DNS Service Under DDOS Attack

A stubborn distributed denial-of-service attack is hammering away at a free DNS service and has disrupted tens of thousands of its customers.

A Domain Name Service (DNS) provider was knocked offline on Friday by a major distributed denial-of-service (DDOS) attack that re-emerged today.

EveryDNS, a provider of free managed DNS services, was able to get back online within an hour during the initial DDOS attack on Friday -- which was felt by some 100,000 customers of the service -- and had stopped the attack altogether by Saturday. But the attackers resumed their bombardment this morning and were still firing away at EveryDNS' servers at press time.

"They are just throwing random DNS packets at me... So it looks like a real request, but it's not," says David Ulevitch, founder of EveryDNS, a free DNS service. Ulevitch is also CEO of OpenDNS, which uses EveryDNS' domain name service.

OpenDNS' Website was down on Friday for about half an hour, but its recursive DNS service and its PhishTank anti-phishing site emerged unscathed, according to OpenDNS. (See A First Look Into the PhishTank.)

Meanwhile, the unknown attacker is currently generating tens of thousands of these fake DNS requests per second, Ulevitch says. Ulevitch would not comment on whether it was a botnet-driven attack or who may be behind it. He did say he believes the attack was probably directed at one of his DNS service customers.

"This attack was likely directed at a customer of mine that I did DNS for, and not my service directly."

EveryDNS' Website was down for about an hour on Friday, but it took about six hours to fully fix the ensuing problems with its DNS service customers. Ulevitch says he added more capacity and stepped up communication with the service's upstream providers.

The initial attack set off all of Ulevitch's pagers and monitoring system alarms. "Not to mention I was unable to log into any server through an in-band method." With the help of nLayer Networks, BitGravity, Hurricane Electric, the California Colocation Project, and renowned researcher Paul Vixie of ISC, Ulevitch was able to set up packet filters and expand capacity to fight the attack, he says.

And Ulevitch is busy battling the attack again today, although EveryDNS has remained up and running. "It was a 100 percent DNS attack. All of my nameservers are being targeted on Port 53 (the DNS port). It makes filtering quite a challenge."

So far, Ulevitch says he isn't sure what the attacker is after. "Attacking such a large DNS provider creates all sorts of collateral damage and is quite frustrating. Also, I'd be curious to know the motivations of the attacker."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Read more about:

2006
