Despite the minimal impact on end users, however, the attack was by no means a non-event. A torrent of five million queries a second that hits most of the root servers for an hour or more represents a formidable amount of computing power and bandwidth. The volume represents as much as a 250-fold increase over the normal load placed on a typical root server, Keith Mitchell, president of the Domain Name System Operations Analysis and Research Center, told Ars. Mitchell cited slide six of this presentation showing root servers receiving from 20,000 to 50,000 queries per second.
Perhaps more concerning, the junk queries were received by name servers that use IP Anycast, a network routing method that assigns the same public IP address to multiple geographically dispersed servers. Because the attack was observed hitting Anycast machines, the significant resources behind it must also have been geographically dispersed, rather than concentrated in a handful of sources in just a few locations.
“This event was notable for the fact that source addresses were widely and evenly distributed, while the query name was not,” an advisory published Friday noted. “This incident, therefore, is different from typical DNS amplification attacks whereby DNS name servers (including the DNS root name servers) have been used as reflection points to overwhelm some third party.”
A large botnet of infected computers or other Internet-connected devices is the most plausible explanation for such an attack. That would explain how the attack occurred, but it doesn’t shed any light on why it was carried out. It has also renewed calls for networks to implement BCP 38, an Internet Engineering Task Force standard for defeating IP address spoofing. Many networks enforce it, but some still don’t, and they’re the ones making such attacks possible.
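The advisory's distinction quoted above (many evenly spread sources on one query name, versus queries piling onto one spoofed source as in a reflection attack) can be checked directly in query logs. The following is an added example, not code from the article or from any root-server operator; the log lines, field layout and thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed sample query logs ("<epoch-seconds> <source-ip> <qname>");
# illustrative lines only, not data from the incident described above.
FLOOD_LOG = """
1.0 198.51.100.7 victim-name.example.
1.1 203.0.113.9 victim-name.example.
1.2 192.0.2.44 victim-name.example.
1.3 198.51.100.200 victim-name.example.
1.4 203.0.113.77 victim-name.example.
1.5 192.0.2.130 victim-name.example.
1.6 198.51.100.88 victim-name.example.
1.7 203.0.113.150 victim-name.example.
1.8 192.0.2.5 www.example.
1.9 198.51.100.7 mail.example.
"""
# Same shape, but nearly every query carries one (spoofed) source address.
REFLECTION_LOG = "\n".join(
    ["1.%d 192.0.2.10 big.example." % i for i in range(9)]
    + ["1.9 203.0.113.5 www.example."]
)

def parse(log):
    """Yield (timestamp, source_ip, normalised qname) from the log text."""
    for line in log.splitlines():
        if line.strip():
            ts, src, qname = line.split()
            yield float(ts), src, qname.lower().rstrip(".")

def profile(log):
    """Summarise how concentrated the queries are by name and by source."""
    recs = list(parse(log))
    total = len(recs)
    names = Counter(q for _, _, q in recs)
    sources = Counter(s for _, s, _ in recs)
    top_name, top_name_count = names.most_common(1)[0]
    top_src_count = sources.most_common(1)[0][1]
    stamps = [t for t, _, _ in recs]
    window = (max(stamps) - min(stamps)) or 1.0
    return {
        "qps": total / window,                      # compare against the baseline load
        "top_name": top_name,
        "top_name_share": top_name_count / total,   # 1.0 = every query asks one name
        "source_spread": len(sources) / total,      # 1.0 = every query from a new source
        "top_source_share": top_src_count / total,  # 1.0 = every query from one source
    }

def classify(p, name_share=0.7, spread=0.7, src_share=0.7):
    """One name from many sources = distributed flood; many queries from
    one source address = the server is being used as a reflector."""
    if p["top_name_share"] >= name_share and p["source_spread"] >= spread:
        return "distributed flood"
    if p["top_source_share"] >= src_share:
        return "reflection"
    return "normal"
```

The `qps` figure is what you would compare against a server's normal load (the 20,000 to 50,000 queries per second cited above) to size a surge; the two shares tell you which of the two attack shapes you are looking at.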
Post updated in the fifth paragraph to add details about the number of queries per second normally received by root servers.