Slashdot Mirror


Network Solutions Under Large-Scale DDoS Attack

netizen writes "CircleID is reporting a large-scale DDoS attack affecting all of Network Solutions' name servers for the past 48 hours, potentially affecting millions of websites and emails around the world hosting their domain names on the company's servers. The NANOG mailing list indicates that it is due to a very large-scale UDP/53 DDoS which Network Solutions has also confirmed: 'There is a spike in DNS query volumes that is causing latency for the delay in web sites resolving. This is a result of a DDOS attack. We are taking measures to mitigate the attack and speed up queries.'"

12 of 139 comments

  1. hummm by WillRobinson · · Score: 3, Interesting

    Rebooted the DNS server today cause things seemed funny ... maybe this is what it really was.

  2. Downright Gibsonian by thered2001 · · Score: 2, Interesting

    Man, am I getting old. This shit used to be relegated to print sci-fi, now it's reported like the weather. The first thing I'm thinking is "will this prevent me from working from home on Monday?"

    I'll do the only thing I can think of: I'll invoke a friendly spirit: "Wintermute! Help us!"

    --

    If your only tool is a hammer, every problem becomes a nail.

  3. That would explain the surge in DDoS spray packets by Swordfish · · Score: 3, Interesting

    That would help to explain the surge in this kind of thing in the last few days.

    15:07:13.666770 IP 63.217.28.226.17498 > 158.64.65.65.53: 36407+ NS? . (17)
    15:07:13.750783 IP 63.217.28.226.61231 > 158.64.65.65.53: 46118+ NS? . (17)
    15:07:13.831834 IP 63.217.28.226.44626 > 158.64.65.66.53: 51544+ NS? . (17)

    Except that that source IP address doesn't look like a Network Solutions address to me.

    Is it possible that there is a DDoS technique where the source IP addresses on DNS packets to 3rd party DNS servers are spoofed so as to generate the appearance of an attack from a different source? I guess that's what they're saying. But it doesn't seem to multiply the power of an attack much. They just get 17 bytes of DNS response from each 17 byte request.

    It's all a bit confusing really....

  4. Re:That would explain the surge in DDoS spray pack by epiphani · · Score: 5, Interesting

    The problem seems to kick in for DNS servers that aren't rejecting the queries. Someone is channeling ye 'ole smurfing methods.

    They're requesting a list of all DNS root servers. If the server doesn't reject the query, a 17 byte query becomes a 50k response (or something like that) to the spoofed address.

    --
    .
  5. Drudge Report by DigiShaman · · Score: 2, Interesting

    That would explain why access to the drudgereport page has been off and on. DNS failure would do it.

    Administrative Contact :
                  Drudge, Matt
                  rg3kn2zw89n@networksolutionsprivateregistration.com
                  ATTN: DRUDGEREPORT.COM
                  c/o Network Solutions
                  P.O. Box 447
                  Herndon, VA 20172-0447
                  Phone: 570-708-8780

                  Technical Contact :
                  Drudge, Matt
                  rg3kn2zw89n@networksolutionsprivateregistration.com
                  ATTN: DRUDGEREPORT.COM
                  c/o Network Solutions
                  P.O. Box 447
                  Herndon, VA 20172-0447
                  Phone: 570-708-8780

                  Record expires on 15-Feb-2013
                  Record created on 14-Feb-1997
                  Database last updated on 29-Feb-2008

                  Domain servers in listed order:

                  NS6.HA-HOSTING.COM 64.73.222.3
                  NS1.HA-HOSTING.COM 66.28.209.220
                  NS4.HA-HOSTING.COM 8.10.64.46
                  NS2.HA-HOSTING.COM 8.10.64.38
                  NS5.HA-HOSTING.COM 66.234.135.94
                  NS3.HA-HOSTING.COM 66.28.209.221

    --
    Life is not for the lazy.
  6. I wonder if this is related.. by Anonymous Coward · · Score: 2, Interesting

    I wonder if this is related to this http://isc.sans.org/diary.html?storyid=5713

  7. This is not too hard to solve. by John+Sokol · · Score: 2, Interesting
    --
    I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
  8. Re:Making available legal doctrine means MS must p by jabithew · · Score: 2, Interesting

    I think it is still an interesting question to consider if there is any liability to Microsoft for damage caused by a virus hosted on their OS.

    My instinct is that there isn't, as it is perfectly possible to run Windows virus-free, with varying levels of difficulty. Also, in this case Microsoft made a patch available, so the OS as provided by Microsoft is immune to the attack.

    --
    All intents and purposes. Not intensive purposes.
  9. Re:That would explain the surge in DDoS spray pack by Onymous+Coward · · Score: 2, Interesting

    It's a reflection attack. Send a small query that requires a bigger answer to a bunch of nameservers. Spoof the source address for the query.

    Here's what I'm seeing of this attack.
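
The reflection pattern described in comments 4 and 9 (a tiny root-NS query, spoofed source, answered by any resolver that fails to refuse it) can be spotted on the resolver side from exactly the kind of tcpdump lines comment 3 pasted. The script below is an added example written for this page, not code from any commenter or from Network Solutions. It parses tcpdump-style DNS query lines and flags sources that send bursts of high-amplification questions (root NS or ANY) at port 53. The log lines, addresses (documentation ranges), the "amplifying query" rule and the burst thresholds are all constructed assumptions, not measurements from the incident.

```python
"""Flag DNS reflection/amplification abuse in tcpdump-style query logs.

Added example for this thread, not the original page's code. The sample log
is constructed to match the tcpdump format in comment 3:
  HH:MM:SS.us IP src.sport > dst.dport: id+ QTYPE? QNAME (len)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one (spoofed) source sends a burst of root-NS queries
# to two resolvers; a second client sends ordinary A/AAAA lookups.
SAMPLE_LOG = """\
15:07:13.666770 IP 192.0.2.10.17498 > 198.51.100.5.53: 36407+ NS? . (17)
15:07:13.750783 IP 192.0.2.10.61231 > 198.51.100.5.53: 46118+ NS? . (17)
15:07:13.831834 IP 192.0.2.10.44626 > 198.51.100.6.53: 51544+ NS? . (17)
15:07:13.902111 IP 192.0.2.10.50111 > 198.51.100.6.53: 51545+ NS? . (17)
15:07:14.010002 IP 203.0.113.7.40001 > 198.51.100.5.53: 1001+ A? www.example.com. (33)
15:07:14.120003 IP 203.0.113.7.40002 > 198.51.100.5.53: 1002+ AAAA? www.example.com. (33)
15:07:14.200000 IP 192.0.2.10.50112 > 198.51.100.5.53: 51546+ NS? . (17)
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    rf"(?P<src>{IPV4})\.(?P<sport>\d+) > (?P<dst>{IPV4})\.(?P<dport>\d+): "
    r"(?P<qid>\d+)\+? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) \((?P<qlen>\d+)\)$"
)


def parse_line(line):
    """Parse one tcpdump DNS query line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%H:%M:%S.%f"),  # date part is irrelevant
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "qtype": d["qtype"],
        "qname": d["qname"],
        "qlen": int(d["qlen"]),
    }


def is_amplifying(q):
    """Assumed rule: a root-NS question (comment 4) or ANY yields a reply far
    larger than the question, which is what makes it useful for reflection."""
    return q["qtype"] == "ANY" or (q["qtype"] == "NS" and q["qname"] == ".")


def find_reflection_sources(log_text, window=timedelta(seconds=1), threshold=3):
    """Return {src: report} for sources sending >= threshold amplifying
    queries inside any sliding `window`. In a reflection attack `src` is the
    spoofed victim, so the report is input for refusing/rate-limiting the
    answers, not for blocking that address."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        q = parse_line(line)
        if q and q["dport"] == 53 and is_amplifying(q):
            per_src[q["src"]].append(q)

    reports = {}
    for src, qs in per_src.items():
        qs.sort(key=lambda q: q["ts"])
        peak, start = 0, 0
        for end in range(len(qs)):          # sliding window over timestamps
            while qs[end]["ts"] - qs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            reports[src] = {
                "queries": len(qs),
                "peak_per_window": peak,
                "resolvers_hit": sorted({q["dst"] for q in qs}),
                "query_bytes": sum(q["qlen"] for q in qs),
            }
    return reports


if __name__ == "__main__":
    for src, rep in find_reflection_sources(SAMPLE_LOG).items():
        print(f"{src}: {rep['queries']} amplifying queries, "
              f"peak {rep['peak_per_window']}/window, "
              f"resolvers {rep['resolvers_hit']}, {rep['query_bytes']} query bytes")
```

Because the flagged address is the spoofed victim, the useful response on a resolver is to stop being a reflector: answer recursion and root-NS/ANY questions only for your own clients and apply response rate limiting (in BIND 9 these are the `allow-recursion` and `rate-limit` options), rather than filtering the victim's address, which would only finish the attacker's job.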

  10. netsol != isprime by Anonymous Coward · · Score: 1, Interesting

    What the hell does this have to do with netsol? The traffic from this ddos is originating from isprime and something called "beyond the network inc", both american companies.

  11. Re:Good by mattr · · Score: 2, Interesting

    I moved a domain from netsol in January and let me tell you it was like pulling teeth. The non-existent control panel button, the "security" which secures them against you, the sales rep on the phone who passes you on, each person initiating a new sales pitch... only got them to move at all by threatening to report them. I used them for 10 years and knew they were tough to like but never again. FWIW Mom uses GoDaddy, and for hosting I like linode.com or anybody else.

  12. Look for DNS/SSL/MITM attacks about now... by DamnStupidElf · · Score: 3, Interesting

    The only obvious reason to DDoS a bunch of DNS servers is if you're going to be doing some cache poisoning and mounting a massive MITM attack, and if you're lucky you recently obtained a trusted intermediate CA via an MD5 collision attack on a lousy root CA like RapidSSL.

    Has anyone bothered to petition Mozilla to remove all the offending root CAs with the weakness shown in MD5 considered harmful today?