Slashdot Mirror


Network Solutions Under Large-Scale DDoS Attack

netizen writes "CircleID is reporting a large-scale DDoS attack affecting all of Network Solutions' name servers for the past 48 hours, potentially affecting millions of websites and emails around the world hosting their domain names on the company's servers. The NANOG mailing list indicates that it is due to a very large-scale UDP/53 DDoS which Network Solutions has also confirmed: 'There is a spike in DNS query volumes that is causing latency for the delay in web sites resolving. This is a result of a DDOS attack. We are taking measures to mitigate the attack and speed up queries.'"

36 of 139 comments

  1. One must ask... by Anonymous Coward · · Score: 5, Funny

    Does Network Solutions have any network solutions?

  2. hummm by WillRobinson · · Score: 3, Interesting

    Rebooted the DNS server today cause things seemed funny ... maybe this is what it really was.

    1. Re:hummm by Anonymous Coward · · Score: 4, Informative

      Rebooting is what you do to Windows boxes. Unix is what you use for important things like DNS.

    2. Re:hummm by symbolset · · Score: 2, Insightful

      The best opportunity shares space with the greatest risk.

      --
      Help stamp out iliturcy.
    3. Re:hummm by nabsltd · · Score: 2, Insightful

      Many (inexperienced) linux admins like to reboot their boxen too remember

      I've seen many times when issues required a reboot of a *nix machine.

      The latest one I'm dealing with is a machine that completely drops off the network (no pings, etc.). Restarting services has no effect, so we suspect it is hardware, but that doesn't make a lot of sense, because the obvious culprit (the network cards) have physical redundancy and pass all diagnostics. We've also swapped out cards, but still see the same thing. The next step is to move to a card that uses a different driver, but that's something that requires change control to get involved.

      It only happens about once every two months, and since the machine itself is part of a cluster, it doesn't hurt productivity much, but it is annoying.

  3. Slashdotting will help how? by nwf · · Score: 5, Funny

    Nice we can link to something in their domain to further add to the DNS traffic! Maybe someone could find a link to download some huge file from their servers, too!

    --
    I don't know, but it works for me.
    1. Re:Slashdotting will help how? by epiphani · · Score: 4, Informative

      Hi! You're wrong. That would be Verisign.

      This is DNS hosting provided by Network Solutions for people who buy domains from them and choose to have them host the DNS rather than host it themselves.

      Thanks for playing.

      --
      .
    2. Re:Slashdotting will help how? by poopdeville · · Score: 2, Insightful

      Maintain a cache of domain records from an authoritative source (which can be itself, in the case of the 11 root servers or internal network domain name servers).

      Oh, you were trying to make the GP look dumb. Failure.

      --
      After all, I am strangely colored.
    3. Re:Slashdotting will help how? by Phroggy · · Score: 2, Informative

      *pssst* Verisign owns Network Solutions owns .com

      That hasn't been true in years.

      NSI originally operated the .com/net/org/edu registry and was the sole registrar; after they started allowing competing registrars, Verisign bought NSI, then Verisign spun off NSI as a registrar but kept the registry. NSI now competes on even footing with other registrars (except NSI's customer base dates back to before competition existed).

      I'm tired, I'll let somebody else correct my oversimplifications and misstatements. :-)

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  4. Re:Red headlines? by clarkkent09 · · Score: 2, Informative

    Subscribe and you'll see them all the time

    --
    Negative moral value of force outweighs the positive value of good intentions.
  5. Shashi B at Network Solutions by shashib · · Score: 5, Informative

    Here is an update that we posted on the Network Solutions Blog (http://cli.gs/GEWSs0): DNS queries for web sites should be responding normally. Thank you all for your understanding. As always, we will continue to work to take measures to prevent these and other types of technical issues caused by third parties that may impact our customers. Thanks, ShashiB

    --
    Social Media Swami | Network Solutions | http://blog.networksolutions.com
    1. Re:Shashi B at Network Solutions by TheSeer2 · · Score: 3, Funny
  6. misstatement by WillRobinson · · Score: 3, Informative

    Actually I did change the forwarders and restarted the service, no reboot, just a bad description.

  7. perfect by Anonymous Coward · · Score: 2, Informative

    A perfect opportunity to use that normally B.S. excuse: "Why, no, I didn't get your email. Must've been because of that DDoS attack on the name servers."

  8. Re:Oops... by troll8901 · · Score: 2, Funny

    So that's you, making my 40Gb/s connection slow!

    Now I'm shelling out for 14Tb/s. Money don't grow on trees, you know.

  9. Re:Someone should be fired! by ColdWetDog · · Score: 5, Funny

    is there a way to completely "immunize" oneself against such attacks? If so, where is the howto?

    I've heard that unplugging the network cable works OK.

    --
    Faster! Faster! Faster would be better!
  10. Re:Someone should be fired! by timmarhy · · Score: 3, Informative

    you can't prevent them. they come from legit clients that have been infected with a virus. you can block the traffic by dropping traffic that matches the attack pattern, that's about it.

    --
    If you mod me down, I will become more powerful than you can imagine....
  11. Re:Someone should be fired! by Anonymous Coward · · Score: 5, Insightful

    Do you even know what a DDoS attack is?

    If you did, you'd realize you can't both operate a service online, and be immune. The two things are mutually exclusive.

    The best you can do is slap the attack down when you see one happening. Even that isn't exactly easy. Banning a few million IP addresses tends to be a problem all by itself.

  12. Downright Gibsonian by thered2001 · · Score: 2, Interesting

    Man, am I getting old. This shit used to be relegated to print sci-fi, now it's reported like the weather. The first thing I'm thinking is "will this prevent me from working from home on Monday?"

    I'll do the only thing I can think of: I'll invoke a friendly spirit: "Wintermute! Help us!"

    --

    If your only tool is a hammer, every problem becomes a nail.

    1. Re:Downright Gibsonian by zappepcs · · Score: 5, Insightful

      You might be getting old, but reporting malicious attacks like the weather is a good thing. Some will get tired of it, but the good thing is that perhaps the average joe public user will become aware of how vulnerable their on-line experience and computer are. Fighting DDoS attacks has been done successfully, but it takes a lot of work, and a lot of hardware. There are a couple of stories on the Internet about such.

      The most recent botnet reports show that 100s of millions of PCs are infected via an MS vulnerability that was fixed with a patch last year.

      We need to see the awareness level increased, and some serious attention to detail on the patch/upgrade cycles.

  13. That would explain the surge in DDoS spray packets by Swordfish · · Score: 3, Interesting

    That would help to explain the surge in this kind of thing in the last few days.

    15:07:13.666770 IP 63.217.28.226.17498 > 158.64.65.65.53: 36407+ NS? . (17)
    15:07:13.750783 IP 63.217.28.226.61231 > 158.64.65.65.53: 46118+ NS? . (17)
    15:07:13.831834 IP 63.217.28.226.44626 > 158.64.65.66.53: 51544+ NS? . (17)

    Except that that source IP address doesn't look like a Network Solutions address to me.

    Is it possible that there is a DDoS technique where the source IP addresses on DNS packets to 3rd party DNS servers are spoofed so as to generate the appearance of an attack from a different source? I guess that's what they're saying. But it doesn't seem to multiply the power of an attack much. They just get 17 bytes of DNS response from each 17 byte request.

    It's all a bit confusing really....

  14. Re:That would explain the surge in DDoS spray pack by epiphani · · Score: 5, Interesting

    The problem seems to kick in for DNS servers that aren't rejecting the queries. Someone is channeling ye 'ole smurfing methods.

    They're requesting a list of all DNS root servers. If the server doesn't reject the query, a 17 byte query becomes a 50k response (or something like that) to the spoofed address.

    --
    .
  15. Drudge Report by DigiShaman · · Score: 2, Interesting

    That would explain why access to the drudgereport page has been off and on. DNS failure would do it.

    --
    Life is not for the lazy.
  16. Re:Someone should be fired! by inKubus · · Score: 2, Funny

    Easy:
    cat "216.34.181.45 slashdot.org" >> /etc/hosts

    Any other questions?

    --
    Cool! Amazing Toys.
  17. I wonder if this is related.. by Anonymous Coward · · Score: 2, Interesting

    I wonder if this is related to this http://isc.sans.org/diary.html?storyid=5713

  18. Re:Someone should be fired! by totally+bogus+dude · · Score: 5, Funny

    ...and so ends the era of "useless use of cat"; now begins the era of "completely nonsensical attempt to use cat".

  19. This is not too hard to solve. by John+Sokol · · Score: 2, Interesting
    --
    I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
  20. Re:The Beginning? by Rayban · · Score: 4, Funny

    Damn whoever first started spelling that as "Cornfucker". I keep seeing that now - just waiting to say it accidentally.

    --
    æeee!
  21. Re:That would explain the surge in DDoS spray pack by Spit · · Score: 2, Informative

    Don't block the requests. The requester IP is spoofed so that DNS servers which respond with root hints forward them to the innocent party, causing DoS. Blocking the IP just blocks the innocent party's DNS servers. Just make sure that you don't respond to external recursive queries.

    --
    POKE 36879,8
  22. Re:Someone should be fired! by passion · · Score: 2, Informative

    Not quite - you're thinking of older versions. Modern versions of Peakflow are teamed with TMS (Threat Management System), which allow you to mitigate DDoS attacks.

    From their website, "Surgical Mitigation Arbor Peakflow SP TMS enables you to automatically detect and surgically remove only the attack traffic while maintaining legitimate business traffic - thereby ensuring the highest level of customer satisfaction."

    http://www.arbornetworks.com/en/threat-management-system.html

    --
    - passion
  23. Re:Making available legal doctrine means MS must p by jabithew · · Score: 2, Interesting

    I think it is still an interesting question to consider if there is any liability to Microsoft for damage caused by a virus hosted on their OS.

    My instinct is that there isn't, as it is perfectly possible to run Windows virus-free, with varying levels of difficulty. Also, in this case Microsoft made a patch available, so the OS as provided by Microsoft is immune to the attack.

    --
    All intents and purposes. Not intensive purposes.
  24. Re:That would explain the surge in DDoS spray pack by Onymous+Coward · · Score: 2, Interesting

    It's a reflection attack. Send a small query that requires a bigger answer to a bunch of nameservers. Spoof the source address for the query.

    Here's what I'm seeing of this attack.

  25. Re:That would explain the surge in DDoS spray pack by Cally · · Score: 2, Informative

    Exactly. The attacker spoofs UDP DNS queries and sends them to third-party DNS servers. They respond to the spoofed, victim's nameservers. The idea is that the attacker sends a small packet which induces a large response ('amplification') from the third party to the victim.

    Incidentally when did Network Solutions change their name to "IsPrime"?

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
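As an added illustration (not posted by anyone in this thread), here is a small Python detector run over constructed tcpdump-style lines modelled on the ones quoted in comment 13. It counts root NS ("NS? .") queries per claimed source address and, following the advice in comments 21 and 25, reports that address as the probable spoofed reflection victim rather than as something to block; the 512-byte reply size used for the amplification estimate is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in tcpdump's DNS summary format, modelled on the three
# lines quoted in the thread (not real captured traffic).
SAMPLE_LINES = """\
15:07:13.666770 IP 63.217.28.226.17498 > 158.64.65.65.53: 36407+ NS? . (17)
15:07:13.750783 IP 63.217.28.226.61231 > 158.64.65.65.53: 46118+ NS? . (17)
15:07:13.831834 IP 63.217.28.226.44626 > 158.64.65.66.53: 51544+ NS? . (17)
15:07:14.002311 IP 63.217.28.226.50219 > 158.64.65.65.53: 9012+ NS? . (17)
15:07:14.105580 IP 192.0.2.10.40001 > 158.64.65.65.53: 771+ A? www.example.com. (33)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<id>\d+)\+? "
    r"(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \((?P<length>\d+)\)$"
)

def parse_line(line):
    """Split one tcpdump DNS query line into fields; None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "id", "length"):
        d[k] = int(d[k])
    return d

def find_reflection_victims(lines, threshold=3, response_bytes=512):
    """Count 'NS? .' (root hints) queries per claimed source address.

    A source over `threshold` is reported as the probable *spoofed* address,
    i.e. the reflection victim: the fix is to refuse recursion to outsiders,
    not to block that address.  `response_bytes` is an assumed reply size
    (512 is the classic UDP DNS limit without EDNS)."""
    per_src, req_bytes = Counter(), defaultdict(int)
    for line in lines:
        q = parse_line(line)
        if q and q["dport"] == 53 and q["qtype"] == "NS" and q["qname"] == ".":
            per_src[q["src"]] += 1
            req_bytes[q["src"]] += q["length"]
    return {
        src: {"queries": n,
              "amplification": round(n * response_bytes / req_bytes[src], 1)}
        for src, n in per_src.items() if n >= threshold
    }
```

On the sample, the 63.217.28.226 address is flagged with four root NS queries and roughly 30x amplification toward it, while the ordinary A query from another host is ignored.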
  26. Good by nurb432 · · Score: 2, Insightful

    Netsol sux anyway.

    Anyone else notice how they send out notices with the FROM: address forged as the TO address? Most people would get sued for fraud.

    --
    ---- Booth was a patriot ----
    1. Re:Good by mattr · · Score: 2, Interesting

      I moved a domain from netsol in January and let me tell you it was like pulling teeth. The non-existent control panel button, the "security" which secures them against you, the sales rep on the phone who passes you on, each person initiating a new sales pitch... only got them to move at all by threatening to report them. I used them for 10 years and knew they were tough to like but never again. FWIW Mom uses GoDaddy, and for hosting I like linode.com or anybody else.

  27. Look for DNS/SSL/MITM attacks about now... by DamnStupidElf · · Score: 3, Interesting

    The only obvious reason to DDoS a bunch of DNS servers is if you're going to be doing some cache poisoning and mounting a massive MITM attack, and if you're lucky you recently obtained a trusted intermediate CA via an MD5 collision attack on a lousy root CA like RapidSSL.

    Has anyone bothered to petition Mozilla to remove all the offending root CAs with the weakness shown in MD5 considered harmful today?