Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

4/6/2009 08:59 PM
George V. Hulme
Commentary

Register.com Suffered Massive Denial-of-Service Attack

Anyone dependent on domain name registrar and hosting company Register.com, for either hosting their Web site or e-mail, learned first hand the pain of a distributed denial-of-service attack.

I'm not sure what time the attacks began, but I noticed I lost access to my Register.com-hosted e-mail starting Wednesday afternoon.

In fact, e-mail access didn't seem to normalize until Saturday.

I couldn't access my Web site, nor POP e-mail, nor Web mail.

Here's the e-mail Register.com sent to customers, Friday at about 5:00 PM:

Dear George,

Earlier today we communicated to you we were experiencing intermittent service disruptions as a result of a distributed denial of service (DDoS) attack - an intentionally malicious flooding of our systems from various points across the internet.

We want to update you on where things stand.

Services have been restored for most of our customers including hosting and email. However for some of our customers, services are not fully restored. We know this is unacceptable.

We are using all available means to restore services to every one of our customers and halt this criminal attack on our business and our customers' business. We are working round the clock to make that happen.

We are committed to updating you in as timely a manner as possible; please check your inbox or our website for additional updates.

Thank you for your patience.

Larry Kutscher
Chief Executive Officer
Register.com

Problem is, I didn't receive any earlier notice of the availability issues. I had (barely) intermittent access to e-mail, and couldn't reach Register.com's site on any of several attempts.

As most of you are probably aware, in a distributed denial-of-service attack a few thousand compromised systems (it could be a few hundred, or tens of thousands), each running a "bot" under the attacker's control, are instructed to swamp the target's servers with so much bogus traffic that legitimate traffic can't get through.

Mid-afternoon on Saturday, Register.com provided the following update, stating that all of its Web services were operational:

Please note we are not discounting the possibility of an escalated DDoS attack. We are taking every possible precaution to protect our infrastructure and our customers. In response we have:

- Deployed counter-measures to mitigate the attack and added capacity across the company's network
- Setup special channels with major ISPs to re-enable customers' services
- Isolated the profile of the attack through forensic data analysis
- Engaged the FBI and The Department of Homeland Security

Bullets three and four seem like a reasonable response to an attack to me. However, there's little excuse for a hosting company and e-mail provider to be deploying DDoS countermeasures only after a DDoS attack has begun. Those countermeasures should already have been in place and ready to go. Ditto for the special channels set up with other ISPs for traffic failover.
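The mechanics described above (bots swamping a target with bogus traffic) and the forensic profiling Register.com mentions in its update can be illustrated with a small triage script. This is an added example, not code from the original commentary or from Register.com: it parses constructed Apache/nginx combined-format access-log lines, flags source IPs whose request rate inside a sliding window exceeds a threshold, and then summarises the flagged traffic by /24 network and requested path, the kind of attack profile an operator hands to an upstream ISP to filter on. The addresses (RFC 5737 documentation ranges), thresholds and log lines are all assumptions made up for the example.

```python
"""Added example (not code from the original commentary or from Register.com):
first-pass triage of a volumetric HTTP flood from web server access logs.

Given combined-format access-log lines in chronological order, it (1) counts
each source IP's requests inside a sliding time window and flags sources that
exceed a rate threshold, and (2) summarises the flagged traffic by /24 network
and requested path. Log lines, addresses and thresholds are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def flag_flood_sources(lines, window_s=10, threshold=50):
    """Map each source IP to the peak number of its requests seen within any
    `window_s`-second window; return only sources whose peak exceeds `threshold`.
    Assumes lines arrive in chronological order, as a live access log does."""
    recent = defaultdict(deque)  # ip -> timestamps inside the current window
    peak = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dq = recent[rec["ip"]]
        dq.append(rec["ts"])
        # Slide the window: drop timestamps older than window_s seconds.
        while (rec["ts"] - dq[0]).total_seconds() > window_s:
            dq.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(dq))
    return {ip: n for ip, n in peak.items() if n > threshold}


def attack_profile(lines, flagged, top=3):
    """Summarise requests from flagged sources by /24 and by path, so that a
    filter can be expressed as network prefixes and request patterns."""
    nets, paths = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] not in flagged:
            continue
        net = ipaddress.ip_network(f"{rec['ip']}/24", strict=False)
        nets[str(net)] += 1
        paths[rec["path"]] += 1
    return {"networks": nets.most_common(top), "paths": paths.most_common(top)}


def build_sample_log():
    """Constructed sample: three bots in 203.0.113.0/24 each send 120 requests
    for "/" within six seconds; one legitimate client sends five requests a
    dozen seconds apart. Returned in chronological order."""
    base = datetime(2009, 4, 1, 14, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(120):
        for ip in ("203.0.113.7", "203.0.113.8", "203.0.113.9"):
            events.append((base + timedelta(milliseconds=50 * i), ip, "/", "Mozilla/4.0"))
    for i in range(5):
        events.append((base + timedelta(seconds=12 * i), "198.51.100.20", "/mail/inbox", "Mozilla/5.0"))
    events.sort(key=lambda e: e[0])
    return [
        f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
        for ts, ip, path, ua in events
    ]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    flagged = flag_flood_sources(SAMPLE_LOG)
    print("flood sources:", flagged)
    print("profile:", attack_profile(SAMPLE_LOG, flagged))
```

Run it directly to print the flagged sources and the profile. A per-source rate threshold catches the noisy bots in this sample, but a flood from tens of thousands of sources each sending a little traffic would slip under any single-IP threshold; that case needs the aggregate view (requests per network prefix, per path, per upstream) that the profile step produces, which is also what an ISP can act on.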

Why would Register.com have been targeted for an attack? They're not saying. However, Brian Krebs at the Washington Post is on to one possible explanation: that Register.com is, or was, the target of extortion. It's common for cyber-criminals to target gambling Web sites, for instance, with extortion attacks, though I'm not familiar with it being common among ISPs. Let's hope this isn't the beginning of a trend.

Let's also hope, if this is the case of extortion, that Register.com didn't pay up.

I wrote a cover story on Extortion Attacks a few years ago. It was an interesting story. Still is. And, unfortunately, online extortion is still a problem.

I'm not going to leave what business I currently give to Register.com because of this attack. That would be punishing one of the victims in this mess.

But I am disappointed that the company wasn't better prepared. And I will leave if there is a next time for exactly that reason.

 
