Slashdot Mirror


EveryDNS Under Botnet DDoS Attack

mellow marsh writes "EveryDNS, sister company to OpenDNS (which runs the PhishTank anti-phishing initiative), has been hit by a massive distributed denial-of-service attack. The attack started sometime Friday afternoon and, from all indications, was targeting Web sites that used free DNS management services provided by EveryDNS. At the height of the DDoS bombardment, EveryDNS was being hit with more than 400 Mbps of traffic at each of its four locations around the world. From the article: '"We were collateral damage," Ulevitch explained... Because law enforcement is involved, Ulevitch was hesitant to release details of the actual target but there are signs that some of the targets were "nefarious domains" that have since been terminated.'" OpenDNS, which makes use of EveryDNS services, was affected for a time, until they spread their authoritative DNS more broadly. The EveryDNS site is now reporting that the attack is continuing but has been mitigated and is not affecting operations.

12 of 154 comments

  1. puppy by Feyr · · Score: 5, Funny

    /., like kicking a dead puppy.

  2. Re:COM != NET by SaDan · · Score: 4, Informative

    What parent said. The main site is http://www.everydns.net/ not .com.

    Another quality, editor approved Slashdot story. Great job, guys.

  3. Heh by davidu · · Score: 5, Informative

    The site is EveryDNS.Net.

    I'll keep it up for Slashdot, let me just move it around a bit. :-)

    -david

    --

    # Hack the planet, it's important.
    1. Re:Heh by Anonymous Coward · · Score: 5, Funny

      You must be new...oh

  4. Questions? by davidu · · Score: 5, Informative

    Since I've been getting a lot of questions from folks about EveryDNS, how we've been stable and around so long, how we dealt with this DDoS and how we manage to cover our costs, I am writing a response that will probably be posted here on Slashdot tomorrow or Monday to answer all these questions.

    If you have questions about this or DDoS in general, feel free to ask them here and I'll make sure to cover them in my response. I'll be writing about what we've seen and what I generally do when it comes to soaking up traffic and how we handled this event in particular. (The short answer: find the smartest people you can to help you and then start taking corrective action)

    Thanks!

    David Ulevitch

    --

    # Hack the planet, it's important.
    1. Re:Questions? by davidu · · Score: 4, Interesting

      In short, the latter. Nothing is ever righteous when it comes to DDoS. :-)

      --

      # Hack the planet, it's important.
    2. Re:Questions? by Beryllium+Sphere(tm) · · Score: 4, Interesting

      Bless you for offering to answer questions! That sort of cooperation is indispensable if security is going to improve.

      1. How did you manage the response? The one-smart-person-in-charge-who-stays-awake-the-whole-time approach? The small-team-with-independent-responsibilities model? The review-what-happened-at-shift-change model?

      2. What tactics worked, and even more important, what didn't work?

      3. What sort of agreements should people have in place with their upstream ISP prior to an incident?

      4. How intelligent was the attack traffic? Randomized payload? Does anyone bother spoofing addresses any more?

      5. Was it a guided attack or a fire and forget? In other words, did the scum make any changes to their tactics in real time as you tried corrective action?

      6. What if anything can be done in the first few minutes/hours?

      7. If you had to choose between capacity and filtering, which would you choose?

  5. Real ripple effects, even from this small event. by ScentCone · · Score: 5, Insightful

    A client (a pretty large retail chain) was using EveryDNS for forward lookups to the mail server's A record. Mail they were sending out started to bounce because receiving mail servers weren't happy when trying to validate the sending box. In one case, a vital piece of mail sent to a state taxing authority couldn't get through on a month-end calendar deadline, causing much grief. Yes, alternate communications channels are always an option, but it wasn't immediately clear why the two mail servers in question appeared to be hating each other.

    Worse, the state government box's spam filtering appliance blacklisted the retailer's server, and a third party admin had to get involved to free things up. Quite a mess.

    But the real lesson? People who say that a "cyber attack" couldn't really hurt the economy are wrong, wrong, wrong. This stuff can be really disruptive, and this was a pissant little scaled-down example. No major damage, but a lot of thrashing around, untold manhours of lost productivity, and (in the case of the anecdote in question, involving just one retail company), probably some tax fines which will require much tail chasing to get waived once the story is clearly told, assuming the state government in question is feeling sporting about it.

    --
    Don't disappoint your bird dog. Go to the range.
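The failure ScentCone describes above (a receiving server trying to "validate the sending box" while the sender's forward zone is unreachable) is worth seeing in code. What follows is an added example, not code from the thread, from EveryDNS or from any mail server product: a forward-confirmed reverse DNS (FCrDNS) check of the kind many MTAs run on a connecting client, with the resolver injected as a callable so it runs offline. All hostnames, addresses and DNS answers are constructed, and the behaviour of the state's filtering appliance in the anecdote is not known; the example only shows why a resolver failure must be kept apart from a genuine mismatch.

```python
"""Forward-confirmed reverse DNS (FCrDNS) with a pluggable resolver.

Added example, not code from the thread, from EveryDNS or from any MTA.
It models the kind of check a receiving mail server makes on a connecting
SMTP client: PTR lookup on the peer IP, A lookup on each returned name,
compare. The resolver is an injected callable so the example runs offline;
every DNS answer below is constructed, not real data.
"""
from enum import Enum


class DnsError(Exception):
    """A lookup that could not complete (SERVFAIL, timeout). This is the
    failure mode when the authoritative servers are under attack, and it
    is not the same thing as a negative answer (NXDOMAIN, empty set)."""


class Verdict(Enum):
    PASS = "pass"          # a PTR name resolves back to the peer IP
    FAIL = "fail"          # lookups completed but nothing matched
    TEMPFAIL = "tempfail"  # lookups could not complete; the client should retry


def reverse_name(ipv4):
    """203.0.113.25 -> 25.113.0.203.in-addr.arpa"""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def fcrdns(peer_ip, resolve):
    """resolve(name, rrtype) returns a list of strings or raises DnsError."""
    try:
        names = resolve(reverse_name(peer_ip), "PTR")
    except DnsError:
        return Verdict.TEMPFAIL
    if not names:
        return Verdict.FAIL
    unresolved = False
    for name in names:
        try:
            addrs = resolve(name, "A")
        except DnsError:
            unresolved = True  # keep going; another PTR name might resolve
            continue
        if peer_ip in addrs:
            return Verdict.PASS
    # Distinguish "the name points elsewhere" from "we could not find out".
    return Verdict.TEMPFAIL if unresolved else Verdict.FAIL


def make_resolver(answers, dead_zones=()):
    """Resolver over a constructed answer table. Any name at or below a
    zone in dead_zones raises DnsError, simulating the authoritative
    provider for that zone being knocked out by a DDoS."""
    def resolve(name, rrtype):
        if any(name == z or name.endswith("." + z) for z in dead_zones):
            raise DnsError("SERVFAIL " + name)
        return answers.get((name, rrtype), [])
    return resolve


# Constructed answers (hypothetical names, RFC 5737 documentation addresses).
ANSWERS = {
    ("25.113.0.203.in-addr.arpa", "PTR"): ["mail.retailer.example"],
    ("mail.retailer.example", "A"): ["203.0.113.25"],
    ("7.113.0.203.in-addr.arpa", "PTR"): ["host.elsewhere.example"],
    ("host.elsewhere.example", "A"): ["198.51.100.9"],
}


def check_normal(peer_ip):
    """The retailer's forward zone is served normally."""
    return fcrdns(peer_ip, make_resolver(ANSWERS))


def check_during_outage(peer_ip):
    """The retailer's forward zone is hosted at a DNS provider that is
    down; the reverse zone (run by the IP block owner) still answers."""
    return fcrdns(peer_ip, make_resolver(ANSWERS, dead_zones=("retailer.example",)))


if __name__ == "__main__":
    for ip in ("203.0.113.25", "203.0.113.7", "203.0.113.99"):
        print(ip, check_normal(ip).value, "/ during outage:", check_during_outage(ip).value)
```

The legitimate sender passes when its DNS provider is up and comes back as TEMPFAIL, not FAIL, when the forward zone stops answering. A receiving filter that treats TEMPFAIL like a mismatch, or counts repeated TEMPFAILs toward a blacklist, locks a legitimate sender out for as long as its DNS provider is unreachable; the sender's half of the exposure is having its forward zone on a single provider.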
  6. "nefarious domain" is a loaded and subjective term by plasmacutter · · Score: 5, Insightful

    What is "nefarious"?

    to some.. the pirate bay and allofmp3 are "nefarious domains"..

    to others "www.f**Ktimewarner.com" and "walmartsucks.com" are "nefarious domains"

    and to others "www.wikipedia.org" and "www.aclu.org" are "nefarious domains".

    I have a lot of trouble with the idea that DDOS attacks were being carried out in (apparently successful) attempts to wipe domains off the face of the earth..

    this implies the attackers had no legal standing to take those domains offline.. then they call them "nefarious" after the fact.

    --
    VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
  7. Botnet? Call it what it is! by Chris+Tucker · · Score: 4, Insightful

    Compromised Windows machines network.

    Where are the class action suits against Microsoft for continually producing such flawed software that makes it easy to 0wn a box?

    If it wasn't for 20 some years of MS indifference towards security, there wouldn't be botnets like this, being used for DDOS attacks and forwarding billions of spams a day.

    --
    Guaranteed! This comment 100% Anthrax free!
  8. Open Letter to all Trolls by tomstdenis · · Score: 4, Interesting

    You're pricks.

    Nothing positive or lasting will come out of trolling (and yes: this means you anonymous asshats on /. and in usenet).

    So why not be part of a winning team and stop script kiddie'ing around from your parents' basement.

    Sincerely,
    The Rest of the Human Race.

    --
    Someday, I'll have a real sig.
  9. Re:solution to DDOS attack by sirket · · Score: 5, Informative

    Not quite- It generally works like this:

    First off- be prepared for a damned attack and don't wait til it happens. When an attack does come:

    1- Identify the target IP address
    2- Immediately null-route traffic for that address (preferably using BGP community based null-routing)
    This gets the rest of your systems back up and gives you time to work on the problem.
    3- Try to identify a pattern in the attacking traffic- use a product from a company like Mazu- or just tcpdump if you're good with sed and awk.
    4- If there is a pattern ask the upstream ISP to block based on that pattern (same source port, same source IP, same TTL, whatever). Or block it yourself if you have the router and bandwidth capacity to deal with the attack yourself- though that's generally a waste of your resources.
    5- If there is no pattern but the traffic is malformed then enable a Cisco Riverguard or similar protection device that can filter out malformed traffic at the higher protocol layers. As an alternative, sign up for such a service from a company like Prolexic.
    6- Remove your null route and see how you did.
    7- If you can't afford a protection service, you can try moving the host/dns records to new IPs. Sometimes the attacks don't follow- sometimes they do. It's often worth a try as it can be done faster than enabling protection services in many cases. In this case leave the old null route in place until the attack stops. Be prepared for the attack to return at any time once they realize what's happened.

    Make sure to keep traffic logs for law-enforcement and to share with other ISPs so that they can track down the offending bots.

    In the future try to keep your traffic as segregated as possible such that an attack on a single host will not take down too many other services should you need to null-route that address for an extended period of time.

    The easiest solution- block all IP addresses assigned to the APNIC region and watch as your site immediately returns to normal. Sadly most of the DDoS's I've seen recently had the majority of their traffic sourced from APNIC addresses.

    -sirket
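Step 3 of sirket's runbook above ("try to identify a pattern in the attacking traffic ... or just tcpdump if you're good with sed and awk") is the part people most often improvise under pressure, so here is an added example of the counting involved. It is not code from the thread, from EveryDNS or from any vendor product. It parses tcpdump -nv style lines (constructed below, one packet per line, not a real capture), tallies each header field across the packets addressed to the null-routed target, and reports the fields where one value dominates the attack capture but not a pre-attack baseline. The target address, the sample traffic and the 90% dominance threshold are all assumptions made for the example.

```python
"""Step 3 of the runbook above: find a header pattern in the attack traffic.

Added example, not code from the thread or from any vendor tool. It parses
tcpdump -nv style lines (constructed below, one packet per line, not a real
capture), counts the value of each header field across packets aimed at the
target, and reports fields where one value dominates the attack capture but
not a pre-attack baseline capture. Those are the fields an upstream can put
in an ACL. The 90% dominance threshold is an assumption chosen for this
example.
"""
import re
from collections import Counter

# Matches the IP header summary tcpdump -nv prints followed by "src.sport > dst.dport:".
LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+),.*?proto (?P<proto>[A-Z]+) \(\d+\), length (?P<length>\d+)\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)
FIELDS = ("proto", "dport", "sport", "ttl", "length", "src")


def parse(text):
    """Return one dict of header fields per parseable line."""
    return [m.groupdict() for m in (LINE_RE.search(line) for line in text.splitlines()) if m]


def dominant_fields(pkts, target, threshold=0.9):
    """{field: value} for every field where a single value covers at least
    `threshold` of the packets addressed to `target`."""
    to_target = [p for p in pkts if p["dst"] == target]
    if not to_target:
        return {}
    found = {}
    for f in FIELDS:
        value, count = Counter(p[f] for p in to_target).most_common(1)[0]
        if count / len(to_target) >= threshold:
            found[f] = value
    return found


def discriminating_fields(attack, baseline, target, threshold=0.9):
    """Dominant fields of the attack capture, minus those whose value also
    dominates the baseline: proto=UDP and dport=53 describe the service
    itself, so filtering on them would drop legitimate queries too."""
    hot = dominant_fields(attack, target, threshold)
    cold = dominant_fields(baseline, target, threshold)
    return {f: v for f, v in hot.items() if cold.get(f) != v}


def acl_hint(pattern):
    """Human-readable match spec to send to the upstream NOC. The syntax is
    illustrative, not any router vendor's."""
    return " and ".join(f"{k}={v}" for k, v in sorted(pattern.items()))


TARGET = "203.0.113.53"  # the null-routed nameserver address (constructed)

# Constructed: nine flood packets sharing a source port, TTL and size but
# coming from different source addresses, plus one legitimate query.
ATTACK_CAPTURE = """\
12:00:00.000010 IP (tos 0x0, ttl 53, id 1, offset 0, flags [none], proto UDP (17), length 540) 198.51.100.11.31337 > 203.0.113.53.53: 1+ A? victim.example. (512)
12:00:00.000020 IP (tos 0x0, ttl 53, id 1, offset 0, flags [none], proto UDP (17), length 540) 198.51.100.12.31337 > 203.0.113.53.53: 1+ A? victim.example. (512)
12:00:00.000030 IP (tos 0x0, ttl 53, id 1, offset 0, flags [none], proto UDP (17), length 540) 198.51.100.13.31337 > 203.0.113.53.53: 1+ A? victim.example. (512)
12:00:00.000040 IP (tos 0x0, ttl 53, id 1, offset 0, flags [none], proto UDP (17), length 540) 198.51.100.14.31337 > 203.0.113.53.53: 1+ A? victim.example. (512)
12:00:00.000050 IP (tos 0x0, ttl 53, id 1, offset 0, flags [none], proto UDP (17), length 540) 198.51.100.15.31337 > 203.0.113.53.53: 1+ A? victim.example. (512)
12:00:00.000055 IP (tos 0x0, ttl 61, id 4410, offset 0, flags [DF], proto UDP (17), length 73) 192.0.2.7.40021 > 203.0.113.53.53: 9+ A? www.example.com. (45)
12:00:00.000060 IP (tos 0x0, ttl 53, id 1, offset 0, flags [none], proto UDP (17), length 540) 198.51.100.16.31337 > 203.0.113.53.53: 1+ A? victim.example. (512)
12:00:00.000070 IP (tos 0x0, ttl 53, id 1, offset 0, flags [none], proto UDP (17), length 540) 198.51.100.17.31337 > 203.0.113.53.53: 1+ A? victim.example. (512)
12:00:00.000080 IP (tos 0x0, ttl 53, id 1, offset 0, flags [none], proto UDP (17), length 540) 198.51.100.18.31337 > 203.0.113.53.53: 1+ A? victim.example. (512)
12:00:00.000090 IP (tos 0x0, ttl 53, id 1, offset 0, flags [none], proto UDP (17), length 540) 198.51.100.19.31337 > 203.0.113.53.53: 1+ A? victim.example. (512)
"""

# Constructed pre-attack baseline: ordinary queries to the same server.
BASELINE_CAPTURE = """\
11:00:00.100001 IP (tos 0x0, ttl 61, id 4410, offset 0, flags [DF], proto UDP (17), length 73) 192.0.2.7.40021 > 203.0.113.53.53: 9+ A? www.example.com. (45)
11:00:00.200002 IP (tos 0x0, ttl 58, id 2201, offset 0, flags [DF], proto UDP (17), length 81) 192.0.2.20.51512 > 203.0.113.53.53: 3+ MX? example.org. (53)
11:00:00.300003 IP (tos 0x0, ttl 64, id 977, offset 0, flags [DF], proto UDP (17), length 65) 192.0.2.33.33210 > 203.0.113.53.53: 7+ A? ns.example. (37)
11:00:00.400004 IP (tos 0x0, ttl 57, id 60, offset 0, flags [DF], proto UDP (17), length 90) 192.0.2.41.60003 > 203.0.113.53.53: 2+ TXT? mail.example.net. (62)
"""


def attack_pattern():
    """The fields worth asking the upstream to filter on, for this capture."""
    return discriminating_fields(parse(ATTACK_CAPTURE), parse(BASELINE_CAPTURE), TARGET)


if __name__ == "__main__":
    print("ask upstream to drop traffic to", TARGET, "where", acl_hint(attack_pattern()))
```

In the constructed capture the source addresses all differ (spoofed or many bots), so `src` never dominates and the usable filter comes from the fixed source port, TTL and packet length, which is exactly the kind of match sirket suggests handing to the upstream. Two practical caveats: a real `tcpdump -nv` capture prints each packet over two lines, so join them before feeding them in; and once the attackers notice the filter they may randomize those fields, which is why the post says to be ready for the attack to return.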