The Nov. 2015 DNS Root Event
Presented by
Anycast vs. DDoS: Evaluating the November 2015 DNS Root Event
In: ACM Internet Measurement Conference (IMC), 2016, Santa Monica, USA.
Technical Report ISI-TR-2016-708, USC/Information Sciences Institute, May 2016
• http://www.isi.edu/~johnh/PAPERS/Moura16a.pdf
Distributed Denial of Service
Big and getting bigger
2012: 100 Gb/s
2016: 100 Gb/s is common, >1 Tb/s is possible
More than 150,000 DDoS in two years with profit of US$ 600,000
[Figure: servers r1 ... rn (internal load balancing); slide label: Vertical distribution]
Measurement data:
Built-in periodical CHAOS queries @Atlas
RSSAC-002 data
BGPmon
The Impact of the Attack
What was the impact?
[Figure: time series per root letter (panels labelled B, C; D, L, M; I, J; K, A, D, L, M); x-axis: hours after 2015-11-30t00:00 UTC]
[Figure: time series for B-Root, C-Root, G-Root, H-Root and K-Root; x-axis: hours after 2015-11-30t00:00 UTC]
What was the impact ... at individual sites?
Figure 1: Root DNS structure, terminology, and mechanisms in use at each level.
[Figure levels: servers r1 ... rn (internal load balancing); sites s1 ... s33 (unique location and BGP route); root letters a b c ... k l m (unique IP anycast addr.); user (recursive resolver and its root.hints)]
[Clipped fragments of the paper text visible on the slide: "(50 Mq/s, an upper bound)", "loss (1% to 95%)", "user-observed loss at sites", "overloaded sites", "co-located services"]
[Figure: site reached by each of 300 VPs (one per pixel) over ~48 hours (one response per pixel); sites FRA, LHR, AMS]
Site flipping
Zoomed in: 40 VPs initially reaching LHR site, Nov. 30th, 06:50 - 09:30 (UTC)
[Figure: sites LHR and AMS]
Impact at sites may depend...
... on load balancing
... on link resource
[Figure: number of VPs for K-FRA-S2 and K-FRA-S3]
D-Root was not targeted...
... but felt the attack
[Figure: number of VPs for D-SYD, D-AKL, D-DUB and D-BUR; x-axis: hours after 2015-11-30t00:00 UTC]
[Figure: NL-FRA and NL-AMS; x-axis: hours after 2015-11-30t00:00 UTC (ticks at 0, 7, 29, 45)]
NO traffic in FRA and AMS
The Lessons Learned
Things are escalating pretty fast and apparently we are not fully aware of
what we are dealing with.
r.schmidt@utwente.nl
http://www.ricardoschmidt.com
Acknowledgements:
Arjen Zonneveld, Jelte Jansen, Duane Wessels, Ray Bellis, Romeo Zwart, Colin Petrie,
Matt Weinberg and Piet Barber