The contents of this legacy page are no longer maintained nor supported, and are made available only for historical purposes.

Nameserver DoS Attack October 2002

In January 2002, CAIDA began monitoring performance of the DNS root and gTLD nameservers from the vantage point of two NeTraMet monitors located in San Diego and San Jose. In the aftermath of the unusual denial of service (DoS) attack on the root nameservers reported by the Associated Press on October 23, CAIDA looked at its DNS performance data to provide some context and seek better understanding.

CAIDA's DNS Performance Monitoring Data

Since January 2002, CAIDA has been monitoring performance of the DNS root and gTLD nameservers using NeTraMet passive monitors located at UCSD and in San Jose. We looked at the round trip time (RTT) and DNS request count (counts) observed at the UCSD NeTraMet monitor from October 5 through October 25. During this approximately three week period, the overall character of the root RTTs changed noticeably. Previously, with the exception of G root, RTT plots were fairly flat, with occasional short steps and/or spikes indicating slower performance. From our vantage point in San Diego, G root's performance typically varies.

Observations: 5 Oct through 25 Oct, 2002

From our UCSD monitor point, the first sign of unusual behavior occurs late on 7 Oct. Performance degrades for about one hour on all roots except A, C, G, and J. On that date there is no corresponding event on the gTLDs. A fairly periodic spike seen only on the C gTLD name server beginning late 7 Oct and continuing until late 11 Oct is probably a server overload problem.

We next observed degradations in root RTTs on Saturday 12 Oct, Monday 14 Oct and Tuesday 15 Oct. RTTs rise from their individual baselines seen earlier during the previous week to significantly longer RTTs over a period of about 6 hours, then fall back to previous baselines readings in about another 3 hours. Similar performance changes are visible on all the root nameservers, though to a lesser degree on B and L roots.

From our vantage point at UCSD, on Monday 21 Oct all root nameservers except I and M experienced degradations in performance around 2200 UTC. Within a 5 minute interval, RTTs jump from their individual normal baselines to noticeably higher levels, staying high for about an hour on F, G, and L roots, for about 5-10 minutes on B and A roots, and for a little longer than 10 minutes on J root. The gTLDs show a similar performance hit around 0100 UTC on Tuesday October 22. The attack on 15 Oct was visible on all the roots. On 21 Oct, however, no changes are seen on I and M from our UCSD monitor.

While the earlier perturbations are different from the events occurring on 21 and 22 Oct, one might speculate that the earlier degradations are consistent with behavior of someone who was testing the attack. The first sharp change on 7 Oct may have been a test of the attack, which was further developed over the next 10 days or so.

Scope and Impact of the Attack

It is worth noting that DoS attacks are an ongoing fact of life for the root nameservers as well as the rest of the Internet structure. [4] This particular Dos attack was significant enough to get media attention. Even so, the user-visible impact on global network operation was slight. (If others have data that implies differently, please let us know at

Performance Graphs

Week 1Week 2 Week 3
root nameserver RTTs from 5 Oct - 25 Oct 2002 (UTC time scale)
root nameserver request counts from 5 Oct -25 Oct 2002 (UTC time scale)
gTLD nameserver RTTs from 5 Oct -25 Oct 2002 (UTC time scale)
gTLD nameserver request counts from 5 Oct - 25 Oct 2002 (UTC time scale)

For More Information on DNS Performance Monitoring and DoS Attacks

  1. P. Vixie (ISC), G. Sneeringer (UMD), and M. Schleifer (Cogent). Events of 21-Oct-2002. November 24, 2002.
  2. D. Wessels. dnstop: a tool for detecting and filtering DNS query errors. or
  3. Plots of DNS root server and gTLD performance since January 2001 are available at
  4. Analysis of the DNS root and gTLD nameserver system: status and progress report:
  5. Related papers:
  6. D. Moore, G. Voelker, and S. Savage. "Inferring Internet Denial-of-Service Activity" in Usenix Security Symposium, Washington, D.C., Aug 2001.
Last Modified