Tuesday was a bit of a quiet day for Deploy360, although it’s worth picking out a couple of presentations. Ricardo Schmidt (University of Twente) provided some observations and lessons learned from the attack on the DNS Root in November last year.
Distributed Denial-of-Service (DDoS) attacks have been getting bigger and more frequent in the past few years, but the attack on the 30 November 2016 saw the DNS root hit with an extra 5 million queries per second that generated traffic loads of up to 35+ Gb/s. The B, C, G and H root servers were most affected, the E, F, I, J and K root servers less so, with the D, L and M root servers not seeing any attack traffic at all. However, even the root servers that weren’t directly attacked felt the impact, as the other servers became less responsive and queries started to be re-directed.
Nevertheless, the root DNS handled the situation well due to its distributed nature and built-in redundancy, and at no time was the service completely unreachable. The lessons to be learned though, is that very large DDoS attacks are now possible and this needs to be taken into account when designing distributed systems and countermeasures. It is unclear who was behind the attack or what the motivations were, but it was clearly intended to take down critical infrastructure and should be considered a wake-up call as to the possibilities in the future.
Another interesting talk was given by Annie Edmundson (Princeton University) on transnational routing detours through surveillance states. This was a study on which countries were being traversed by Internet paths to reach popular destinations, where local traffic left a country, and whether end users could avoid certain countries known to practice surveillance. Traffic to the Alexa Top 100 domains from Brazil was analysed, which revealed that nearly 80% was destined for the United States, whilst nearly 85% of the rest of the traffic traversed the United States. However, by establishing relays in particular countries, it was possible to tunnel traffic to avoid specific countries most of the time, the exception being the United States that was difficult to avoid due to the number of sites hosted there.
Future work will be looking at whether there are significant differences between IPv4 and IPv6, as well as the relationship between IXPs and through which countries traffic is routed.
Finally, although not something we normally cover in Deploy360, we should highlight the presentation from Elise Gerich (ICANN) on the IANA Services. As part of the recent IANA stewardship transition, ICANN has recently established an affiliate non-profit public benefit corporation called Public Technical Identifiers (PTI) to perform the IANA services, and Elise provided some details about this.
The more interesting aspect though, is that IANA recently allocated an additional /18 from the recovered pool of IPv4 to each of the Regional Internet Registries, with further allocations scheduled every six months until March 2019. However, if no more blocks were returned, this would be last allocation of IPv4 addresses, so the message once again is that network operators need to have plans to deploy IPv6 before then.
For those of you who cannot attend the RIPE meeting in person, just a reminder that remote participation is available with audio and video streaming and also a jabber chat room.
The full programme can be found at https://ripe73.ripe.net/programme/meeting-plan/