[dns-operations] [dDoS] Good discussion on the Rackspace attack and DNS resiliency

Jeroen Massar jeroen at massar.ch
Fri Jan 2 01:17:47 UTC 2015


On 2014-12-31 16:09, David C Lawrence wrote:
> Jeroen Massar writes:
>> A host of mine is receiving a lot of requests towards
>> applicast.ga.sony.net, eg, every minute when that TV is on:
> ...
>> and so on and on.... are these not because of stale DNS data?
> 
> I honestly don't know, but it seems unlikely.  I'll not claim it's
> impossible though.  Or, more aptly, it seems obvious that SOMEONE has
> stale data somewhere, but it is unlikely that it is our resolvers with
> the serve-stale feature.

Someone is the right word. Hard to determine where that is though and
why it is happening at multiple distinct sources.

> Knowing the feature intimately, I can tell you a couple of other things:
> 
> * The name applicast.ga.sony.net is resolving just fine, so even if it
>   were slow to resolve the caches would get the current authoritative
>   value and use that going forward.
> 
> * The length of time for which the resolver will continue to use stale
>   data is itself capped.  It is the "canary in the coal mine" --
>   monitored to warn of a DNS problem before it really blows up.  If
>   the problem can't be fixed within a reasonable amount of time, then
>   the stale entry is purged anyway and things start really failing.
> 
> You didn't say how long that particular example has been an issue, but
> it sounds like you've been seeing it for longer than the hard cap.

4 months and more at least.

> Also, the one IP address you showed that is doing it is not an Akamai
> host.  We don't currently run a customer-facing resolver service so
> our serve-stale feature for internal operations would not present
> stale DNS data to an external client.

Makes sense.

> I'll try to have someone look into what's going on, but it'll be slow
> at this particular time of year.  The best people for it might well be
> on winter holiday.  Right now I'm more suspicious that someone
> embedded IP addresses somewhere, not that stale DNS data is being
> used.

A colleague of yours contacted me, I am providing him with more details so
he can dig into it.

Greets,
 Jeroen
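The quoted reply describes two properties of a serve-stale resolver: expired data is only handed out while the authoritative lookup is failing, and even then only up to a hard cap, after which the entry is purged. The following is an added illustration, not code from either poster or from Akamai's resolver; it is a toy cache model in which the record name, the TTL, the cap value and the returned address are all made-up assumptions, chosen to show why data that has been wrong for four months cannot be explained by a capped serve-stale feature.

```python
"""Added example: minimal model of a resolver cache with serve-stale and a
hard cap on how long stale data may be used. Names, TTLs, addresses and the
cap are assumptions for illustration only, not values from any real resolver."""

from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class CacheEntry:
    value: str
    expires_at: float  # absolute time (seconds) at which the record's TTL runs out


class ServeStaleCache:
    def __init__(self, lookup: Callable[[str], Optional[str]], max_stale: float):
        # lookup() models the authoritative query; it returns None when the
        # authority cannot be reached. max_stale is the hard cap on stale use.
        self.lookup = lookup
        self.max_stale = max_stale
        self.entries: Dict[str, CacheEntry] = {}
        # Count of stale answers served: the "canary" a resolver operator
        # would monitor to notice an upstream DNS problem early.
        self.stale_served = 0

    def resolve(self, name: str, now: float, ttl: float = 60.0) -> Optional[str]:
        entry = self.entries.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.value  # fresh cache hit, nothing to do

        fresh = self.lookup(name)
        if fresh is not None:
            # Authority answered: always prefer the current value and
            # refresh the TTL, regardless of what was cached before.
            self.entries[name] = CacheEntry(fresh, now + ttl)
            return fresh

        # Authority unreachable. Serve the expired record only while we are
        # still inside the stale window (TTL expiry + cap).
        if entry is not None and now < entry.expires_at + self.max_stale:
            self.stale_served += 1
            return entry.value

        # Past the cap: purge the record so the failure becomes visible.
        if entry is not None:
            del self.entries[name]
        return None


def run_scenario() -> dict:
    """Walk one record through fresh -> stale -> purged and return the results."""
    name = "applicast.example"  # constructed placeholder, not a real hostname
    authority = {"up": True}

    def lookup(qname: str) -> Optional[str]:
        # Constructed authoritative answer; 198.51.100.10 is documentation space.
        if authority["up"] and qname == name:
            return "198.51.100.10"
        return None

    cache = ServeStaleCache(lookup, max_stale=3600.0)  # assumed one-hour cap
    out = {}
    out["fresh"] = cache.resolve(name, now=0.0)          # fetched, TTL 60 s
    authority["up"] = False                              # authority goes dark
    out["stale"] = cache.resolve(name, now=100.0)        # TTL expired: served stale
    out["past_cap"] = cache.resolve(name, now=60.0 + 3600.0 + 1.0)  # beyond cap
    out["purged"] = name not in cache.entries
    out["stale_count"] = cache.stale_served
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The point of the model is the last two steps: once `now` passes TTL expiry plus `max_stale`, the resolver stops answering and drops the record, so any client still getting an old address months later is being fed it by something other than a capped serve-stale cache (for example an address embedded in configuration, as the reply suggests).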
