someone wrote me privately and asked:
Hi, Paul - Some of the articles on the 1434 worm talk about 5 or more root nameservers being down.
a lot of people are pretty confused about the data they have available; sometimes it's because they have the wrong data, and sometimes it's because they don't know how to interpret it properly.
Do you know if this was just sheer volume, ...
all of the root name servers i monitor (which is, well, i guess, all of them) looked like they were "up" the whole time of the ms-sql flash worm. latency and jitter were a bit wider than normal, but there was no packet loss at all. (note: icmp is a poor test; some roots won't answer "ping".) looking at rob thomas's graphs tends to confirm that this was generally true for most people who monitor the roots, no matter what their point of "view". in the f-root case, our traffic volume went DOWN by a little bit during the ms-sql flashworm, which corresponded to a number of bgp session resets from our peers. my assumption so far is that a lot of the normal root service traffic bound for "f-root" didn't get here due to OPN (which is "other people's networks" -- the bane of all reliability goals and programmes.)
... or were some of the routers providing connectivity to them actually allowing in UDP 1434?
I'd expect that, given the variety of different attacks on them, at least most of them would block anything except DNS requests except from approved locations, and preferably do so at the ISP routers instead of whatever access lines they're on....
at f-root we don't generate "icmp port unreachable" when non-53 udp is heard -- it's a difference between "deny" and "reject" in freebsd's ipfw and ip6fw subsystems. (most of the f-root hosts are now better able to drop this traffic than their upstream routers are, due to hardware ages.) i'd like to know who it is that couldn't reach 5 of the 13 servers, so if anyone on nanog@ has heard that, please tell me what you heard and who you heard it from so i can get to the bottom of it.
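the kind of root-server check described above (dns queries rather than icmp, watching latency, jitter and loss), written up as an added example; this is not code from the post, from f-root or from nanog. it assumes nothing beyond the python standard library, queries the root zone's NS record over udp/53, and treats both outcomes of filtered traffic: a silent "deny" shows up as a socket timeout, a "reject" that sends icmp port unreachable surfaces on a connected udp socket as ConnectionRefusedError (on linux; other kernels may simply time out). the 192.0.2.1 address in the main block is a documentation placeholder, not a real root server; pass a real resolver or authoritative address on the command line.

```python
import socket
import statistics
import struct
import time


def build_query(name, qid, qtype=2):
    """Build a minimal DNS query packet for `name` (default QTYPE 2 = NS, QCLASS IN)."""
    # 12-byte header: ID, flags all zero (standard query, RD clear since the
    # roots are authoritative anyway), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    # "." yields no labels, so the QNAME is just the terminating zero byte.
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_id):
    """Return header fields of a DNS response, or None if it is not a matching reply."""
    if len(data) < 12:
        return None
    qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id or not flags & 0x8000:  # wrong ID, or QR bit not set
        return None
    return {"rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "ancount": an, "nscount": ns}


def probe(server, count=10, timeout=2.0, port=53):
    """Send `count` root NS queries; return per-query RTT in ms, None where unanswered."""
    rtts = []
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.connect((server, port))  # connected socket: ICMP errors are reported to us
    try:
        for i in range(count):
            qid = (0x1000 + i) & 0xFFFF
            t0 = time.monotonic()
            try:
                sock.send(build_query(".", qid))
                data = sock.recv(4096)
            except socket.timeout:          # filter "deny": packet silently dropped
                rtts.append(None)
                continue
            except ConnectionRefusedError:  # filter "reject": ICMP port unreachable
                rtts.append(None)
                continue
            if parse_response(data, qid) is None:
                rtts.append(None)           # garbage or mismatched reply counts as loss
                continue
            rtts.append((time.monotonic() - t0) * 1000.0)
    finally:
        sock.close()
    return rtts


def summarize(rtts):
    """Loss fraction plus min/median/max RTT and jitter (mean |delta| of consecutive RTTs)."""
    answered = [r for r in rtts if r is not None]
    sent = len(rtts)
    out = {"sent": sent, "answered": len(answered),
           "loss": (sent - len(answered)) / sent if sent else 0.0}
    if answered:
        out["min_ms"] = min(answered)
        out["median_ms"] = statistics.median(answered)
        out["max_ms"] = max(answered)
        diffs = [abs(b - a) for a, b in zip(answered, answered[1:])]
        out["jitter_ms"] = statistics.fmean(diffs) if diffs else 0.0
    return out


if __name__ == "__main__":
    import sys
    # 192.0.2.1 is a TEST-NET placeholder (assumption for the example), not a root server.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(summarize(probe(target, count=5)))
```

run it against each server from several vantage points and compare the summaries: a server that is "up" for one network and lossy for another points at the path (the OPN problem above) rather than at the host, and a run where every query fails with ConnectionRefusedError rather than a timeout tells you a filter in the path is rejecting rather than denying.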