Three Root Servers Knocked Out By Attacks; Internet Keeps On Ticking

from the is-that-all-you've-got? dept

There’s been some fear in the past about the fact that a key part of keeping the internet running, the core “root servers,” are somewhat vulnerable. There are only 13 root servers, and taking them all out would cause quite a problem. So far, though, attacks have been unable to do so. Nearly five years ago, all 13 were attacked, taking out seven or eight of them for a period of time — though the others picked up the slack and there were no noticeable problems. The latest story is that some sort of attack from hackers took down three of the servers, the biggest attack since the ones in 2002. Some of the attacks went on as long as 12 hours. Again, there was no noticeable impact for most users. However, the question is being raised again about whether using just 13 root servers is really safe. A few years back, there was a suggestion that it might be a lot safer to set up some sort of peer-to-peer system to better distribute the root servers among many more machines. It doesn’t seem like that idea got much traction (and it certainly has its downsides as well), but it will be interesting to see if the latest attacks get people discussing this question once again, and whether or not they have any creative solutions.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Three Root Servers Knocked Out By Attacks; Internet Keeps On Ticking”

Subscribe: RSS Leave a comment
Fergie (user link) says:

There's more than just


There actually is more than 13 root nameservers — in fact there are multiples of 13. I think where people get confused is they read about the “a” root server, the “b” root server, and so on,, through the “m” root server. Well, there are multiples of each of these, geographically placed and multicast synchronized.

More information can be found here:


– ferg

Chris says:

Probably impractical by all means, but consider wh

IF there’s only 13 of these servers (and i imagine they mean warehouses full of equipment) why not dupe them and keep them all on standby? With as much as the human race has made the internet an integral part of their lives, you’d think a surefire backup plan would already be in effect. However, if it’s true they really only need about 5-8 to keep things running smoothly, then maybe they’ve already taken some preemptive measures.

Personally I’d host 1 server as a geuinea pig and let everyone in the world try and bring it down, those who’re successful give them $1,000 to have them show you what flaws have been overlooked. Maybe not something that “simplistc,” but a similar system to stress test the equipment against possible outside attacks would seem to be at the very least a good place to start.

Dosquatch says:

Re: Buzz and Anonynoob

I never knew about these supposed 13 servers. I never knew that the Internet had such a focused core.


Core servers? I just assumed that the internet was made up of interconnected servers (one for each domain).

The words “Client” and “Server” are more like concepts than physical machines. A “client” requests information or services from another machine called a “Server”. A “Server” provides that information or service. Any device connected to the internet can be either, and quite often both. “Peer to Peer” or “P2P” is a situation where a machine is both client and server for the same type of service or information.

That said, there are millions of servers on the internet. There are thousands alone that respond to the address, for instance (making multiple machines answer a single name is called clustering – this will be important later). The servers spoken of here, though, are a special type of server providing a special type of information – Domain Name Resolution.

Computers think in numbers. Each device on the internet has an IP address, often expressed as 4 3-digit numbers seperated by periods ( This represents a 32-bit number providing a little over 4 billion possible addresses. Your computer finds another computer – like TechDirt or Google – by its numerical address.

Domain Name Resolution is sort of like the phone book your computer uses to find the numerical address it should go to when you ask for Google.

Let’s look at how to read a domain name. Every period indicates a new heirarchial level and a new Zone of Authority. Reading the domain name from right to left takes you from the trunk all the way out to your destination. “” is in the top-level domain (or TLD) “com”, in which is the domain “google”, in which is a machine called “www”.

The objective for DNS is to find the authoritative name server for your request. Your web browser sends the request to your ISP’s name servers, which send the request up the tree until they find a server that can say with authority where Google’s nameservers are. NOT where Google’s machine “www” is, but where its nameservers are.

The machines that do this are the TLD name servers, or the root name servers, of which there are 13 clusters, each with hundreds of machines.

If you take out these root servers, you have taken out the top level of authority that directs you to Google’s nameservers. Google’s machines will probably still be running, but if you can’t find them that doesn’t do you a lot of good. The attack was essentially aimed at the trunk of a heirarchial tree. Like any tree, if you do enough damage to the trunk, the whole thing falls over.

This does not make the internet stop working. It will probably make it nearly unusable for common end users, but all of those numeric addresses I talked about before? They’re still there, and they are what really make things talk to each other. If you happen to know Google’s IP address, then you can still use Google, for instance.

So, yeah – that should give you a better idea of what’s going on. Keep in mind that I’ve glossed over some points, ignored others, and possibly blantantly misrepresented one or two, but essentially this is what’s going on.

Ishtar says:

The article is somewhat confusing to people with no DNS knowledge; who apparently assume those 13 nameservers are the entire internet. Assuming a worst case scenario, you could still navigate using IP addresses.

As pointed out before, there are more than 13 root nameservers. The 13 letters exist in different locations in different continents, using unicast for decentralization.

Why was there no noticable difference for most users? DNS requests get cached somewhere along the way and you rarely end up querying the root servers; and many more ‘root’ nameservers can fill up the gap.

Stéphane Bortzmeyer (user link) says:

No mention of anycast

The original article is very bad and displays a lot of ignorance. There are far more than 13 *machines* since they are replicated and reachable by BGP anycast (see RFC 4786) and often, at each site, there are several machines behind a load-balancer.

See for details and the complete list of the sites.

dataGuy says:

So who did this?

My speculation is that this event was a test by the Chinese military. I’m sure they would like to have a firm idea as to the amount of effort it would take to bring down the internet. It isn’t hard to imagine that they would find it useful to be able to remove this form of communication should the “need” arise. Of course the same could be said of the US military…

cjmemay (user link) says:


He said 13 Root Servers. Not 13 DNS servers in the entirety of the internet. I am not saying whether or not there are more (I have no idea), but some people didn’t make the distinction.

And even though very few of the total requests go to the root servers, and as nice as it is to think that the internet would still technically function without any DNS/domains at all, using IP addresses, this is simply not true.

The LARGE majority of internet users have no idea what an IP address is, how to use it, or how to find it. In fact, it has become quite obvious that many people don’t even know what a URL is, or how to use an address bar. As is indicated by people searching for “google” on yahoo. Even homepages are set by domain. So effectively, without DNS, for millions and millions of users, the internet would be broken.

JM3 says:

this is why we have caches and local domain name servers in the first place. other wise the local computer would just contact the root server directly. The local domain name servers store information about domains so the majority of the internet would continue to function for a relativly long time even if all of the root servers were taken out. If you did want to have an quick and effective attack on the internet, attacking the root servers would not be the way to do it.

Dosquatch says:

Re: Re:

The local domain name servers store information about domains so the majority of the internet would continue to function for a relativly long time even if all of the root servers were taken out.

This isn’t quite true either. It is true that your local DNS caches lookups, and will serve from the cache directly if it has an entry. It has to refresh that entry from time to time, though, based on the “time to live” (TTL) dictated by the authoritative server for the query (meaning Google’s, or TechDirt’s, or whatever – not yours). Your server will refresh from its upstream server, which will refresh from its upstream server. Eventually everything leads back to the TLD. If the TLD is gone, the refresh doesn’t happen.

The effects would start showing immediately, and DNS would effectively die somewhere around the median TTL set by servers worldwide. That’d be about 1 to 2 days.

Matt says:

Re: Re: Re: Re:

I would assume that if a catastrophic failure of the root servers were to happen, then the majority of the local DNS servers would continue to serve off of the current database that they have… this would in turn allow users to be directed to any existing DNS entries, but users wouldn’t be able to see any updates until the connection to the root servers is restored.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...