ICANN SSAC Advisory SAC008: DNS Distributed Denial of Service (DDoS) Attacks

In early February 2006, name servers hosting top level domain zones were the repeated recipients of extraordinary heavy traffic loads. Analysis of traffic by TLD name server operators and security experts at large confirmed that DNS packets comprising the attack traffic exhibited characteristics associated with previously attempted DDoS attacks collectively known as amplification attacks.

This advisory describes representative incidents, identifies the impacts, and recommends countermeasures that TLD name server operators can employ for immediate and long- term relief from the harmful effects of these attacks. Certain countermeasures may adversely affect legitimately operated domain name resolvers whose configurations contribute to the success of DDoS attacks; specifically, by operating in the manner they do, some resolvers facilitate DNS amplification attacks. Countermeasure that name server operator might implement to assist in their timely restoration of normal service could also adversely affect name server operators who rely on the service they provide. TLD operators may need to take specific measures to assure they do not worsen the effects of the attacks.

Respected security organizations and advisory groups worldwide encourage name server operators to adopt measures to disable open recursive service and to protect their infrastructures against DDoS attacks. SSAC joins these organizations and makes the following recommendations:

Recommendation (1): For the long term, SSAC recommends that the most effective means of mitigating the effects of this and numerous DoS attacks is to adopt source IP address verification.

Recommendation (2): SSAC specifically recommends that each ROOT and TLD name server operator should:

i. Document operational policies relating to countermeasures it will implement to protect its name server infrastructure against attacks that threaten its ability to offer service, give notice when such measures are implemented, and identify the actions affected parties must take to have the measures terminated.

ii. Respond faithfully and without undue delay to all questions and complaints about unanswered traffic, and

iii. Act with haste to restore service to any blocked IP address if the owner of that IP address can demonstrate that it has secured its infrastructure against the attack.

Recommendation (3): SSAC recommends that name server operators and Internet Service Providers consider the possible remedies described in Section 3 of this Advisory. In particular, SSAC urges name server operators and ISPs to disable open recursion on name servers from external sources and only accept DNS queries from trusted sources to assist in reducing amplification vectors for DNS DDoS attacks.

The full content of the SSAC Advisories quoted here can be found at:

www.icann.org/committees/security/dns-ddos-advisory-31mar06.pdf, and