‹ Back
Deploy360 26 October 2016

RIPE 73 – Highlights from Day 2

Kevin Meynell
By Kevin MeynellSenior Manager, Technical and Operational Engagement

RIPE 73 bannerThe RIPE 73 meeting is happening this week in Madrid, Spain, and we’re highlighting the presentations and activities related to the Deploy360 technologies throughout the week.

Tuesday was a bit of a quiet day for Deploy360, although it’s worth picking out a couple of presentations. Ricardo Schmidt (University of Twente) provided some observations and lessons learned from the attack on the DNS Root in November last year.

Distributed Denial-of-Service (DDoS) attacks have been getting bigger and more frequent in the past few years, but the attack on the 30 November 2016 saw the DNS root hit with an extra 5 million queries per second that generated traffic loads of up to 35+ Gb/s. The B, C, G and H root servers were most affected, the E, F, I, J and K root servers less so, with the D, L and M root servers not seeing any attack traffic at all. However, even the root servers that weren’t directly attacked felt the impact, as the other servers became less responsive and queries started to be re-directed.

Nevertheless, the root DNS handled the situation well due to its distributed nature and built-in redundancy, and at no time was the service completely unreachable. The lessons to be learned though, is that very large DDoS attacks are now possible and this needs to be taken into account when designing distributed systems and countermeasures. It is unclear who was behind the attack or what the motivations were, but it was clearly intended to take down critical infrastructure and should be considered a wake-up call as to the possibilities in the future.

Another interesting talk was given by Annie Edmundson (Princeton University) on transnational routing detours through surveillance states. This was a study on which countries were being traversed by Internet paths to reach popular destinations, where local traffic left a country, and whether end users could avoid certain countries known to practice surveillance. Traffic to the Alexa Top 100 domains from Brazil was analysed, which revealed that nearly 80% was destined for the United States, whilst nearly 85% of the rest of the traffic traversed the United States. However, by establishing relays in particular countries, it was possible to tunnel traffic to avoid specific countries most of the time, the exception being the United States that was difficult to avoid due to the number of sites hosted there.

Future work will be looking at whether there are significant differences between IPv4 and IPv6, as well as the relationship between IXPs and through which countries traffic is routed.

Finally, although not something we normally cover in Deploy360, we should highlight the presentation from Elise Gerich (ICANN) on the IANA Services. As part of the recent IANA stewardship transition, ICANN has recently established an affiliate non-profit public benefit corporation called Public Technical Identifiers (PTI) to perform the IANA services, and Elise provided some details about this.

The more interesting aspect though, is that IANA recently allocated an additional /18 from the recovered pool of IPv4 to each of the Regional Internet Registries, with further allocations scheduled every six months until March 2019. However, if no more blocks were returned, this would be last allocation of IPv4 addresses, so the message once again is that network operators need to have plans to deploy IPv6 before then.

For those of you who cannot attend the RIPE meeting in person, just a reminder that remote participation is available with audio and video streaming and also a jabber chat room.

The full programme can be found at https://ripe73.ripe.net/programme/meeting-plan/

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...

Join the conversation with Internet Society members around the world