Slashdot Mirror


DDoS on Domain Registrar

miller60 writes "Netcraft is reporting that 'domain registrar Joker.com says its nameservers have been hit with a massive DDoS attack, causing outages for customers. More than 550,000 domains are registered with Joker, meaning the outages could be widely felt. It's not clear why the DDoS is succeeding, as most registrars have implemented sturdy DDoS protection since the attack on the root nameserver system back in 2002.' Some security experts have warned in recent weeks about DNS recursion attacks as previously discussed here on Slashdot, which can amplify the power of attacks launched from botnets."

69 comments

  1. This is shame... by solarbob · · Score: 1

    I've been using Joker for a number of years and had nothing but good service, polite staff and decent prices and then someone goes along and DDOS them. Hope they get back on their feet soon. Then again there is no such thing as bad publicity

    --
    SolarVPS - Quality Windows and Linux Virtual Servers
    1. Re:This is shame... by tverbeek · · Score: 1

      The collateral damage of this is frustrating as well. For example, the DNS for Wikitravel.org is hosted by Joker, which frequently made it difficult to access and update the site last week.

      --
      http://alternatives.rzero.com/
    2. Re:This is shame... by Megane · · Score: 1
      I've been using them since 2000, and they've been solid all the time.

      Of course I'm having no problems since I know how to run my own DNS server and am too cheap to have them do it for me.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    3. Re:This is shame... by phurley · · Score: 1

      Safe sure, but cheap? They host DNS for free...

      --
      Home Automation & Linux -- now I know I'm a geek
    4. Re:This is shame... by DrSkwid · · Score: 1

      If I had a botnet I'd DDos them.

      I hope they are better than they used to be but when someone came into my old job and said "can you move this domain, it's on Joker" we would say "this might be painful, brace yourself".

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    5. Re:This is shame... by Firehed · · Score: 1
      Then again there is no such thing as bad publicity

      I dunno, I don't think that whole chair-throwing incident put Microsoft in a good light...

      --
      How are sites slashdotted when nobody reads TFAs?
    6. Re:This is shame... by rm69990 · · Score: 1

      On Slashdot maybe, most people probably couldn't have cared less.

  2. But why? by Minwee · · Score: 4, Interesting
    In case anyone has missed the significance of a major European domain registrar getting whacked right now, you should recall that the .EU domains go on sale to the public in about a week.

    If anything, I'm surprised that more registrars aren't being hit by this. Maybe they agreed to pay up instead.

    1. Re:But why? by sjwest · · Score: 1, Interesting

      I was affected - but perhaps the ddosers wanted some cash from the spammers? However our spam load was much reduced as to who wanted what and from whom I don't know - less spam was the result here.

      Perhaps this will do joker some good either by stopping the sales of junk domain names like ikty677899dddff.com (made up example) and clean up the domain name 'trade', which is by no means perfect but makes many of us think they're as complicit as the spammers.

  3. Not that surprising! by Anonymous Coward · · Score: 5, Informative

    Anyone that has had to deal with DDoS attacks against their networks lately should know that it isn't terribly uncommon to see DDoS attacks that saturate over 1Gbps of bandwidth. With a sizeable botnet, even if the registrar has two gigabit uplinks, it wouldn't be too difficult for an attacker to knock them completely offline. Take whatever DDoS prevention methods you want, if your upstream links are saturated... you're boned.

    1. Re:Not that surprising! by hcoder · · Score: 1

      Have you considered traffic shaping? I mean ISPs may set up a traffic shaping rule that limits their outbound DNS traffic to ~15%. I guess this should help a little.

  4. Can still switch DNS servers by pixelbeat · · Score: 4, Informative

    Their website is still functional enough to allow
    one to change the DNS servers away from [abc].ns.joker.com
    I did this last for my domain.

    1. Re:Can still switch DNS servers by tweek · · Score: 1

      The problem is that it WASN'T functional until Saturday. And you still need to have a DNS server to use. If you don't have one you're screwed.

      --
      "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
    2. Re:Can still switch DNS servers by squallbsr · · Score: 1

      There are free DNS services out there like EveryDNS.net that allow you to register and list for free.

      </shameless plug>

      --
      Sleep: A completely inadequate substitution for Caffeine.
    3. Re:Can still switch DNS servers by pixelbeat · · Score: 1

      Are you sure about that? Perhaps you only heard about it last Saturday?
      For me it was definitely getting hosed at 09:30 (GMT) last Friday (24th Mar).
      My domain wouldn't resolve, and their web admin interface was seriously slow,
      and they had a news item about it on their homepage.
      I was just about able to change the DNS servers for my domain away from joker to my hosted server.
      Their web servers currently show about the same amount of lag,
      so I presume one can still change the DNS servers for their domains.

    4. Re:Can still switch DNS servers by HotNeedleOfInquiry · · Score: 1

      My problems started about 2pm PST on Wed. Nothing would resolve, email wouldn't work. I was out of town and number 2 couldn't figure out what was up. Everything came back up that evening. Same problems most of Thurs, Fri and Sat. By early Sat afternoon I decided I had to do something. Joker's "service zone" servers seemed to work so I moved everything over to dnsmadeeasy.com. The move was relatively painless and all is good now.

      Not an experience I'd want to repeat any time soon.

      I'll be working on a network troubleshooting handbook this week.

      --
      "Eve of Destruction", it's not just for old hippies anymore...
    5. Re:Can still switch DNS servers by Anonymous Coward · · Score: 0

      Also FreeDNS is a great one. I use that for my domains and have never had any problems.. they support IPv6 as well.

    6. Re:Can still switch DNS servers by vkurup · · Score: 1

      EveryDNS was also [coincidentally?] being DoS'd this weekend:

      http://www.everydns.net/news.php

  5. Getting sick of this by totya · · Score: 4, Interesting

    I think it's time for the sensible businesses to form an alliance to defend themselves from these DDOS attacks. We've got to be able to switch along storage, location, share the load among us. If there was a few dozen or hundred larger sites with huge pipes, then actions like this could be avoided. Virtualization looks like a very good help for this. Send along a vmware image to the emergency network, fire up the systems, vpn to the backend, and you're set. I know I oversimplify this, but I guess something along these lines could work (technically). Of course politics and such come into play, but if major players started to float this idea - again, I think it could work. Any thoughts (or flames)?

    1. Re:Getting sick of this by LordSnooty · · Score: 1

      It seems that something has to be done, since everyone is either unwilling or unable to catch the perpetrators. If it's true that extortion of money is behind this, you'd think that the authorities would be keen to catch them, and make an example of them. Like you say, this can't go on unchecked for much longer.

      Was anyone ever fingered for the root nameserver attack of 2002? I'd imagine not.

    2. Re:Getting sick of this by Anonymous Coward · · Score: 1, Interesting

      give up on the interweeb, have a look at anonet! http://anonetnfo.brinkster.net.nyud.net:8090/

    3. Re:Getting sick of this by user24 · · Score: 2, Interesting

      I'm not quite sure what you have in mind- distributed DNS or distributed hosting?

      With distributed DNS, it's actually not a bad idea, those with higher bandwidths could end up taking the bulk of the load, but it might actually be workable. Having said that, we do have a facility for secondary DNS servers; we could just use them properly instead of having ns1.foobar.com and ns2.foobar.com pointing to the same box half the time, and the same subnet half of the rest of the time. Not exactly a DDoS resilient solution.

      With distributed hosting, I think that'd be beautiful if it was workable, but there are all sorts of considerations that when added up will mean that no-one will sign up for this kind of thing. Firstly, there are obvious privacy concerns. Secondly security; when someone's website gets hacked, who shoulders the responsibility? Thirdly, legal issues if the system was international, though that could be alleviated if you had a "country of origin" flag on the content. There'd have to be some sort of redundancy, and website access times would differ greatly depending on who happened to be storing the content at the time of the request.
      see also freenet.sourceforge.net
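
Added example, not part of the original thread: a small audit for the problem raised in the comment above, where ns1 and ns2 resolve to the same box or the same subnet. The zone names and addresses are constructed sample data in documentation ranges, and `audit_ns_diversity` is a hypothetical helper; in practice the map would be filled from the zone's real NS and A/AAAA records.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: zone -> {nameserver host: [addresses]}.
# Addresses come from the RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_ZONES = {
    "foobar.example": {
        "ns1.foobar.example": ["192.0.2.10"],
        "ns2.foobar.example": ["192.0.2.10"],      # same box as ns1
    },
    "samenet.example": {
        "ns1.samenet.example": ["198.51.100.5"],
        "ns2.samenet.example": ["198.51.100.77"],  # different box, same /24
    },
    "spread.example": {
        "a.ns.spread.example": ["192.0.2.53"],
        "b.ns.spread.example": ["198.51.100.53"],
        "c.ns.spread.example": ["203.0.113.53", "2001:db8:53::1"],
    },
}


def covering_prefix(ip, v4_len=24, v6_len=48):
    """Map an address to the /24 (IPv4) or /48 (IPv6) that contains it.

    These lengths are an assumption: they approximate the smallest block
    that is usually routed independently, not a provider boundary.
    """
    plen = v4_len if ip.version == 4 else v6_len
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def audit_ns_diversity(ns_map):
    """Report how spread out one zone's nameservers are.

    Returns a dict with counts and a list of (code, detail) findings:
      SINGLE_NS      only one nameserver is delegated
      NO_ADDRESS     a nameserver has no address at all
      SHARED_IP      two NS names point at the same address
      SHARED_PREFIX  distinct addresses that sit in one /24 or /48
    """
    findings = []
    hosts_by_ip = defaultdict(set)
    hosts_by_net = defaultdict(set)
    ips_by_net = defaultdict(set)

    if len(ns_map) < 2:
        findings.append(("SINGLE_NS", ", ".join(ns_map)))

    for host, addrs in sorted(ns_map.items()):
        if not addrs:
            findings.append(("NO_ADDRESS", host))
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            net = covering_prefix(ip)
            hosts_by_ip[ip].add(host)
            hosts_by_net[net].add(host)
            ips_by_net[net].add(ip)

    for ip, hosts in hosts_by_ip.items():
        if len(hosts) > 1:
            findings.append(("SHARED_IP", f"{ip}: {', '.join(sorted(hosts))}"))

    for net, hosts in hosts_by_net.items():
        # Only report the prefix when it holds more than one address;
        # a single shared address is already covered by SHARED_IP.
        if len(hosts) > 1 and len(ips_by_net[net]) > 1:
            findings.append(("SHARED_PREFIX", f"{net}: {', '.join(sorted(hosts))}"))

    return {
        "nameservers": len(ns_map),
        "distinct_ips": len(hosts_by_ip),
        "distinct_prefixes": len(hosts_by_net),
        "findings": findings,
    }


if __name__ == "__main__":
    for zone, ns_map in SAMPLE_ZONES.items():
        report = audit_ns_diversity(ns_map)
        print(zone, report["nameservers"], "NS,",
              report["distinct_prefixes"], "prefixes")
        for code, detail in report["findings"]:
            print("   ", code, detail)
```

A clean result only shows address diversity: separate prefixes can still share one upstream link, and a single anycast address (RFC 3258) can be served from many sites, which this check cannot see.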

    4. Re:Getting sick of this by totya · · Score: 1

      I'm talking about distributed hosting on virtual computers. I'm not talking about sharing webroots among the "emergency network", I'm talking about a vmware/virtualpc image that participants just fire up when needed. Talk about a standard (well, if there's such thing) 3 tier website: www, application, database. The database can be anywhere, since users don't connect to it. Application servers can then be distributed. Webservers of course can be distributed. VPN would transmit data among these servers. A good contract system can solve the privacy issues. Again, I'm not talking about everyone hosting these images: I'm talking about guys like tier1 providers, akamai solutions and such. I have about 60 servers in two tier one locations, and in the long term, I'm worried about ddos. But I would be happy to dedicate one or more servers for this network, and if an alliance of such was formed, our management would sure be willing to have an "insurance" like this, at 5 grand a year or so. Again, I can't answer the specific questions, but I'm certain it could be done and could be done well. International - well, again, the database doesn't need to leave the country. Web and application could tho...

    5. Re:Getting sick of this by justthinkit · · Score: 1
      Isn't the logical extension of this that all ISPs pool their DNS stuff?

      i.e. ISPs A, B, C...N all host N DNS services -- one for themselves, one each for the other N ISPs. Ok, maybe not N but say 5 ISP groupings.

      This was done with the electric power system some time back where they put ground rods all over the place providing ubiquitous grounding to make the power system more uniform.

      --
      I come here for the love
    6. Re:Getting sick of this by Beekster · · Score: 1

      I'll attempt to elaborate on parent. If a host of domains is attacked, it would be nice if a system was in place to easily, and quickly, render backup assistance if required. DNS is the core of user friendly internet access to everything. The smaller players may have need for such a system, or may have not costed and implemented the measures to not need them.

  6. My Joker-registered domain is unavailable... by chemindefer · · Score: 0

    3/27/06 07.45 EST. So this is a /. story with less conjecture-based information than usual...&^)

  7. Re:Considering... by Anoraknid+the+Sartor · · Score: 1

    What precisely is disreputable about them?

    Their business practices? I have used them for many years and never had a problem. It may well be that some "disreputable" websites have registered their domain names with them - but I guess most registrars have their fair share of such registrants. I am not sure how far I want registrars policing the content of websites...

    Can you be a little more precise as to the nature of your objection to them?

    --
    Find Japanese addresses in English on Google Maps Japan: http://diddlefinger.com/
  8. Its going to get worse! by Brianech · · Score: 3, Funny

    just what joker.com needs during a DDos attack, massive publicity from major news sites which will drive more people to the servers.

  9. Re:Considering... by arivanov · · Score: 5, Informative

    Can't really say anything about that, but a quick investigation of their DNS shows that it is not geographically distributed (RFC3258). OK, I do not have the tools to do it properly, but it does not look like.

    On top of that they do not look like they have their own connectivity to peering points in EU.

    So frankly, they look like they are ripe for the picking. It is utterly trivial to run a domain registrar out of several diverse locations using RFC 3258. A registrar that is not doing it is in clear need of a cluebat on the head several times. I hope that this DDOS finally delivers it.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  10. Re:Considering... by wapwam · · Score: 1

    Maybe you've had a bad experience but I've been using them for years and they are definitely the most reliable (till now) and efficient registrar I've ever come across. I recommend them and still would.

  11. CoComment down by mparaz · · Score: 0, Offtopic

    I saw that CoComment.com was going down - it's a comment tracking service. They explain why on their blog.

  12. New TLD! by Jugalator · · Score: 0

    I suggest a new .noddos tld and decide those sites shouldn't be DDoS'ed.
    Hmm, maybe I'm coming too quickly from that other stupidifying discussion. :-)

    --
    Beware: In C++, your friends can see your privates!
  13. Re:Netcraft confirms by zuluechopapa · · Score: 1

    Great Scott!

    who could have perpetrated this criminal caper on such a classic clown? Could this mean the end of our caped crusader? tune in tomorrow.. same bat-time. same bat-website.

    I wonder if batman.com is working on an alibi

    --
    even the magic 8 ball has an opinion on email clients: Outlook not so good.
  14. Resist the urge & take action? by puntloos · · Score: 2, Insightful

    I hope people realise that moving away from joker will result in exactly what the attacker intended: hurt joker.com. My own business is hosted @ joker and I'm feeling the hurt. But I'm staying.

    Next up: can everybody who gets hurt by this attack band together and start a class action suit against this ddos'er? Yeah, IF he gets caught...

    We're the internet here, and if this hacker gets found, make an example of him.. he should be in deep debt for the rest of his life. THAT'll scare these script idiots...

  15. Crime and Punishment by irimi_00 · · Score: 1

    I just hope that these rapscallions are punished properly.

  16. Why? That's easy ... by Keyslapper · · Score: 2, Interesting

    Most of the phishing scams and obscene spam (farm girl on farm animal type of stuff) I get in my inbox and most of the popups I see on the internet are joker registrations. Half the time, these are completely out of the blue - I don't get surprised when I get this stuff jumping random links from altavista, but when I'm cruising gamebanshee, even very mild porn is out of place. And the spam is just inexcusable. Before anyone suggests the obvious - like a virus or malware for the popups, I get this on FreeBSD and MacOS X, not Windows.

    Now, I know very well that not everyone registering at joker is carrying on such questionable or downright unscrupulous behavior (certainly less than 1% I hope), but I don't look up the registrar of every domain I visit, just those ones I have a complaint against - which is probably true for most anyone on the net.

    The problem is that Joker usually doesn't appear concerned about the activities its customers engage in (AUP notwithstanding), so it might be that someone out there saw one too many popup or phishing scam coming out of a Joker domain and got no satisfaction at the abuse desk.

    Of course this wouldn't be justification for screwing up everyone else's domain, but it's not outside the realm of possibility.

  17. No by Anonymous Coward · · Score: 0
    "Sorry; it had to be said."


    No.. no, it really didn't.
  18. Re:Considering... by tweek · · Score: 1

    I would gather the reason you see that is that Joker is the cheapest on the block. Unfortunately I had to move two of my domains this weekend because of this. I just took a site live for my inlaws rental property and couldn't have it down.

    What really annoys me is that Joker didn't post anything until two days later. When I COULD get to joker.com, I found nothing at all about the attack. It wasn't until Saturday that I finally got some information. The attack had been going on since Thursday that I know of.

    I've had over 20 domains registered with Joker and I've always liked the process. Unfortunately, I couldn't afford them to be down.

    I'm just curious if the attack was directed at joker or a domain they're the registrar for?

    --
    "Fighting the underpants gnomes since 1998!" "Bruce Schneier knows the state of schroedinger's cat"
  19. /. effect by switchfutguy · · Score: 2, Funny

    well this was a great idea...they've been hit by a massive DDoS attack and then we decide to slashdot their main website...not a good day for them.....

    --
    shanegrant.com
  20. Re:Resist the urge & take action? by DragonTHC · · Score: 1

    he probably is already in deep debt, which is probably why he did it.

    --
    They're using their grammar skills there.
  21. Not surprising at all, already predicted by others by Anonymous Coward · · Score: 0
    Most DNS names are served by a small number of servers, behind an even smaller number of physical links. Excellent paper on this topic was at IMC last year:

    Perils of Transitive Trust in the Domain Name System.

    These researchers found that many/most of nameserver setups were highly vulnerable to DDoS attacks. Yes, the root of the namesystem is protected via anycast, but pick any name and you can launch a targeted DDoS attack pretty easily.

  22. Old news by rueger · · Score: 2, Informative

    The DDOS attack was actually middle of last week. Joker.com is now operating fine. Timeliness is important when one posts stuff like this, or at least enough editorial sense to edit for the past tense and to check out what is being said.

    I've used joker.com for years. It's significantly cheaper than Network Solutions and other US registrars and I've never had a problem.

  23. allow-recursion { none; }; doesn't always help. by tinkertim · · Score: 2, Insightful

    BIND comes out of the box ready to answer requests from anyone, digging the roots itself and caching. Most people don't set it otherwise, and most 'leading' control panels don't advise you to do much of anything about it. However in cases like this, all of the hardening in the world isn't going to help you if the botnet is as big as the one that got Joker.

    Fortinets, ciscos, Junipers all handle a set number of sessions. Some as low as 1500 - 2000, throw those away when you're talking about a large botnet. Depending on how big the botnet is, and how diverse the attacking blocks are sometimes there is very little to do other than wait it out. Even with higher end Fortinets that support up to 35k sessions, if you have 100k uniques over 30k blocks .. well you're just screwed. Your firewall will either shut out all traffic, or open wide, depending on how it's set until the attack subsides.

    DNS records must remain public in order to resolve anything. Sorry folks, but if the network you pissed off is large enough .. there's very very little that can be done about it given hardware most medium to medium-large companies use. They come on fast and just do not stop.

    Some pretty scary chit, especially if you are the one who gets called to deal with it. If you want to yell at someone about it, take your pick from one of the thousands of shared web hosting providers who provide a nice comfy womb for these networks to grow.

    So the next time your host tells you that they've disabled exec(), passthru() and shell_exec() in php for security and restricted access to wget and lynx, go a little easier on them. This is why. They have no control over what their users upload and make available to the world.

    Even well hardened servers are easy targets if some jackass uploads phpbb version 1. If any script interpreter can make shell calls, you ought to be checking sockets and connections often.

    lsof is your friend, learn how to use it :) Takes you right to them.

  24. Tim Berners-Lee said it... by petrus4 · · Score: 3, Interesting

    ...in his recent interview, but I don't think he went far enough. He said that DNS is the Achilles' heel of the Web. I believe it's the primary vulnerability of the Internet in general. Virtually all the "who governs the net" garbage would be a non-issue if it wasn't for the name hierarchy.

    What we need is an entirely peer to peer adaptation of the Web using DHT as an addressing system, where the hash of the file itself serves as its address. That would solve (at least) two major problems:-

    a) It'd get rid of the abovementioned "Internet governance" BS as mentioned above. I believe we could still have an entirely hyperlinked/relational/semantic Web using a DHT system...it just initially might require some more work. The reason why this would eliminate the TLD issue though is because the naming system itself would become irrelevant. It's worth remembering that DNS was originally developed by scientists/academics. If they'd remained the only people using it, it would have worked acceptably. Unfortunately however, the commercialists came along later and fucked it up, which they tend to do to everything they get their hands on. If the commercialists still want the old DNS/TLD system, let them keep it. The DHT system could be implemented for those of us interested in more productive uses of the network.

    b) It would at least go a long way towards putting a final nail in the coffin of the {RI,MP}AA's ability to track/identify (and therefore sue) anybody using p2p filesharing. No DNS means no named websites, and no named websites means no centre of gravity/vulnerability to make the {RI,MP}AA's lives easier.

    For those of you who think I'm insane, realise that to a degree it's already been done with the Kad p2p network. Anyone connecting to Kad is only able to view (to the untrained or non-mechanical eye, at least) a totally incomprehensible array of numerical strings and file hashes. It might be traceable to individual users, but not easily. What we need to do is figure out how to create an adapted version of HTTP that is able to rely on a mechanism similar to Kad as its transit/addressing system.

    In terms of coding this, I'd have no idea even where to begin myself...so I guess all I can hope for is that someone else out there who could is sufficiently interested in the idea to try it.

    1. Re:Tim Berners-Lee said it... by CyberDog3K · · Score: 1

      I don't see how P2P could possibly be as secure as a server based system. How do you know who your neighbors are? Do you trust that they're really sending you to your bank, or microsoft, or _insert_potentially_sensitive_website_here? Just look at P2P now, it's hard enough to find some files without 100s of corrupted or fake versions. The security implications of allowing everyone to have a say in DNS could easily be catastrophic unless I completely misunderstand you.

    2. Re:Tim Berners-Lee said it... by petrus4 · · Score: 1

      Just look at P2P now, it's hard enough to find some files without 100s of corrupted or fake versions.

      This is only difficult because it is not known in advance which files are fake and which aren't. As far as eMule/Kad are concerned, services like DonkeyFakes have existed, but they've generally ceased operations because of fears of a lawsuit.

      That in essence however is what we would need...some type of verification mechanism which can tell people in advance which hashes represent genuine files, and which don't. If it were possible to verify that, it would actually make phishing/etc a lot more difficult, as file hashes are/can be as unique as fingerprints.

      In terms of whether you understand me or not...if you've seen eDonkey search sites on the web, the hash of a file itself is a part of the link. That is what I'm advocating using as a link address...the idea that files potentially exist in an entirely distributed manner, (i.e., with multiple sources/not isolated necessarily to any one physical machine) but that the user can go to a particular page by using the page's file hash as a direct address.

      Maybe this couldn't be used as the basis for something similar to the web as such. You might be right in saying that it only works for p2p filesharing, and not for things which require the kind of live interactivity that the web often has. For static pages it could work though, and people are doing amazing things with Ajax. There is a lot that would need to be worked out with it in order to produce something workable.

  25. Re:Considering... by Tweekster · · Score: 1

    Do you actually check registrars of what you consider spammy hosts or are you just bullshitting?

    Yeah that is what I thought.

    A lot of sites experienced outages due to this and caused problems, considering I run a website for a local real estate company (who does not and never will spam) and a web design firm.

    --
    The phrase "more better" is acceptable English. suck it grammar Nazis
  26. Re:Considering... by rueger · · Score: 1
    What really annoys me is that Joker didn't post anything until two days later. When I COULD get to joker.com, I found nothing at all about the attack. It wasn't until Saturday that I finally got some information. The attack had been going on since Thursday that I know of.

    The following was posted to their website as early as Thursday:

    "Joker.com currently experiences massive distributed denial of service attacks against nameservers.
    This affects DNS resolution of Joker.com itself, and also domains which make use of Joker.com nameservers.
    We are very sorry for this issue, but we are working hard for a permanent solution.
    Thank you for your understanding,

    Your Team of Joker.com"
  27. Re:Why? That's easy ... by Anonymous Coward · · Score: 0

    That's funny, because none of my 5 domains hosted with them are phishing, or spam. Your remark is kinda insulting. Usually I associate godaddy with those things, since they are cheap all the bad folks flock there.

    I don't have a lot of sympathy for joker. My organizations have been devastated by DDOS in the past. The internet is broken, and if you want to survive you have to deal with that threat. DNS has built in backups. If they need to have 5 DNS servers on $500 a month massive DDOS protected 18gbit networks to stay in business, then that's what they need to do. If they can't, I'll have to take my business elsewhere. Show must go on, and all.

  28. Little biatches, easily squashed by billcopc · · Score: 1

    It's cute how these little troublemakers go around acting like mobsters with their techno threats. If we can send them money via wire transfer, then why isn't it possible to track that transaction and nail the collector ? Then you just go up the food chain and find his buddies. Sure, it doesn't solve the problem of botnets, but if you're able to take down enough of these kids to scare the others it could cause a significant reduction in frequency of DDoS attacks.

    I think we can agree that a self-respecting thief won't build their career around robbing convenience stores for 100$ a pop. If you're going to risk your neck, go for the big payouts. Same thing with online terrorists; make it dangerous enough so the little boys will shy away, and those who are left standing will try to attack the big boys: those who have the resources to fight back. Hell if some chump tried to extort money from me, I'd do all I can to find where he's going to collect the ransom and smack that boy till he cries uncle!

    --
    -Billco, Fnarg.com
  29. EasyDNS and Prolexic by Nato_Uno · · Score: 1

    This happened to EasyDNS a while back. They ended up moving part of their DNS infrastructure behind Prolexic, which appears to have helped.

    Prolexic is the brainchild of Barrett Lyon, who seems to have some experience fighting DDoS attacks. I'd be interested to see how well Prolexic's service actually works, but it seems technically sound to me.

    --

    Have fun,

    Nathan 'Nato' Uno
    http://web.unos.net/
  30. Re:Considering... by Phroggy · · Score: 1

    The only domains that I've seen Joker as a registrar for are spammy websites and DNS hosts, it serves them right. Joker isn't known as the world's most reputable domain registrar.

    And most of the domains that I've seen Joker as a registrar for, including my own, are legitimate sites. They're inexpensive, have good customer service, and don't try to treat their customers like complete morons (Network Solutions used to refer to TLDs as "web extensions" and other such nonsense that actually made it difficult to find what I was looking for on their site).

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  31. How can I eval RFC3258? (Was Re:Considering...) by Anonymous Coward · · Score: 0

    Can't really say anything about that, but a quick investigation of their DNS shows that it is not geographically distributed (RFC3258). OK, I do not have the tools to do it properly, but it does not look like.

    On top of that they do not look like they have their own connectivity to peering points in EU.

    So frankly, they look like they are ripe for the picking. It is utterly trivial to run a domain registrar out of several diverse locations using RFC 3258. A registrar that is not doing it is in clear need of a cluebat on the head several times. I hope that this DDOS finally delivers it.

    I use hosted DNS servers for a number of my sites. How does one verify whether or not a DNS server is complying with RFC3258? A quick Google turned up the spec itself (which I'm reading) and a tutorial on how to make your server compliant with RFC3258, but what if you don't want to host your own DNS?

  32. Re:Why? That's easy ... by Phroggy · · Score: 1

    The problem is that Joker usually doesn't appear concerned about the activities it's customers engage in (AUP notwithstanding), so it might be that someone out there saw one too many popup or phishing scam coming out of a Joker domain and got no satisfaction at the abuse desk.

    So, when you find that the spammy domains are registered through Joker... do you report them to Joker as AUP violations? If so, what kind of response do you get? If not, how can they be expected to take action?

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  33. Re:Resist the urge & take action? by HotNeedleOfInquiry · · Score: 1

    Let me give you a free clue...

    Leave your domain name registration at joker and move your DNS server to dnsmadeeasy.com.
    Joker doesn't make any money on their DNS service and it will only help them at this point. I moved mine Saturday and it was a) relatively painless and b) seems to work faster than joker did on a good day.
    There's a common misconception throughout the slashdot comments that domain registration and DNS service are the same. They aren't. You can keep joker.com as your domain registrar and move your DNS service to a better provider.

    --
    "Eve of Destruction", it's not just for old hippies anymore...
  34. Re:Why? That's easy ... by Keyslapper · · Score: 1

    Uh, yes. I do report them. I'm pretty foolish from time to time, but I'd hardly complain about something like this in such a public forum if I hadn't at least given them the chance to correct the issue.

    Well, I did report them at first. If I haven't tossed or misplaced the old messages, I've probably still got a couple hundred floating around somewhere that I sent to abuse@joker.com along with every other relevant address I could find, regarding phishing scams and pornographic spam. I was very diligent about it for some time back when I initially set up my old domain.

    It took all of 3 weeks for the joker domains to start blasting me with more than 100 messages every day - the address was probably gleaned off of one of the dozen or so technical mailing lists I joined that were archived online. It took about 2 months to reach 200/day. 85% or so were from joker domains (and not just from a couple, there were several dozen). Every last one was reported for about the first month, then as you might expect, I grew tired of it and quit. Particularly since I began noticing the same domains coming back and getting no response from Joker - other than the occasional canned response.

    Eventually I found Spamassassin and started filtering them out, quite successfully. Still, when things hit a solid 250/day level for about a 2 month period, I picked up another domain and shut that one off for about 8 months - which helped, but after turning it back on I still got a good bit of garbage on that domain.

    So, yes, I did follow the high road, and gave them a reasonable chance to fix the problem I was seeing. Apparently they didn't see it or didn't care. Since I did report them, they certainly can be expected to take action.

    My perception of the problem (which is only my humble opinion) is that regardless of the AUP and the fact that it requires valid contact information for each domain - which is almost never supplied, regardless of the law, and regardless of the obvious violation of generally acceptable online practices, they (and other registrars, Joker is certainly not alone here) don't want to terminate a service they perceive as having been paid for. Even when I did get the canned response from Joker (and other registrars) promising an investigation, there was no followup with me (which might be understandable) and I continued to get trash from the domain in question.

    There are also problems with privacy in some of these cases. I once reported a domain for spamming (I don't remember the registrar or the offending domain offhand, it was 3 or 4 years ago), and promptly received a direct message from the "admin" of the offending domain promising my online life would be constant hell from that point on for reporting him. So, with no measurable positive results from that approach, and at least one direct threat stemming from it, what would you do?

    Was it ok for the organization I complained to to provide the offender with my contact information? Hell no!

    After that I gave up and started a dozen or so honeypot addresses to seed my filters then set up some elaborate self-implemented tools to make managing it at my site easier for everyone I gave an account to. That's not a solution though. It's just finding a way to keep it from eating 2 hours of my time out of every day, and possibly causing some real damage. It still eats my resources and takes my time (albeit very little anymore).

  35. Re:Netcraft confirms by MrBelvedr · · Score: 0

    Is anybody having a problem now with netsol? My site is down and the netsol customer support lines are constantly BUSY.

  36. One wonders... by Anonymous Coward · · Score: 0

    Umm, might that have been the *point* of DDoSing them to begin with?

    Not that it couldn't have been a kidiot with his newest l33t skr!ptz, but...

  37. Joker's response by Luckster7 · · Score: 1

    I've been a happy Joker customer for years. I started having DNS issues the middle of last week so I fired them off an email asking them if they were experiencing a DoS attack. Here was their response:

    Dear Sir/Madam,

    thank you for your email.

    Unfortunately there is a DDOS Attack on Joker.com Nameservers.

    Joker.com currently experiences extremely massive distributed denial of service attacks against
    nameservers.

    This affects the DNS resolution of Joker.com itself, and also domains which use the Joker.com
    nameservers.

    We condemn this attack on the sharpest, at the same time our network department works very hard
    and does everything in order to achieve a permanent solution.

    We are very sorry about this incident and for any inconvenience this may have caused.

    Thank you for your understanding and with best regards,

    your Joker.com team

    --
    Deuteronomy 13:06-9
  38. Shed no tears for joker.com by Anonymous Coward · · Score: 0

    After my bad experience with them, I have no sympathy for their plight.

    I registered 3 domains with them some years back.
    I made an error when registering, something that many others have done, and used an email address utilizing the domain I had just registered.
    My error.
    I gave them a proper phone number, and other correct information.
    The DNS server I set was interpreted incorrectly and failed to work.

    I tried for months and months to reach them to have these errors changed. They do not have any phone support and did not return any of my emails.

    I ended up having to wait for a year and a half for the registrations to expire (1 year plus time protected to renew), and then had to pay extra to transfer those domains to another registrar.

    Good riddance joker.com

  39. Re:Resist the urge & take action? by RockDoctor · · Score: 1

    We're the internet here, and if this hacker gets found, make an example of him.. he should be in deep debt for the rest of his life. THAT'll scare these script idiots...

    You're assuming that the DDoS is being run by a script kiddy. But if the script kiddy is in the employ of a Romanian mafiosa gang who're trying to extort a couple of million of protection money from Joker (or a Joker client) ... oh, there's someone at the door for you. Don't answer that call!

    --
    Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  40. Re:Considering... by vkurup · · Score: 1

    ... and they're recommended by DJB.

    http://cr.yp.to/djbdns/dot-com.html

  41. Re:Considering... by alienmole · · Score: 1

    I'm not the OP, but Joker went down twice in December, on the 11th and the 21st/22nd, IIRC. On the 21st, they were down for over 4 hours. A support ticket about the issue went unanswered, except for the automated confirmation of receipt. When this latest DDoS hit, I moved all my domains away and advised all my clients to move away, too. There are much more professional registrars and domain hosts out there, and these days some of them have better prices, too.