Network Solutions Under Large-Scale DDoS Attack

netizen writes "CircleID is reporting a large-scale DDoS attack affecting all of Network Solutions' name servers for the past 48 hours, potentially affecting millions of websites and emails around the world hosting their domain names on the company's servers. The NANOG mailing list indicates that it is due to a very large-scale UDP/53 DDoS which Network Solutions has also confirmed: 'There is a spike in DNS query volumes that is causing latency for the delay in web sites resolving. This is a result of a DDOS attack. We are taking measures to mitigate the attack and speed up queries.""

Re:hummm

Rebooting is what you do to Windows boxes. Unix is what you use for important things like DNS.

Re:Red headlines?

[clarkkent09]

Subscribe and you'll see them all the time

Shashi B at Network Solutions

[shashib]

Here is a update that we posted on the Network Solutions Blog (http://cli.gs/GEWSs0) : DNS queries for web sites should be responding normally. Thank you all for your understanding. As always, we will continue to work to take measures to prevent these and other types of technical issues caused by third parties that may impact our customers. Thanks, ShashiB

mistatement

[WillRobinson]

Actually I did change the forwarders and restarted the service, no reboot, just a bad description.

perfect

A perfect opportunity to use that normally B.S. excuse: "Why, no, I didn't get your email. Must've been because of that DDoS attack on the name servers."

Re:Someone should be fired!

[timmarhy]

you can't prevent them. they come from legit clients that have been infected with a virus. you can block the traffic by dropping traffic that matches the attach pattern, that's about it.

Re:Slashdotting will help how?

[epiphani]

Hi! You're wrong. That would be Verisign.

This is DNS hosting provided by Network Solutions for people who buy domains from them and choose to have them host the DNS rather than host it themselves.

Thanks for playing.

Re:Downright Gibsonian

[thered2001]

If I had mod points right now, I'd boost your reply beyond mine. My quip elicited your insightful reply...hopefully, it gets the attention it deserves.

Re:That would explain the surge in DDoS spray pack

[Spit]

Don't block the requests, the requester IP is spoofed so that DNS servers which respond with root hints forward them to the innocent party, causing DoS. Vlocking the IP just blocks the innocent party's DNS servers. Just make sure that you don't respond external recusive queries.

Re:Someone should be fired!

[passion]

Not quite - you're thinking of older versions. Modern versions of Peakflow are teamed with TMS (Threat Management System), which allow you to mitigate DDoS attacks.

From their website, "Surgical Mitigation Arbor Peakflow SP TMS enables you to automatically detect and surgically remove only the attack traffic while maintaining legitimate business traffic â" thereby ensuring the highest level of customer satisfaction."

http://www.arbornetworks.com/en/threat-management-system.html

Re:Slashdotting will help how?

[Phroggy]

*pssst* Verisign owns Network Solutions owns .com

That hasn't been true in years.

NSI originally operated the .com/net/org/edu registry and was the sole registrar; after they started allowing competing registrars, Verisign bought NSI, then Verisign spun off NSI as a registrar but kept the registry. NSI now competes on even footing with other registrars (except NSI's customer base dates back to before competition existed).

I'm tired, I'll let somebody else correct my oversimplifications and misstatements. :-)

Re:That would explain the surge in DDoS spray pack

[Cally]

Exactly. The attacker spoofs UDP DNS queries and sends them to third-party DNS servers. They respond to the spoofed, victim's nameservers. The idea is that the attacker sends a small packet which induces a large response ('amplification') from the third party to the victim.

Incidentally when did Network Solutions change their name to "IsPrime"?