Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/6/2009
08:59 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Register.com Suffered Massive Denial-of-Service Attack

Anyone dependent on domain name registrar and hosting company Register.com, for either hosting their Web site or e-mail, learned first hand the pain of a distributed denial-of-service attack.

Anyone dependent on domain name registrar and hosting company Register.com, for either hosting their Web site or e-mail, learned first hand the pain of a distributed denial-of-service attack.I'm not sure what time the attacks began, but I noticed I lost access to my e-mails that depend on Register.com starting Wednesday afternoon.

In fact, e-mail access didn't seem to normalize until Saturday.

I couldn't access my Web site, nor POP e-mail, nor Web mail.

Here's the e-mail Register.com sent to customers, Friday at about 5:00 PM:

Dear George,

Earlier today we communicated to you we were experiencing intermittent service disruptions as a result of a distributed denial of service (DDoS) attack - an intentionally malicious flooding of our systems from various points across the internet.

We want to update you on where things stand.

Services have been restored for most of our customers including hosting and email. However for some of our customers, services are not fully restored. We know this is unacceptable.

We are using all available means to restore services to every one of our customers and halt this criminal attack on our business and our customers' business. We are working round the clock to make that happen.

We are committed to updating you in as timely manner as possible, please check your inbox or our website for additional updates.

Thank you for your patience.

Larry Kutscher Chief Executive Officer Register.com

Problem is: I didn't receive any earlier notice on the availability issues. I had (barely) intermittent access to e-mail, and failed to be able to access Register.com on my several attempts.

As most of you are probably aware, a distributed denial-of-service attack is an attack where typically a few thousand (could be a few hundred, or even tens of thousands) systems are comprised with "bots." Those bots are instructed to swamp servers with so much bogus traffic that legitimate traffic can't get through.

Mid-afternoon on Saturday, Register.com provided the following update, stating that all of their web services were operational:

Please note we are not discounting the possibility of an escalated DDoS attack. We are taking every possible precaution to protect our infrastructure and our customers. In response we have:

- Deployed counter-measures to mitigate the attack and added capacity across the company's network - Setup special channels with major ISPs to re-enable customers' services - Isolated the profile of the attack through forensic data analysis - Engaged the FBI and The Department of Homeland Security

Bullets three and four seem like reasonable response to an attack to me. However, there's little excuse for a hosting company and e-mail provider to deploy D-DOS countermeasures after a D-DOS attack. These countermeasures would have already been on-the-ready. Ditto for special channels being setup with other ISPs for traffic failover.

Why would Register.com have been targeted for an attack? They're not saying. However, Brian Krebs at the Washington Post is on to one possible idea, and that's Register.com is/was the target of extortion. It's common for cyber-criminals to target gambling Web sites, for instance, with extortion attacks, though I'm not familiar with it being common among ISPs. Let's hope this isn't the beginning of a trend.

Let's also hope, if this is the case of extortion, that Register.com didn't pay up.

I wrote a cover story on Extortion Attacks a few years ago. It was an interesting story. Still is. And, unfortunately, online extortion is still a problem.

I'm not going to leave what business I currently give to Register.com because of this attack. That would be punishing one of the victims in this mess.

But I am disappointed that the company wasn't better prepared. And I will leave if there is a next time for exactly that reason.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.