Suspected botnet tried to break the Internet by attacking root DNS servers

For two and a half hours on November 30 a barrage of requests — five million queries every second — hit most of the Internet’s 13 root DNS servers. Another attack lasted an hour the next day. A sophisticated botnet is the likely source, but no one is sure what motivated the attack.

In any case, safeguards in place meant the Internet did not go down on November 30, or December 1st. Most people didn’t even notice the attack.

“My takeaway is that the event pretty much ‘didn’t happen’ for the ordinary user,” professor Randal Vaughn of Baylor University told Ars Technica. “They either failed to observe it or just didn’t associate any connectivity issues with an ongoing attack.”

Part of the reason for this is the robustness of the root DNS servers: they’re designed to stand up to a lot of traffic, so even attacks like this don’t amount to much. More importantly, most Internet users don’t make requests of the root DNS servers, instead using the DNS servers provided by an ISP or third party services like Google or OpenDNS.

“The DNS root name server system functioned as designed, demonstrating overall robustness in the face of large-scale traffic floods observed at numerous DNS root name servers,” said a report on the attack.

Still, the attack was unique. Geographically scattered computers sent billions of seemingly valid queries for a single domain name, then repeated the process for another domain the next day. The volume of traffic means someone has access to massive amounts of computing power, and even if it wasn’t nearly enough to cause any actual problems, it’s still troubling. The same power, directed at any other target, would’ve been far more successful at achieving its goal.