Slashdot Mirror


DDoS on Domain Registrar

miller60 writes "Netcraft is reporting that 'domain registrar Joker.com says its nameservers have been hit with a massive DDoS attack, causing outages for customers. More than 550,000 domains are registered with Joker, meaning the outages could be widely felt. It's not clear why the DDoS is succeeding, as most registrars have implemented sturdy DDoS protection since the attack on the root nameserver system back in 2002.' Some security experts have warned in recent weeks about DNS recursion attacks as previously discussed here on Slashdot, which can amplify the power of attacks launched from botnets."

2 of 69 comments

  1. Resist the urge & take action? by puntloos · Score: 2, Insightful

    I hope people realise that moving away from joker will result in exactly what the attacker intended: hurt joker.com. My own business is hosted @ joker and I'm feeling the hurt. But I'm staying.

    Next up: can everybody who gets hurt by this attack band together and start a class action suit against this DDoS'er? Yeah, IF he gets caught...

    We're the internet here, and if this hacker gets found, make an example of him... he should be in deep debt for the rest of his life. THAT'll scare these script idiots...

  2. allow-recursion { none; }; doesn't always help. by tinkertim · Score: 2, Insightful

    BIND comes out of the box ready to answer requests from anyone, digging the roots itself and caching. Most people don't set it otherwise, and most 'leading' control panels don't advise you to do much of anything about it. However in cases like this, all of the hardening in the world isn't going to help you if the botnet is as big as the one that got Joker.

    Fortinets, Ciscos, Junipers all handle a set number of sessions. Some as low as 1500 - 2000; throw those away when you're talking about a large botnet. Depending on how big the botnet is, and how diverse the attacking blocks are, sometimes there is very little to do other than wait it out. Even with higher end Fortinets that support up to 35k sessions, if you have 100k uniques over 30k blocks .. well you're just screwed. Your firewall will either shut out all traffic, or open wide, depending on how it's set until the attack subsides.

    DNS records must remain public in order to resolve anything. Sorry folks, but if the network you pissed off is large enough .. there's very very little that can be done about it given hardware most medium to medium-large companies use. They come on fast and just do not stop.

    Some pretty scary chit, especially if you are the one who gets called to deal with it. If you want to yell at someone about it, take your pick from one of the thousands of shared web hosting providers who provide a nice comfy womb for these networks to grow.

    So the next time your host tells you that they've disabled exec(), passthru() and shell_exec() in php for security and restricted access to wget and lynx, go a little easier on them. This is why. They have no control over what their users upload and make available to the world.

    Even well hardened servers are easy targets if some jackass uploads phpBB version 1. If any script interpreter can make shell calls, you ought to be checking sockets and connections often.

    lsof is your friend, learn how to use it :) Takes you right to them.
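As an added example (not code from this thread or from any poster), the script below turns the three checks tinkertim is talking about into something you can run on a box: whether a BIND `named.conf` leaves recursion open to the world, whether `php.ini` actually disables the shell-spawning functions, and which process owns each network socket via `lsof` (falling back to `ss` where `lsof` is absent). The config files it audits are constructed samples written to a temp directory; the treatment of a missing `allow-recursion` statement as "open" is an assumption that matches the out-of-the-box BIND behaviour the comment describes, not the default of every BIND release.

```shell
#!/bin/sh
# Added example for the hardening points in the comment above; not code from the thread.
# All file names and config contents below are constructed samples.

# Return 0 when the named.conf given as $1 restricts recursion: either an explicit
# "recursion no;" or an allow-recursion ACL that is not "any". No ACL at all is treated
# as open (assumption: older BIND builds answered recursive queries from anyone).
bind_recursion_restricted() {
    conf="$1"
    if grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;' "$conf"; then
        return 0
    fi
    acl=$(grep -E '^[[:space:]]*allow-recursion' "$conf" | head -n 1)
    [ -n "$acl" ] || return 1
    case "$acl" in
        *'{'*any*'}'*) return 1 ;;   # allow-recursion { any; }: an open resolver
        *) return 0 ;;
    esac
}

# Return 0 when php.ini ($1) lists every shell-spawning function in disable_functions:
# the three the comment names plus system(), which also hands a command to /bin/sh.
php_shell_functions_disabled() {
    ini="$1"
    line=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" | tail -n 1)
    [ -n "$line" ] || return 1
    value=$(printf '%s' "${line#*=}" | tr -d ' \t')
    for fn in exec passthru shell_exec system; do
        case ",$value," in
            *",$fn,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# The "lsof is your friend" step: list network sockets with the owning process.
# -n/-P skip DNS and service-name lookups so the listing stays fast under load.
sockets_by_process() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -i 2>/dev/null | head -n 20
    elif command -v ss >/dev/null 2>&1; then
        ss -tunap 2>/dev/null | head -n 20
    else
        return 1
    fi
}

# Print a one-line verdict for a check without tripping "set -e" on a failing check.
report() {
    if "$@"; then echo "ok:   $*"; else echo "WARN: $*"; fi
}

# Constructed sample configs (not from any real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/named.open.conf" <<'EOF'
options {
    directory "/var/named";
    // no recursion statement at all: treated as answering anyone
};
EOF
cat > "$tmp/named.closed.conf" <<'EOF'
options {
    directory "/var/named";
    allow-recursion { none; };
};
EOF
cat > "$tmp/php.weak.ini" <<'EOF'
disable_functions =
EOF
cat > "$tmp/php.hardened.ini" <<'EOF'
disable_functions = exec, passthru, shell_exec, system
EOF

report bind_recursion_restricted "$tmp/named.open.conf"
report bind_recursion_restricted "$tmp/named.closed.conf"
report php_shell_functions_disabled "$tmp/php.weak.ini"
report php_shell_functions_disabled "$tmp/php.hardened.ini"
sockets_by_process || echo "neither lsof nor ss is available on this host"
```

On a real server, point the two check functions at `/etc/named.conf` and the loaded `php.ini` (`php --ini` shows which one that is); a `WARN` on the BIND check means the box can be used as an amplifier for exactly the kind of attack in the story, and a `WARN` on the PHP check means an uploaded script can still spawn a shell.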