ISC Bulletin #1

Sue Graves Sue_Graves at
Wed Feb 14 03:49:41 UTC 2007

This communication is intended for anyone interested in more information
on the DDoS attack of last week.

As you are probably aware, there was an attack on several of the root
nameservers early Tuesday morning of last week.  ISC operates (F-root), one of the 13 root nameservers that was
targeted.  The attack was a 'distributed denial of service' (DDoS)
attack, in which attackers tried to disable root DNS service by
overwhelming the network paths to the root servers with malicious
packets meant to pass as legitimate DNS traffic.  Overall, root name
service as provided by F-root was not compromised. The distributed
F-root architecture includes a mix of global and local anycast nodes.
The global nodes and the local Asian nodes showed some degradation
during the first two hours, but others were unaffected. David Knight, of
ISC's Operations group, made a brief presentation at the North American
Network Operators' Group (NANOG) conference the next morning. The
slides, which include some technical detail on the attack, can be found

ISC began using anycast in a single location in 1998.  Wider deployment
began in Madrid in 2002.  We're pleased to report that anycast worked
just as expected.  Anycast deployment helped counter this attack by
fragmenting it into smaller pieces that were easier to deal with, as
well as isolating the effects into the area of greatest concentration of
sources of the attack. This left other regions far from the sources with
a completely unaltered service. Overall, the increase in aggregated
network bandwidth, CPU power and service capacity helped make this
attack non-disruptive for the Internet at large.

As a customer of ISC, you are well aware of our software development
skills, however, you may not be aware of our additional expertise in DNS
operations. The F-root nameservers answer over 15,000 queries per second
globally.  F is deployed at 40 sites in 32 different countries.  Anycast
makes sense for us, it might make sense for you.  You can learn more
about F-root at:  Specifics about
anycast can be found at:

You may not be aware that we offer secondary hosting on a best-effort
basis at no charge to many xxTLD's, ISC customers and non-profits.  If
you're interested in learning more about whether anycast would be of
benefit in your network, or in our secondary hosting, please contact us
at info at

If you'd like to learn more about DNS issues on a global
scale, you should consider OARC (  ISC's OARC
(Operational Analysis and Research Center) played a key supportive role
during the attack. OARC facilitated a coordinated response via secure
real-time communications between root and top-level domain server
operators and other OARC members.

Post-attack, OARC is using its infrastructure and working with members
to gain understanding of the attack's source and impact. This includes
uploading data using OARC's DSC and PCAP tools from affected server
operators to our NSF-funded 4TB data repository. From there it is
available for analysis by members and the research community, to gain
further understanding of the causes and how to prevent future such attacks.

OARC membership and resources are open to all large-scale DNS operators,
implementers, active researchers and law enforcement agencies. OARC also
provides a number of tools and mailing lists open to DNS operators of
all types. Please contact OARC Programme Manager Keith Mitchell
<admin at> for more information.

Susan Graves
ISC Client Services Manager
650-423-1323 office
susan_graves at

More information about the bind-announce mailing list