Verisign’s Perspective on Recent Root Server Attacks
http://www.circleid.com/posts/20151215_verisign_perspective_on_recent_root_server_attacks
Sometimes, the DNS root name servers receive attack traffic where the intent seems to be clear. By examining the traffic, and perhaps with other supporting information, it may be easy to discern whether the intended victim is a third party, or perhaps the root server system itself. At other times, however, the intent is less obvious.
The events of Nov. 30 and Dec. 1, 2015, are one of those cases where the intent as observable on the root server operations side of the system is unclear. While a number of DNS root name servers did receive high levels of traffic, it is unclear whether the intent was to harm the root server system itself.
[...]
In addition to anycasting and an array of DNS transaction processing capabilities, Verisign and the other DNS root server operators have a number of techniques for identifying anomalous system loads and then classifying and mitigating malicious activity, as appropriate.
• blocking bogons
• source address filtering (BCP38), although not usable at the root server system itself in this case due to the obvious presence of source address spoofing employed by the attacker source networks
• response rate limiting (RRL)
This very interesting video shows graphically, using Hilbert space-filling curve[1] representations, that the spoofed source addresses are being generated more or less sequentially, and it gives an idea of how the attack operated on two fronts, as monitored on Verisign’s A-Root.
https://www.youtube.com/watch?v=f8J52JhukLo
_
[1] A space-filling curve, mapping 1D into 2D while preserving locality, i.e. points near each other in terms of distance along the curve will also be near each other on the 2D plane: http://datagenetics.com/blog/march22013/index.html
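
An added example (not from Verisign or the original post) of the mapping behind such plots, assuming one cell per /24 of IPv4 space: source addresses generated sequentially land in touching cells along the Hilbert curve, while random ones scatter. The `locality_ratio` heuristic, the function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import random

def d2xy(n, d):
    """Map distance d along a Hilbert curve to (x, y) on an n x n grid (n a power of 2)."""
    x = y = 0
    s = 1
    while s < n:
        rx = 1 & (d // 2)
        ry = 1 & (d ^ rx)
        if ry == 0:                      # rotate/flip the quadrant built so far
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        d //= 4
        s *= 2
    return x, y

def ip_to_cell(ip, prefix_bits=24):
    """Plot cell for the /prefix_bits block containing ip (prefix_bits must be even)."""
    index = int(ipaddress.IPv4Address(ip)) >> (32 - prefix_bits)
    return d2xy(1 << (prefix_bits // 2), index)

def locality_ratio(sources, prefix_bits=24):
    """Fraction of consecutive arrivals whose cells touch (Manhattan distance <= 1)."""
    cells = [ip_to_cell(ip, prefix_bits) for ip in sources]
    near = sum(abs(ax - bx) + abs(ay - by) <= 1
               for (ax, ay), (bx, by) in zip(cells, cells[1:]))
    return near / (len(cells) - 1)

# Constructed sample data (not taken from the attack): 256 sources walking
# 198.18.0.0/16 one /24 at a time, and 256 sources drawn at random (fixed seed).
SEQUENTIAL = [f"198.18.{i}.7" for i in range(256)]
_rng = random.Random(1)
SCATTERED = [str(ipaddress.IPv4Address(_rng.getrandbits(32))) for _ in range(256)]

if __name__ == "__main__":
    print("sequential:", locality_ratio(SEQUENTIAL))
    print("scattered: ", locality_ratio(SCATTERED))
```

A ratio near 1 over a window of query sources indicates sequentially generated addresses; legitimate resolver traffic and randomly spoofed sources both score far lower.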