Root Server Operators rootops June 29, 2016 Events of 2016-06-25 Abstract On June 25, 2016 all of the Internet Domain Name System's root name servers received a high rate of TCP SYN and ICMP traffic. This report explains the nature and impact of the incident. While it's common for the root name servers to see anomalous traffic, including high query loads for varying periods of time, this event was large, noticeable via external monitoring systems, and fairly unique in nature, so this report is offered in the interests of transparency. 1. Nature of Traffic On June 25, 2016 at 21:45 UTC DNS root name servers began receiving a high rate of TCP SYN packets in what looks very much like a SYN flood attack, as well as ICMP packets. These packets continued until approximately June 26 00:41 UTC. All DNS root name server letters received this traffic. DNS root name servers that use IP anycast observed this traffic at a majority of anycast sites. The source addresses of these particular queries appear to be randomized and distributed throughout the IPv4 address space. The observed traffic volume due to this event was up to approximately 10 million packets per second, per DNS root name server letter. In bandwidth terms it was approximately 17 Gb/s per letter. 2. Impact of Traffic The incident traffic saturated network connections near some DNS root name server instances. This resulted in timeouts for valid, normal queries to some DNS root name servers from some locations. Several DNS root name servers were continuously reachable and responsive from virtually all monitoring stations for the entire duration of the incident. There are no known reports of end-user visible error conditions rootops [Page 1] Events of 2016-06-25 June 2016 during, and as a result of, this incident. Because the DNS protocol is designed to cope with partial reachability among a set of name servers, the impact was, to our knowledge, limited to potentially minor delays for some name lookups when a recursive name server needed to query a DNS root name server (e.g. a cache miss concerning a TLD). This would have manifested itself as a barely perceptible initial delay in some web browsers or other client programs (such as "ftp" or "ssh"). Visibility of this event came about as a result of health monitoring by DNS root name server operators and other monitoring projects around the Internet. Often these are in the form of "strip chart" graphics showing response time variance of a periodic simple query against some set of servers, including DNS root name servers. Such test traffic may or may not be indicative of what happens to normal traffic or user experience. 3. Analysis This event was notable for the fact that source addresses were widely and evenly distributed and consisted of TCP SYN and ICMP packets. This incident, therefore, is different from typical DNS amplification attacks whereby DNS name servers (including the DNS root name servers) have been used as reflection points to overwhelm some third party. The DNS root name server system functioned as designed, demonstrating overall robustness in the face of large-scale traffic floods observed at DNS root name servers. Due to the fact that IP source addresses can be easily spoofed, and because event traffic landed at large numbers of anycast sites, it is unrealistic to trace the incident traffic back to its source. Source Address Validation and BCP-38 ingress filtering should be used wherever possible to reduce the ability to abuse networks to transmit spoofed source packets. rootops [Page 2]