Slashdot Mirror

← Back to Stories (view on slashdot.org)

Network Solutions Under Large-Scale DDoS Attack

Posted by Soulskill on from the but-they're-so-friendly dept.

netizen writes "CircleID is reporting a large-scale DDoS attack affecting all of Network Solutions' name servers for the past 48 hours, potentially affecting millions of websites and emails around the world hosting their domain names on the company's servers. The NANOG mailing list indicates that it is due to a very large-scale UDP/53 DDoS which Network Solutions has also confirmed: 'There is a spike in DNS query volumes that is causing latency for the delay in web sites resolving. This is a result of a DDOS attack. We are taking measures to mitigate the attack and speed up queries.""

4 of 139 comments (clear)

  1. hummm by WillRobinson · · Score: 3, Interesting

    Rebooted the DNS server today cause things seemed funny ... maybe this is what it really was.

  2. That would explain the surge in DDoS spray packets by Swordfish · · Score: 3, Interesting

    That would help to explain the surge in this kind of thing in the last few days.

    15:07:13.666770 IP 63.217.28.226.17498 > 158.64.65.65.53: 36407+ NS? . (17)
    15:07:13.750783 IP 63.217.28.226.61231 > 158.64.65.65.53: 46118+ NS? . (17)
    15:07:13.831834 IP 63.217.28.226.44626 > 158.64.65.66.53: 51544+ NS? . (17)

    Except that that source IP address doesn't look like a Network Solutions address to me.

    Is it possible that there is a DDoS technique where the source IP addresses on DNS packets to 3rd party DNS servers are spoofed so as to generate the appearance of an attack from a different source? I guess that's what they're saying. But it doesn't seem to multiply the power of an attack much. They just get 17 bytes of DNS response from each 17 byte request.

    It's all a bit confusing really....

  3. Re:That would explain the surge in DDoS spray pack by epiphani · · Score: 5, Interesting

    The problem seems to kick in for DNS servers that arent rejecting the queries. Someone is channeling ye 'ole smurfing methods.

    They're requesting a list of all DNS root servers. If the server don't reject the query, a 17 byte query becomes a 50k response (or something like that) to the spoofed address.

    --
    .
  4. Look for DNS/SSL/MITM attacks about now... by DamnStupidElf · · Score: 3, Interesting

    The only obvious reason to DDoS a bunch of DNS servers is if you're going to be doing some cache poisoning and mounting a massive MITM attack, and if you're lucky you recently obtained a trusted intermediate CA via an MD5 collision attack on a lousy root CA like RapidSSL.

    Has anyone bothered to petition Mozilla to remove all the offending root CAs with the weakness shown in MD5 considered harmful today?