Root Server Operators
rootops
http://root-servers.org
December 4, 2015

Events of 2015-11-30

Abstract

On November 30, 2015 and December 1, 2015, over two separate intervals, several of the Internet Domain Name System's root name servers received a high rate of queries. This report explains the nature and impact of the incident.

While it is common for the root name servers to see anomalous traffic, including high query loads for varying periods of time, this event was large, noticeable via external monitoring systems, and unusual in nature, so this report is offered in the interests of transparency.

1. Nature of Traffic

On November 30, 2015 at 06:50 UTC, DNS root name servers began receiving a high rate of queries. The queries were well-formed, valid DNS messages for a single domain name. The elevated traffic levels continued until approximately 09:30 UTC.

On December 1, 2015 at 05:10 UTC, DNS root name servers again received a similar rate of queries, this time for a different domain name. The event traffic continued until 06:10 UTC.

Most, but not all, DNS root name server letters received this query load. DNS root name servers that use IP anycast observed this traffic at a significant number of anycast sites.

The source addresses of these particular queries appear to be randomized and distributed throughout the IPv4 address space.

The observed traffic volume due to this event was up to approximately 5 million queries per second, per DNS root name server letter receiving the traffic.

2. Impact of Traffic

The incident traffic saturated network connections near some DNS root name server instances. This resulted in timeouts for valid, normal queries to some DNS root name servers from some locations. Several DNS root name servers were continuously reachable from virtually all monitoring stations for the entire duration of the incident.

There are no known reports of end-user visible error conditions during, and as a result of, this incident. Because the DNS protocol is designed to cope with partial reachability among a set of name servers, the impact was, to our knowledge, limited to potentially minor delays for some name lookups when a recursive name server needs to query a DNS root name server (e.g. on a cache miss). This would have manifested itself as a barely perceptible initial delay in some web browsers or other client programs (such as "ftp" or "ssh").

Visibility of this event came about as a result of health monitoring by DNS root name server operators and other monitoring projects around the Internet. Often these take the form of "strip chart" graphics showing the response time variance of a periodic simple query against some set of servers, including DNS root name servers. Such test traffic may not be indicative of what happens to normal traffic or to user experience.

3. Analysis

This event was notable for the fact that source addresses were widely and evenly distributed, while the query name was not. This incident, therefore, is different from typical DNS amplification attacks, in which DNS name servers (including the DNS root name servers) have been used as reflection points to overwhelm some third party.

The DNS root name server system functioned as designed, demonstrating overall robustness in the face of large-scale traffic floods observed at numerous DNS root name servers.

Because IP source addresses can be easily spoofed, and because event traffic landed at large numbers of anycast sites, it is unrealistic to trace the incident traffic back to its source. Source Address Validation and BCP-38 should be used wherever possible to reduce the ability to abuse networks to transmit packets with spoofed source addresses.
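The distinguishing signature the analysis above describes (source addresses widely and evenly distributed, query name concentrated on a single value) is something an operator can check for directly in query logs, and it separates this kind of flood from a reflection pattern, where the same few source addresses (the reflection victim) repeat. The following is an added example, not code from the root server operators or from this report; it assumes a simple constructed log format of "timestamp source qname qtype" per line, and the sample log lines and thresholds are constructed for illustration rather than taken from the incident.

```python
"""Profile DNS query logs for the dispersed-source / single-name pattern.

Added illustration, not root-server-operator code. Log format assumed
(constructed): one query per line as "timestamp source qname qtype".
"""
import ipaddress
from collections import Counter, namedtuple

QueryRecord = namedtuple("QueryRecord", "ts src qname qtype")

# Classification labels returned by classify().
FLOOD = "dispersed-source single-name flood"
REFLECTION = "concentrated-source repeat queries"
NORMAL = "unremarkable"

# Constructed sample: one qname, every query from a different source spread
# across many /8s (the pattern described in sections 1 and 3).
FLOOD_LOG = """\
2015-11-30T06:50:00 7.1.2.3 query-name.example. A
2015-11-30T06:50:00 29.4.5.6 query-name.example. A
2015-11-30T06:50:00 52.7.8.9 query-name.example. A
2015-11-30T06:50:00 71.10.11.12 query-name.example. A
2015-11-30T06:50:00 93.13.14.15 query-name.example. A
2015-11-30T06:50:00 118.16.17.18 query-name.example. A
2015-11-30T06:50:00 137.19.20.21 query-name.example. A
2015-11-30T06:50:00 156.22.23.24 query-name.example. A
2015-11-30T06:50:00 178.25.26.27 query-name.example. A
2015-11-30T06:50:00 195.28.29.30 query-name.example. A
2015-11-30T06:50:00 213.31.32.33 query-name.example. A
2015-11-30T06:50:00 222.34.35.36 query-name.example. A
"""

# Constructed sample: a reflection-style pattern, few sources repeating one name.
REFLECT_LOG = """\
2015-11-30T06:50:00 203.0.113.5 big.example. ANY
2015-11-30T06:50:00 203.0.113.5 big.example. ANY
2015-11-30T06:50:00 203.0.113.5 big.example. ANY
2015-11-30T06:50:00 203.0.113.5 big.example. ANY
2015-11-30T06:50:00 203.0.113.5 big.example. ANY
2015-11-30T06:50:00 203.0.113.5 big.example. ANY
2015-11-30T06:50:00 203.0.113.5 big.example. ANY
2015-11-30T06:50:00 203.0.113.6 big.example. ANY
2015-11-30T06:50:00 203.0.113.6 big.example. ANY
2015-11-30T06:50:00 203.0.113.6 big.example. ANY
"""

# Constructed sample: ordinary recursive-resolver traffic, mixed names.
NORMAL_LOG = """\
2015-11-30T06:50:00 198.51.100.7 www.example.com. A
2015-11-30T06:50:00 198.51.100.7 mail.example.net. MX
2015-11-30T06:50:00 198.51.100.8 example.org. AAAA
2015-11-30T06:50:00 192.0.2.10 www.example.com. A
2015-11-30T06:50:00 192.0.2.10 ns1.example.net. A
2015-11-30T06:50:00 198.51.100.8 shop.example.org. A
2015-11-30T06:50:00 192.0.2.11 www.example.com. AAAA
2015-11-30T06:50:00 198.51.100.7 example.net. NS
2015-11-30T06:50:00 192.0.2.11 cdn.example.org. A
2015-11-30T06:50:00 198.51.100.8 img.example.com. A
"""


def parse_log(text):
    """Parse the constructed log format into QueryRecord tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, qname, qtype = line.split()
        ipaddress.ip_address(src)  # reject malformed addresses early
        records.append(QueryRecord(ts, src, qname.lower(), qtype.upper()))
    return records


def profile(records):
    """Summarise how concentrated the qnames and how dispersed the sources are."""
    n = len(records)
    qnames = Counter(r.qname for r in records)
    sources = Counter(r.src for r in records)
    top_qname, top_qname_count = qnames.most_common(1)[0]
    _, top_src_count = sources.most_common(1)[0]
    # Count distinct /8 prefixes as a coarse measure of spread across IPv4 space.
    slash8s = {int(ipaddress.ip_address(r.src)) >> 24 for r in records}
    return {
        "queries": n,
        "top_qname": top_qname,
        "qname_share": top_qname_count / n,      # 1.0 means a single name
        "distinct_sources": len(sources),
        "source_ratio": len(sources) / n,        # 1.0 means every query is a new source
        "top_source_share": top_src_count / n,   # high means one source dominates
        "distinct_slash8": len(slash8s),
    }


def classify(records, min_queries=10):
    """Label a batch of queries using constructed (assumed) thresholds."""
    if len(records) < min_queries:
        return NORMAL
    p = profile(records)
    if p["qname_share"] >= 0.9 and p["source_ratio"] >= 0.9 and p["distinct_slash8"] >= 5:
        return FLOOD
    if p["qname_share"] >= 0.9 and p["top_source_share"] >= 0.5:
        return REFLECTION
    return NORMAL


if __name__ == "__main__":
    for name, log in (("flood", FLOOD_LOG), ("reflect", REFLECT_LOG), ("normal", NORMAL_LOG)):
        recs = parse_log(log)
        print(name, classify(recs), profile(recs))
```

The thresholds (90% of queries for one name, a new source address on 90% of queries, at least five distinct /8s) are assumptions chosen to make the contrast visible on the constructed samples; a production detector would tune them against a server's own baseline and window the counts by time, since at 5 million queries per second the batches are far larger than the handful of lines here.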