curious DNS outage on March 8th?
Carter Bullard
carter at qosient.com
Wed Mar 28 09:47:22 EDT 2012
Gentle people,
In anticipation of Anonymous crushing the internet, I've been sniffing around my archives
looking for evidence of Anonymous practice runs, and did see a significant DNS perturbation
on March 8th here in NYC. Did anyone capture a curious DNS outage at your site
around 2012/03/08.22:35:00 - 2012/03/08.23:45:00 EST?
I experienced a number of North American DNS servers "going away", where they
just stopped responding, but no other traffic seems to have been affected. Need some
additional verification before I will move past the hypothesis stage. Would be interesting
to know if anyone else saw a sudden loss of responsiveness from exterior DNS servers in
this time period.
I noticed that google.com was hammered pretty good, so focusing on google.com
DNS resolution may be informational. If you are capturing user data, so that you can
grep for specific DNS queries, try this query (all times here are EST5EDT4):
ra -t 2012/03/08.22:35-2012/03/08.23:45 -R 2012/03/08 -e google.com - udp and port domain
If you were affected, you would see a significant number of DNS queries that had no
responses (dst pkts eq 0). A more scientific report can be generated using rahisto.1.
You can calculate the frequency distribution of transaction times for all DNS going
to google.com's CIDR block:
rahisto -H dur 20:0-0.1 -r 03/08 03/09 - udp and port domain and net 216.239.0.0/18
Here are my results for the entire day of 03/07:
rahisto -H dur 20:0-0.1 -r 2012/03/07 - udp and port domain and net 216.239.0.0/18
 N = 492  mean = 0.029719  stddev = 0.014173  max = 0.096320  min = 0.000000
 median = 0.028108  95% = 0.053595
 mode = 0.000000
 Class    Interval       Freq   Rel.Freq    Cum.Freq
     1    0.000000e+00      7    1.4228%     1.4228%
     2    5.000000e-03      0    0.0000%     1.4228%
     3    1.000000e-02     71   14.4309%    15.8537%
     4    1.500000e-02     76   15.4472%    31.3008%
     5    2.000000e-02     21    4.2683%    35.5691%
     6    2.500000e-02     87   17.6829%    53.2520%
     7    3.000000e-02    117   23.7805%    77.0325%
     8    3.500000e-02     18    3.6585%    80.6911%
     9    4.000000e-02      5    1.0163%    81.7073%
    10    4.500000e-02      0    0.0000%    81.7073%
    11    5.000000e-02     74   15.0407%    96.7480%
    12    5.500000e-02      8    1.6260%    98.3740%
    13    6.000000e-02      2    0.4065%    98.7805%
    14    6.500000e-02      2    0.4065%    99.1870%
    15    7.000000e-02      2    0.4065%    99.5935%
    16    7.500000e-02      1    0.2033%    99.7967%
    17    8.000000e-02      0    0.0000%    99.7967%
    18    8.500000e-02      0    0.0000%    99.7967%
    19    9.000000e-02      0    0.0000%    99.7967%
    20    9.500000e-02      1    0.2033%   100.0000%
Here are my results for the entire day of 03/08:
rahisto -H dur 20:0-0.1 -R 2012/03/08 - udp and port domain and net 216.239.0.0/18
 N = 1046  mean = 0.021668  stddev = 0.019670  max = 0.092698  min = 0.000000
 median = 0.018990  95% = 0.053714
 mode = 0.000000
 Class    Interval       Freq   Rel.Freq    Cum.Freq
     1    0.000000e+00    355   33.9388%    33.9388%
     2    5.000000e-03      0    0.0000%    33.9388%
     3    1.000000e-02     68    6.5010%    40.4398%
     4    1.500000e-02    103    9.8470%    50.2868%
     5    2.000000e-02     23    2.1989%    52.4857%
     6    2.500000e-02    104    9.9426%    62.4283%
     7    3.000000e-02    199   19.0249%    81.4532%
     8    3.500000e-02     22    2.1033%    83.5564%
     9    4.000000e-02      7    0.6692%    84.2256%
    10    4.500000e-02      9    0.8604%    85.0860%
    11    5.000000e-02    123   11.7591%    96.8451%
    12    5.500000e-02     10    0.9560%    97.8011%
    13    6.000000e-02      7    0.6692%    98.4704%
    14    6.500000e-02      2    0.1912%    98.6616%
    15    7.000000e-02      3    0.2868%    98.9484%
    16    7.500000e-02      4    0.3824%    99.3308%
    17    8.000000e-02      5    0.4780%    99.8088%
    18    8.500000e-02      0    0.0000%    99.8088%
    19    9.000000e-02      2    0.1912%   100.0000%
    20    9.500000e-02      0    0.0000%   100.0000%
From a daily report, you see on the 8th a shift from 1.4% failed transactions to 33.9%.
The incident lasted about an hour, and here is my rahisto.1 run during the event. 99.7% failure.
rahisto -H dur 20:0-0.1 -r 2012/03/08 -t 2012/03/08.22:35-2012/03/08.23:45 - \
udp and port domain and net 216.239.0.0/18
 N = 335  mean = 0.000245  stddev = 0.004471  max = 0.081955  min = 0.000000
 median = 0.000000  95% = 0.000000
 mode = 0.000000
 Class    Interval       Freq   Rel.Freq    Cum.Freq
     1    0.000000e+00    334   99.7015%    99.7015%
     2    5.000000e-03      0    0.0000%    99.7015%
     3    1.000000e-02      0    0.0000%    99.7015%
     4    1.500000e-02      0    0.0000%    99.7015%
     5    2.000000e-02      0    0.0000%    99.7015%
     6    2.500000e-02      0    0.0000%    99.7015%
     7    3.000000e-02      0    0.0000%    99.7015%
     8    3.500000e-02      0    0.0000%    99.7015%
     9    4.000000e-02      0    0.0000%    99.7015%
    10    4.500000e-02      0    0.0000%    99.7015%
    11    5.000000e-02      0    0.0000%    99.7015%
    12    5.500000e-02      0    0.0000%    99.7015%
    13    6.000000e-02      0    0.0000%    99.7015%
    14    6.500000e-02      0    0.0000%    99.7015%
    15    7.000000e-02      0    0.0000%    99.7015%
    16    7.500000e-02      0    0.0000%    99.7015%
    17    8.000000e-02      1    0.2985%   100.0000%
    18    8.500000e-02      0    0.0000%   100.0000%
    19    9.000000e-02      0    0.0000%   100.0000%
    20    9.500000e-02      0    0.0000%   100.0000%
What I saw was most of my external DNS servers went away for about an hour. Most everything
else worked fine; existing long-lived flows, for example, were unaffected. But web pages that were
dependent on DNS resolution to complete were stalled.
Hope all is most excellent,
Carter
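Added example (not from Carter's post or the argus project): a small Python reconstruction of the two checks in the message, the "dst pkts eq 0" no-response test and the rahisto-style duration histogram with 20 classes over 0-0.1 s, run over constructed flow records. The record layout (stime, proto, daddr, dport, dur, dpkts), the sample values and the clamping of out-of-range durations into the last class are my assumptions, not argus behaviour.

```python
import ipaddress

# Constructed sample records (not real capture data). Field order mirrors the
# ra fields the post relies on: stime, proto, daddr, dport, dur, dpkts.
SAMPLE_FLOWS = [
    ("2012/03/08.22:40:01", "udp", "216.239.32.10", 53, 0.028, 1),
    ("2012/03/08.22:40:02", "udp", "216.239.34.10", 53, 0.000, 0),
    ("2012/03/08.22:40:03", "udp", "216.239.36.10", 53, 0.000, 0),
    ("2012/03/08.22:40:04", "udp", "216.239.38.10", 53, 0.051, 1),
    ("2012/03/08.22:40:05", "udp", "8.8.8.8", 53, 0.000, 0),        # outside the block
    ("2012/03/08.22:40:06", "tcp", "216.239.32.10", 80, 0.300, 4),  # not DNS
    ("2012/03/08.22:40:07", "udp", "216.239.32.10", 53, 0.000, 0),
    ("2012/03/08.22:40:08", "udp", "216.239.32.10", 53, 0.097, 1),
]

GOOGLE_NET = ipaddress.ip_network("216.239.0.0/18")


def select_dns(flows, net=GOOGLE_NET):
    """Same selection as the filter 'udp and port domain and net 216.239.0.0/18'."""
    return [f for f in flows
            if f[1] == "udp" and f[3] == 53 and ipaddress.ip_address(f[2]) in net]


def unanswered_ratio(flows):
    """Share of selected queries that drew no reply packets, i.e. 'dst pkts eq 0'."""
    dns = select_dns(flows)
    return sum(1 for f in dns if f[5] == 0) / len(dns) if dns else 0.0


def dur_histogram(flows, bins=20, lo=0.0, hi=0.1):
    """Rebuild the 'rahisto -H dur 20:0-0.1' table: equal-width classes over dur.
    Returns (class_start, freq, rel_freq_pct, cum_freq_pct) per class. Durations
    at or above hi are clamped into the last class (my choice, not rahisto's)."""
    dns = select_dns(flows)
    width = (hi - lo) / bins
    counts = [0] * bins
    for f in dns:
        counts[min(int((f[4] - lo) / width), bins - 1)] += 1
    rows, cum = [], 0.0
    for i, c in enumerate(counts):
        rel = 100.0 * c / len(dns) if dns else 0.0
        cum += rel
        rows.append((lo + i * width, c, rel, cum))
    return rows


if __name__ == "__main__":
    print("unanswered: %.1f%%" % (100 * unanswered_ratio(SAMPLE_FLOWS)))
    for start, freq, rel, cum in dur_histogram(SAMPLE_FLOWS):
        print("%.6e %4d %8.4f%% %9.4f%%" % (start, freq, rel, cum))
```

A day with a healthy class 1 share near 1.4% against a window where class 1 carries nearly everything is the shape the post describes; the same comparison works against any other resolver block by swapping GOOGLE_NET.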