Recent analysis of DNS data revealed some interesting pictures. Drilling down into detailed data for a single resolver showed one of the DDoS attacks that occur every day. In this case a small domain, 888fy.com, a gaming site in China (a common category of target), was attacked. The graph below shows two different attacks, each lasting several hours.
Since Vantio servers can store every query, the Nominum Research team thought it would be interesting to turn up the resolution and look closely at how the attack ramped up. First they looked at incoming queries. The data showed the attack started very quickly, almost instantly, and then remained fairly consistent for the duration of the attack, as shown in the graph below. This was not visible in the graph above, where it appears as though the attack ramped up slowly over the course of an hour.
Then they looked at the answer data (responses to the attack queries). This showed the authoritative server slowly failing under the load. The graph shows rapid methodical degradation of the service!
In this case the resolver was not (yet) configured for ingress filtering. See the blog post New Best Practice: Ingress Filtering to Deter DNS DDoS for a discussion of the effectiveness of ingress filtering, implemented with Vantio Precision Policies and the Global Intelligence Xchange, in deterring these attacks. This resolver is now protected! Better still, ingress filtering ensures that the authoritative servers being attacked are protected too. Good for the provider. Good for the content provider. Good for the Internet.