someone wrote me privately and asked:
Hi, Paul - Some of the articles on the 1434 worm talk about
5 or more root nameservers being down.
a lot of people are pretty confused about the data they have available;
sometimes it's because they have the wrong data, and sometimes it's
because they don't know how to interpret it properly.
Do you know if this was just sheer volume, ...
all of the root name servers i monitor (which is, well, i guess, all of
them) looked like they were "up" the whole time of the ms-sql flash worm.
latency and jitter were a bit wider than normal, but there was no packet
loss at all. (note: icmp is a poor test; some roots won't answer "ping".)
looking at rob thomas's graphs tends to confirm that this was generally
true for most people who monitor the roots, no matter what their point of
"view".
in the f-root case, our traffic volume went DOWN by a little bit during the
ms-sql flashworm, which corresponded to a number of bgp session resets from
our peers. my assumption so far is that a lot of the normal root service
traffic bound for "f-root" didn't get here due to OPN (which is "other
people's networks" -- the bane of all reliability goals and programmes.)
... or were some of the routers providing connectivity to them
actually allowing in UDP 1434?I'd expect that, given the variety of different attacks on them,
at least most of them would block anything except DNS requests
except from approved locations, and preferably do so at the ISP routers
instead of whatever access lines they're on....
at f-root we don't generate "icmp port unreachable" when non-53 udp is
heard -- it's a difference between "deny" and "reject" in freebsd's ipfw
and ip6fw subsystems. (most of the f-root hosts are now better able to
drop this traffic than their upstream routers are, due to hardware ages.)
i'd like to know who it is that couldn't reach 5 of the 13 servers, so if
anyone on nanog@ has heard that, please tell me what you heard and who you
heard it from so i can get to the bottom of it.