A Toronto domain name management provider is recovering from a nasty distributed denial of service attack that hit DNS providers in at least three countries earlier this week.
easyDNS was a victim of an amplification attack, which sees servers of an organization used to amplify an initial small number of incoming queries with spoofed IP addresses into a large number of outgoing packets focused on a different target.
In this case, easyDNS CEO Mark Jeftovic said in an interview Wednesday, it seems the target was a customer of another DNS provider.
The attack, which according to Computerworld U.S also struck DNS providers in the U.S. and Australia, caused service disruptions starting Monday afternoon. In easyDNS’ case, it wasn’t tamed until around 5 a.m. Tuesday.
easyDNS provides domain registration, and DNS hosting services to a wide range of North American companies.
Jeftovic is a little embarrassed from the incident because he knew it was coming. “We think there was a test run against us on Sunday,” he said. While it was initially handled by his company’s DDoS migitation partners – who have techniques to filter and cleanse traffic – he suspected more was coming and alerted them to be ready.
But to his surprise when the attack came Monday afternoon the initial incoming bandwidth was minimal. It was the volume of outgoing packets that was the surprise, and because of the nature of the attack it was hard to distinguish real DNS queries from fake ones.
The real target, he believes, was an unknown customer of another DDoS mitigation company, SharkTech, which is based in Las Vegas. At first Jeftovic and his staff thought that customer was on the easyDNS system – sometimes a DDoS mitigation provider will point a customer at another DNS provider for domain name services, which is supposedly a no-no, Jeftovic said. However, he realized that wasn’t so.
In a blog to customers, Jeftovic said “this is hard to admit, but we got careless” in part by underestimating what was coming. “We should have better insight into DNS attack patterns,” he wrote “and we didn’t recognize this as an amplification attack until quite late into the game.”
Security professionasl and security vendors are struggling to keep up with creating tools to deal with these kinds of attacks, he said.
IT security staff of organziations are used to looking for malware, he said. But newer attacks are going after network nodes, like intrusion protection devices, so the capacity of every node may be a vulnerability. So nodal analysis has become vital, he said, but we don’t yet have the tools for it.
To protect customers for a similar attack, easyDNS is reconfiguring its nameservers with filters to handle it, provisioning additional mitigation gear through a provider, shifting the way it routes traffic through another mitigation provider and other techniques.
For customers, the company also says that if DNS availability is needed 24 hours a day organizations should subscribe to more than one DNS provider and have their own DNS servers.
“The next level of DNS redundancy is multiprovider,” he said. “You’ve got to have multiple redundancies now, and a coherent system to manage that.”
