On Saturday, August 7th, 2010, DNS provider DNS Made Easy was the target of a very large denial of service attack. As far as can be determined, the total traffic volume exceeded 40 gigabits per second, enough to saturate roughly a million dialup Internet lines. Several of DNS Made Easy’s upstream providers had saturated backbone links themselves. There are indications that not only DNS Made Easy suffered from this attack, but the Internet as a whole.
An attack on DNS is an attack on the Internet in two ways. First, name servers are a critical point in almost every Internet access: nearly every connection starts with a name lookup. Second, as our research shows, the consequences of this attack reached well beyond the attack’s primary target.
According to DNS Made Easy, service impact was limited. According to our measurements, the failure rate for lookups served by the provider was around 5-10% on a global basis.
“In some regions there were no issues, in other regions outages lasted a few minutes, while in other regions there were sporadic (up and down) outages for a couple of hours. In Europe, for instance, there was never any downtime. In Asia downtime continued longer than in other regions. In the United States the west coast was hit much harder and experienced issues longer than the central and east coast.”
DNS was designed from the ground up to be resilient to individual server failures. In theory, this should make the loss of a few servers irrelevant. On top of this, the provider has implemented an anycast routing infrastructure, which works to ensure that DNS queries from all over the world are answered by a regional instance. Note that because of this anycast routing, outages depend on where the clients (resolvers) are located, not on the servers whose names are being queried.
However, measurements and analyses that I made in collaboration with WatchMouse.com have uncomfortable implications. WatchMouse regularly measures the performance, including the DNS resolve time, of thousands of sites through a network of more than 40 monitoring stations spread over all continents.
In a dataset of sites whose DNS records were served by the provider, resolve times rose from a normal average of less than 100 milliseconds to over 200 milliseconds during the hours of the attack. The average failure rate in this dataset is around 1%; during the attack hours it rose to 5% and even 10%. As can be expected, these failure rates differed greatly by monitoring station, though it is hard to see a geographical pattern.
Another dataset consists of regular measurements of more than 300 sites, with a total of more than 300,000 individual measurements over a period of 8 days. In contrast to the first dataset, none of these sites had their DNS service from DNS Made Easy. The sites are operated by a wide variety of industries.
In the seven days leading up to the attack, the daily average DNS resolution time in this dataset was between 352 and 379 milliseconds. On the 7th of August, the average was 453 milliseconds, which is significantly higher. Averaged by the hour, resolution times rose to 600 and even 800 milliseconds. There are failure rate fluctuations in this dataset, but they appear to be uncorrelated with the attack.
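The two datasets above are summarised in the same way: per-hour and per-day averages of resolve time, failure rates, and a comparison against the days before the attack. The script below is an added example of that aggregation, not WatchMouse’s or the author’s code. The monitoring records, station names, check interval and attack window are all constructed here; the only assumptions about the record format are that each check carries a timestamp, a station, a resolve time and a success flag, and that failed lookups (timeouts, error responses) have no usable resolve time and are therefore left out of the average but counted in the failure rate.

```python
"""Hourly/daily aggregation of DNS monitoring checks with outlier flagging.

Added example: the samples are constructed, not WatchMouse data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Sample:
    ts: datetime       # time of the check (UTC assumed)
    station: str       # monitoring station, i.e. where the resolver sits
    resolve_ms: float  # DNS resolve time; meaningless when ok is False
    ok: bool           # False for a timeout or an error response


@dataclass
class Bucket:
    """Running totals for one aggregation period (hour or day)."""
    n_total: int = 0
    n_ok: int = 0
    sum_ok_ms: float = 0.0

    def add(self, s: Sample) -> None:
        self.n_total += 1
        if s.ok:
            self.n_ok += 1
            self.sum_ok_ms += s.resolve_ms

    def merge(self, other: "Bucket") -> "Bucket":
        return Bucket(self.n_total + other.n_total, self.n_ok + other.n_ok,
                      self.sum_ok_ms + other.sum_ok_ms)

    @property
    def avg_ms(self) -> float:
        # Failed lookups carry no resolve time: average over successes only.
        return self.sum_ok_ms / self.n_ok if self.n_ok else float("nan")

    @property
    def fail_rate(self) -> float:
        return 1.0 - self.n_ok / self.n_total if self.n_total else float("nan")


STATIONS = ("ams", "nyc", "sfo", "sin", "syd")  # constructed station names


def make_samples(start: datetime, hours: int, normal_ms: float,
                 attack_hours: range, attack_ms: float) -> list:
    """Constructed series: every station checks once per 5 minutes.
    Normally one lookup per hour fails; in attack_hours the resolve time
    jumps to attack_ms and two stations fail every 20 minutes."""
    out = []
    for h in range(hours):
        hour_start = start + timedelta(hours=h)
        under_attack = h in attack_hours
        base = attack_ms if under_attack else normal_ms
        for i, station in enumerate(STATIONS):
            for m in range(0, 60, 5):
                ms = base + 5 * i + (m % 20)   # small deterministic jitter
                if under_attack:
                    failed = station in ("sfo", "sin") and m % 20 == 0
                else:
                    failed = station == "ams" and m == 0
                out.append(Sample(hour_start + timedelta(minutes=m), station, ms, not failed))
    return out


def aggregate(samples, key) -> dict:
    """Group samples by key(ts) (hour or day start), sorted by period."""
    buckets = defaultdict(Bucket)
    for s in samples:
        buckets[key(s.ts)].add(s)
    return dict(sorted(buckets.items()))


def hour_key(ts: datetime) -> datetime:
    return ts.replace(minute=0, second=0, microsecond=0)


def day_key(ts: datetime) -> datetime:
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def baseline(hourly: dict, before: datetime) -> Bucket:
    """Pooled statistics of all hours strictly before `before`."""
    b = Bucket()
    for hour, bucket in hourly.items():
        if hour < before:
            b = b.merge(bucket)
    return b


def flag_hours(hourly: dict, base: Bucket, ms_factor=1.5, fail_factor=3.0) -> list:
    """Hours whose resolve time or failure rate is far above the baseline."""
    return [hour for hour, b in hourly.items()
            if b.avg_ms > ms_factor * base.avg_ms
            or b.fail_rate > fail_factor * base.fail_rate]


START = datetime(2010, 8, 6, 0, 0)
ATTACK = range(30, 34)   # 06:00-09:59 on 7 Aug in this constructed series
SAMPLES = make_samples(START, 48, normal_ms=90.0, attack_hours=ATTACK, attack_ms=210.0)
HOURLY = aggregate(SAMPLES, hour_key)
DAILY = aggregate(SAMPLES, day_key)
BASE = baseline(HOURLY, START + timedelta(hours=ATTACK.start))

if __name__ == "__main__":
    print(f"baseline: {BASE.avg_ms:.1f} ms, {BASE.fail_rate:.1%} failures")
    for day, b in DAILY.items():
        print(f"{day:%Y-%m-%d}: {b.avg_ms:.1f} ms, {b.fail_rate:.1%} failures")
    for hour in flag_hours(HOURLY, BASE):
        b = HOURLY[hour]
        print(f"  flagged {hour:%Y-%m-%d %H:00}: {b.avg_ms:.1f} ms, {b.fail_rate:.1%}")
```

Two details matter when reproducing the article’s numbers. The daily average dilutes a four-hour incident heavily (here the attack day reads 126 ms against a 108 ms baseline, while the affected hours read 228 ms), which is why the text reports hourly figures as well. And the failure rate and the resolve-time average are computed from different denominators, so a spike in one can appear without the other, which is what the second dataset shows.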
Note that these measurements also support the provider’s claim of shorter resolve times: a regular DNS lookup in the second dataset takes around 350 milliseconds, while DNS Made Easy’s average is less than 100 milliseconds.
In conclusion, these results are disturbing because even sites that are TOTALLY UNRELATED to DNS Made Easy were affected in their response times. The implication is that this denial of service attack was big enough to cause collateral damage to the rest of the Internet.
One Comment on “An attack on DNS is an attack on the Internet”
pve, 19 August 2010 at 07:14
This article is discussed in more detail on CircleID, http://www.circleid.com/posts/an_attack_on_dns_is_an_attack_on_the_internet/