<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div></div><div>Hi Andrew,</div><div><br></div><div>Actually most resolver code-bases don't behave like that; timeouts and SERVFAIL responses cause the authority servers to be penalised (by address, usually) and resolvers exercise something resembling an exponential backoff. </div><div><br></div><div>The default configuration of some resolvers (some releases/packages of unbound provide good examples) is such that intermittent failures reaching particular servers can cause prolonged failures to resolve even while the servers are actually reachable; the resolvers just don't try. People often tune such resolvers to be more permissive of observed failures from authority servers but the result is usually still far from what you seem to be describing. </div><div><br></div><div>The ecosystem of devices that send queries to authority servers is diverse and has a long tail, and I'm not suggesting that back-off behaviour above is universal. The significant query sources we see do back off from the conditions you described, though; they do not aggressively retry. I would expect aggregate flow stats through connecting networks to reflect the majority behaviour, not the outliers. </div><div><br></div><div><br></div><div>Joe</div><div><br>On Oct 24, 2016, at 15:34, Andrew Smith <<a href="mailto:andrew.william.smith@gmail.com">andrew.william.smith@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr">I'd caution against assuming that a significant spike in requests per second to affected Dyn servers was definitely part of the attack. 
As long as resolvers were receiving SERVFAILs and timeouts, they'll be generating an abnormally large amount of retries.<div><br></div><div>Andrew</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 24, 2016 at 12:04 PM, Outages <span dir="ltr"><<a href="mailto:virendra.rode@outages.org" target="_blank">virendra.rode@outages.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>See if this helps,</div><div id="m_-4225744770285174047AppleMailSignature"><br></div><div id="m_-4225744770285174047AppleMailSignature"><a href="https://labs.ripe.net/Members/massimo_candela/a-quick-look-at-the-attack-on-dyn" target="_blank">https://labs.ripe.net/Members/<wbr>massimo_candela/a-quick-look-<wbr>at-the-attack-on-dyn</a><br><br>--<div>regards,</div><div>/vrode </div></div><div><br>On Oct 22, 2016, at 6:48 PM, Charles Sprickman <<a href="mailto:spork@bway.net" target="_blank">spork@bway.net</a>> wrote:<br><br></div><blockquote type="cite"><div><span>I wanted to poke through our netflow data from Friday to see if any customers were involved.  Do we have any idea which Dyn IPs were being hit in the east coast attack?</span><br><span></span><br><span>I’ve been poking around with sorting by packet count to UDP 53, but I’m not even sure this was an application level or volumetric attack.   
Nothing is standing out (yet)…</span><br><span></span><br><span>Thanks,</span><br><span></span><br><span>Charles</span><span class="HOEnZb"><font color="#888888"><br><span>-- </span><br><span>Charles Sprickman</span><br><span>NetEng/SysAdmin</span><br><span><a href="http://Bway.net" target="_blank">Bway.net</a> - New York's Best Internet <a href="http://www.bway.net" target="_blank">www.bway.net</a></span><br><span><a href="mailto:spork@bway.net" target="_blank">spork@bway.net</a> - <a href="tel:212.982.9800" value="+12129829800" target="_blank">212.982.9800</a></span><br><span></span><br><span></span><br><span></span><br><span>______________________________<wbr>_________________</span><br><span>Outages-discussion mailing list</span><br><span><a href="mailto:Outages-discussion@outages.org" target="_blank">Outages-discussion@outages.org</a></span><br><span><a href="https://puck.nether.net/mailman/listinfo/outages-discussion" target="_blank">https://puck.nether.net/<wbr>mailman/listinfo/outages-<wbr>discussion</a></span><br></font></span></div></blockquote></div><br>
<br></blockquote></div><br></div>
</div></blockquote></body></html>