The Root Servers Were Attacked! (Or: Why Is It So Hard to Take Down the Internet?)

You may have heard of the 13 root servers: they are the ones that run the DNS, the magic system that turns our site into 104.27.137.192 so that you do not need to memorize the IPs of your favorite sites. By the same token, they are essential to the functioning of the internet. And being so important, they are of course also constant targets of attacks that try to knock them down.


One of the largest attacks ever suffered by the root servers took place in the early morning hours of November 30 and December 1. The situation was so unusual (this is the third time in history that something of this magnitude has occurred) that the operators published a report describing the incident.

According to the operators, each root server received more than 5 million requests per second. Doing the math, if we consider that the attack lasted more than 4 hours, the volume may have reached 1 trillion (!) malicious requests. This chart shows the absurd number of requests received on the days of the attack by just one of the 13 root servers, a.root-servers.org (198.41.0.4), operated by VeriSign:

Three servers could not withstand the huge traffic and went offline for a few hours. But if they were hit with such a large number of requests, and they are that important, why did you notice no relevant difference in your browsing speed? Let's demystify a few things.

First, not all requests need to go through the root servers (in fact, most do not). With the internet as huge as it is, it would be impractical and risky to funnel such a giant and important table through a very few servers. That's why you probably use Google's DNS, OpenDNS or your ISP's resolver to resolve domains: they keep a cache of the information and communicate with each other to update their base with new domains and changed servers.

So even in the apocalyptic scenario where all 13 root servers are attacked and taken offline, you can still access the internet for a long time, since the DNS server you use will keep working.
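To make the two paragraphs above concrete, here is a toy recursive resolver with a delegation cache. It is an added example, not code from the original post or from any real resolver: the zone data, server names and TTLs are constructed for the demo. It shows that the root is only asked on a cache miss for a TLD delegation, that a second name under the same TLD never touches the root, and that with a warm cache the resolver keeps answering even after the root becomes unreachable, until the cached delegation itself expires.

```python
"""Toy recursive resolver with a delegation cache (added example).

Zone data and TTLs below are constructed for the demo; they are not the
records or TTLs of any real zone.
"""

TTL_DELEGATION = 172_800   # constructed: 2 days for NS delegations
TTL_ANSWER = 300           # constructed: 5 minutes for final A records

# Constructed zone data. The root only knows which server serves each TLD,
# each TLD server only knows which server serves each delegated zone, and
# the zone's own server holds the A records.
ROOT_ZONE = {"com.": "a.gtld.test.", "org.": "a0.org.test."}
TLD_ZONES = {
    "a.gtld.test.": {"example.com.": "ns1.example.com."},
    "a0.org.test.": {"example.org.": "ns1.example.org."},
}
AUTH_ZONES = {
    "ns1.example.com.": {"www.example.com.": "192.0.2.10",
                         "mail.example.com.": "192.0.2.25"},
    "ns1.example.org.": {"www.example.org.": "198.51.100.7"},
}


class RootUnreachable(Exception):
    """Raised when a delegation is not cached and the root cannot be asked."""


class Resolver:
    def __init__(self):
        self.now = 0                 # simulated clock, in seconds
        self.cache = {}              # (rrtype, name) -> (value, expires_at)
        self.root_available = True   # flip to False to simulate all roots offline
        self.root_queries = 0        # how many times the root was actually asked

    def tick(self, seconds):
        self.now += seconds

    def _get(self, key):
        entry = self.cache.get(key)
        if entry is None or entry[1] <= self.now:   # missing or expired
            self.cache.pop(key, None)
            return None
        return entry[0]

    def _put(self, key, value, ttl):
        self.cache[key] = (value, self.now + ttl)

    def resolve(self, name):
        """Resolve a fully qualified name (trailing dot) to its constructed A record."""
        answer = self._get(("A", name))
        if answer is not None:
            return answer
        labels = name.rstrip(".").split(".")
        tld = labels[-1] + "."                  # "www.example.com." -> "com."
        zone = ".".join(labels[-2:]) + "."      # "www.example.com." -> "example.com."
        # Step 1: who serves the TLD? Ask the root only on a cache miss.
        tld_server = self._get(("NS", tld))
        if tld_server is None:
            if not self.root_available:
                raise RootUnreachable(f"no cached delegation for {tld}")
            self.root_queries += 1
            tld_server = ROOT_ZONE[tld]
            self._put(("NS", tld), tld_server, TTL_DELEGATION)
        # Step 2: who serves the zone? Ask the TLD server only on a cache miss.
        zone_server = self._get(("NS", zone))
        if zone_server is None:
            zone_server = TLD_ZONES[tld_server][zone]
            self._put(("NS", zone), zone_server, TTL_DELEGATION)
        # Step 3: ask the zone's own server; an unknown name raises KeyError here.
        answer = AUTH_ZONES[zone_server][name]
        self._put(("A", name), answer, TTL_ANSWER)
        return answer


def demo():
    """Returns (root queries made, answer obtained with the root offline)."""
    r = Resolver()
    r.resolve("www.example.com.")    # cold cache: one root query
    r.resolve("mail.example.com.")   # .com delegation cached: no root query
    r.resolve("www.example.org.")    # new TLD: second root query
    r.root_available = False         # all roots offline from here on
    r.tick(600)                      # A records expired, delegations still cached
    still_works = r.resolve("www.example.com.")
    return r.root_queries, still_works


if __name__ == "__main__":
    print(demo())
```

Three names resolved, two root queries, and the resolver still answers with every root unreachable; only once the cached delegation's TTL runs out does it fail with `RootUnreachable`.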

Moreover, not everyone knows that the 13 root servers are not exactly... 13 root servers. How so? l.root-servers.org, for example, is known as 199.7.83.42, is operated by ICANN and is originally located in the United States. But it has several mirrors spread throughout the world: there are even some in Brasília, Florianópolis, Belo Horizonte, Porto Alegre and São Paulo.

These are the "13" root servers (the numbers on the balls represent the number of instances in each region; within Brazil there are 27):

That is, anyone who wants to bring down a single root server needs to attack dozens or hundreds of machines around the world, which greatly increases the reliability of the service.

And anycast, the routing method used by most of the root servers, can also be effective in mitigating attacks. When you access 199.7.83.42, an American IP, you are actually connecting to any one of the 157 l.root-servers.org machines (usually the one closest to you). That's why, if you measure the latency to 199.7.83.42, you will probably get a very low ping, not the 100-plus milliseconds it commonly takes to reach the United States.

This creates another problem for attackers: since they have no control over which machine they will reach, a simple attack launched from a single computer would not even tickle the service, because at worst it would only bring down the nearest instance of that root server. If there is a distributed denial-of-service attack and all the l.root-servers.org instances in America and Europe are taken down, fine: 199.7.83.42 will answer from... Yemen. Or Pakistan. Or Tanzania. Or that spot in the middle of the Pacific Ocean on the map above.

And if all 157 l.root-servers.org machines are taken down? Well, then l.root-servers.org would be offline, but you would still have the other "12" root servers to use normally.
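The anycast behaviour described in the last three paragraphs (one IP, many instances, the nearest one answers, and the next nearest takes over when instances fall) can be modelled in a few lines. This is an added example, not the original post's code and not the real l.root-servers.org deployment: the instance list and coordinates are constructed, and "nearest" is approximated by great-circle distance, whereas real anycast selection is decided by BGP path selection. It shows that a flood from one location lands on one instance only while a client elsewhere is served by its own instance, and that taking down the American and European instances just moves the answering instance to Africa or Asia; the shared IP only stops answering when every instance is down.

```python
"""Toy anycast routing model for one root-server letter (added example).

Instances and coordinates are constructed for the demo. Nearest-by-distance
stands in for BGP path selection, which is what real anycast uses.
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0


@dataclass
class Instance:
    name: str
    region: str
    lat: float
    lon: float
    up: bool = True


def build_instances():
    """Constructed sample of instances with approximate city coordinates."""
    return [
        Instance("sao-paulo", "americas", -23.5, -46.6),
        Instance("miami", "americas", 25.8, -80.2),
        Instance("amsterdam", "europe", 52.4, 4.9),
        Instance("sanaa", "asia", 15.4, 44.2),
        Instance("islamabad", "asia", 33.7, 73.1),
        Instance("dar-es-salaam", "africa", -6.8, 39.3),
    ]


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points (haversine formula)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def nearest_instance(lat, lon, instances):
    """The instance that answers the shared anycast IP for a client at (lat, lon).

    Returns None when no instance is up, i.e. the whole letter is offline.
    """
    live = [i for i in instances if i.up]
    if not live:
        return None
    return min(live, key=lambda i: distance_km(lat, lon, i.lat, i.lon))


def take_down(instances, names):
    """Mark the named instances as overwhelmed: their route is withdrawn."""
    for i in instances:
        if i.name in names:
            i.up = False


def load_by_instance(clients, instances):
    """clients: list of (lat, lon, queries_per_second). Returns load per instance."""
    load = {}
    for lat, lon, qps in clients:
        inst = nearest_instance(lat, lon, instances)
        if inst is not None:
            load[inst.name] = load.get(inst.name, 0) + qps
    return load


def demo():
    insts = build_instances()
    # A single-source flood from Sao Paulo lands on one instance only; a
    # normal client in Lisbon is served by Amsterdam and never sees it.
    single_source = load_by_instance(
        [(-23.5, -46.6, 5_000_000), (38.7, -9.1, 10)], insts)
    # Knock out the Americas and Europe: the same IP now answers from Africa.
    take_down(insts, {"sao-paulo", "miami", "amsterdam"})
    fallback = nearest_instance(-23.5, -46.6, insts).name
    return single_source, fallback


if __name__ == "__main__":
    print(demo())
```

With the constructed coordinates the São Paulo client is served by São Paulo, then Miami once that instance is gone, then Dar es Salaam once the Americas and Europe are gone, and gets no answer only when all six instances are down.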

And if all the root servers are taken down? In that case, which I believe would only happen if it rained Dramamine and Polaramine, every IT security professional fell asleep and only zombie computers were left running the world, the DNS servers of Google, OpenDNS and thousands of companies would stay up, perhaps a bit slower, perhaps with some outdated IPs.

They just wouldn't have anyone left to access them.