Possibly related distributed denial-of-service (DDoS) attacks have in the past few days slammed the DNS servers of at least three providers of domain-name management and DNS hosting services.
DNSimple, easyDNS and TPP Wholesale all reported temporary DNS service outages and degradation on Monday, citing DDoS attacks as the reason. In some cases the attacks started a few days ago and are ongoing.
TPP Wholesale, a subsidiary of Sydney-based Netregistry, one of Australia's largest providers of Web hosting, domain management and other online services, alerted its customers through its website on Monday that eight of its DNS servers experienced "unscheduled service interruption."
TPP Wholesale experienced a series of DDoS attacks against its DNS name servers over the past several days, the Netregistry Group Security Team said in a blog post. The company managed to mitigate the DDoS attacks that caused service interruptions throughout Monday by taking "the drastic step" of rate-limiting DNS queries, the team said.
Such aggressive filtering is prone to false positives and might result in some customers being denied DNS service. "In the next few days we will continue to whitelist such false positives as we discover them," the team said.
EasyDNS, a DNS hosting provider based in Toronto, also reported DNS service disruptions caused by a DDoS attack on Monday.
"This looks like a larger version of a smaller DDoS yesterday which was possibly a test run," the company's CEO Mark Jeftovic said Monday in a blog post. "This DDoS attack is different from our previous ones in that it looks as if the target is us, easyDNS, not one of our clients."
Jeftovic said that it was difficult to differentiate the real traffic from the DDoS traffic, but the company managed to partially mitigate the attack and also published workarounds for affected customers. "This is the 'nightmare scenario' for DNS providers, because it is not against a specific domain which we can isolate and mitigate, but it's against easyDNS itself and it is fairly well constructed," he said.
Aetrion, based in Malabar, Florida, operates a DNS hosting service called DNSimple, which was also attacked on Monday. According to DNSimple founder Anthony Eden, the DDoS attack is ongoing, but the company managed to mitigate it.
"Our authoritative name servers were used as an amplifier for an attack against a third-party network," Eden said Tuesday via email. "The attacker essentially flooded us with 'ANY' queries for a variety of domains managed by our DNS service, with the intention of amplifying these small queries into significantly larger responses aimed at a specific network."
This attack technique is known as DNS reflection or DNS amplification. It involves sending queries with a spoofed source IP (Internet Protocol) address, usually the victim's address, from a large number of computers to many DNS servers, so that those servers send their responses, which are much larger than the queries that triggered them, to the victim's IP address within a short time window. Spoofing works because DNS normally runs over UDP, which performs no handshake to verify that the sender actually owns the source address; ANY queries are favoured because the server answers with every record type it holds for the name. If enough computers and DNS servers are used, the resulting rogue DNS traffic will exhaust the victim's available Internet bandwidth.
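The following is an added example, not code from the article or from any of the providers it names. It makes two points from the article concrete: the size asymmetry behind the ANY-query reflection that DNSimple describes, and the trade-off behind TPP Wholesale's "drastic step" of rate-limiting queries and then whitelisting the false positives. It builds a DNS ANY query in wire format, builds a constructed ANY response for a record-rich name and reports the amplification ratio, then runs a per-source-IP query-rate limiter with a whitelist over a constructed query stream. All domain names, record contents, IP addresses and thresholds are assumptions chosen for illustration.

```python
"""
Added example, not code from the article or from any provider it names.
Builds a DNS ANY query and a constructed ANY response in wire format,
reports the amplification ratio, then runs a per-source query-rate limiter
with a whitelist over a constructed query stream. Names, record data,
addresses and thresholds are assumptions.
"""
import struct
from collections import defaultdict

QTYPE_ANY, QCLASS_IN = 255, 1                                   # RFC 1035 values
TYPE_A, TYPE_NS, TYPE_MX, TYPE_TXT, TYPE_AAAA = 1, 2, 15, 16, 28


def encode_name(name):
    """Encode a dotted name as length-prefixed labels (no compression)."""
    out = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234):
    """12-byte header + one question: the small packet the spoofed source 'sends'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # RD set, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def rr(name, rtype, rdata, ttl=3600):
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata


def build_any_response(name, txid=0x1234):
    """Constructed answer set of the kind an attacker picks: every record type the name has."""
    txt = b"v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"
    answers = [
        rr(name, TYPE_A, bytes([192, 0, 2, 10])),
        rr(name, TYPE_AAAA, bytes.fromhex("20010db8000000000000000000000010")),
        rr(name, TYPE_NS, encode_name("ns1." + name)),
        rr(name, TYPE_NS, encode_name("ns2." + name)),
        rr(name, TYPE_MX, struct.pack("!H", 10) + encode_name("mail." + name)),
        rr(name, TYPE_TXT, struct.pack("!B", len(txt)) + txt),
    ]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)  # QR|RD|RA
    question = encode_name(name) + struct.pack("!HH", QTYPE_ANY, QCLASS_IN)
    return header + question + b"".join(answers)


def amplification_ratio(name):
    """Bytes the server emits toward the spoofed source per byte the attacker sends."""
    return len(build_any_response(name)) / len(build_query(name))


def constructed_query_stream():
    """Constructed sample traffic, not real logs: (timestamp, src_ip, qname, qtype)."""
    events = []
    domains = ["example.com", "example.net", "example.org", "example.edu"]
    # Reflection flood: 40 ANY queries in one second, spread over several hosted
    # domains, all carrying the victim's address (203.0.113.5) as spoofed source.
    for i in range(40):
        events.append((i * 0.025, "203.0.113.5", domains[i % 4], QTYPE_ANY))
    # A busy but legitimate recursive resolver: 15 queries in the same second.
    for i in range(15):
        events.append((i * 0.066, "198.51.100.9", "www.example.com", TYPE_A))
    # A low-volume client that should never be limited.
    for i in range(3):
        events.append((i * 0.3, "198.51.100.2", "mail.example.com", TYPE_MX))
    return sorted(events)


def rate_limit(events, max_per_window, window, whitelist=frozenset()):
    """Fixed-window per-source-IP query limiter. Returns {src_ip: queries dropped}.
    Whitelisted sources are never dropped (the 'whitelist the false positives' step)."""
    seen = defaultdict(int)
    dropped = defaultdict(int)
    for ts, src, _qname, _qtype in events:
        if src in whitelist:
            continue
        key = (src, int(ts // window))
        seen[key] += 1
        if seen[key] > max_per_window:
            dropped[src] += 1
    return dict(dropped)


if __name__ == "__main__":
    q, r = build_query("example.com"), build_any_response("example.com")
    print(f"query {len(q)} bytes, response {len(r)} bytes, ratio {len(r)/len(q):.1f}x")
    print("dropped, no whitelist:", rate_limit(constructed_query_stream(), 10, 1.0))
    print("dropped, resolver whitelisted:",
          rate_limit(constructed_query_stream(), 10, 1.0, frozenset({"198.51.100.9"})))
```

Two things worth noticing when running it. First, the limiter keys on the source address, and in a reflection attack that address is the victim's, so per-source limiting throttles exactly the responses the attacker wants delivered; but a busy legitimate resolver that crosses the same threshold is cut off too, which is the false positive the Netregistry team describes. Second, a real authoritative server would truncate a 288-byte UDP answer unless the query advertises a larger buffer through an EDNS0 OPT record, which is why amplification attacks in practice include one; production response-rate-limiting features in servers such as BIND work on responses rather than queries and can send truncated answers so that genuine clients retry over TCP.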