DNS Servers under Attack

This is not a Conficker-related blog post. There is a bigger story on the radar from last week. Major web service providers have been intermittently offline because of what seem to be major Distributed Denial-of-Service (DDoS) attacks against DNS providers.

An attack against DNS provider NeuStar on Tuesday morning disrupted Amazon’s S3 cloud computing service, along with the Amazon.com store. Other sites affected included Salesforce.com, IMDB.com and Petco.com. In the NeuStar attack, John Schneidawind, a company spokesman, initially denied that its service was shut down. “Contrary to previous press reports you may have seen, at no time was our UltraDNS service shut down, offline or anything of the sort,” he told SCMagazineUS.com in an email. The UltraDNS service was “hit by a huge volume of completely legitimate-looking DNS queries, which all appeared to come from legitimate DNS servers, all asking for data on the true attack targets,” wrote Tier1 Research Vice President Dan Golding in a report. “NeuStar couldn’t block the apparent source without causing an entirely different sort of outage.” UltraDNS was returned to normal service after only a few hours, but the outage made some websites impossible to reach. NeuStar later confirmed the DoS attacks as massive, according to reports.

On Wednesday, Register.com was the next DNS provider to get hit. On Wednesday night and again Thursday afternoon, Register.com was out of service for several hours because of a suspected DDoS attack. Websites and domains hosted by Register.com did not resolve, and the company’s home page was unavailable. Many customers’ websites disappeared.

During the Register.com outage, the company provided little information to its customers, other than a notice on Twitter that said: “Register.com is having intermittent service issues — we have everyone working on it. Will provide an update soon.” As of Thursday, Register.com support staff are actively telling customers over the phone that the company’s servers are definitely under fire from some form of DDoS.

From the sounds being heard from disgruntled customers, Register.com is poised to lose a lot of business from this fiasco. Check out some of the tweets:

To keep an eye on this situation, check out the SANS Internet Storm Center for additional information and updates:

http://isc.sans.org/diary.html?storyid=6121