easyDNS thought it knew what was coming, but the company was surprised when the international attack turned out to be something else

Toronto provider recovering from DDoS attack

A Toronto domain name management provider is recovering from a nasty distributed denial of service attack that hit DNS providers in at least three countries earlier this week.

easyDNS was a victim of an amplification attack, which sees servers of an organization used to amplify an initial small number of incoming queries with spoofed IP addresses into a large number of outgoing packets focused on a different target.

In this case, easyDNS CEO Mark Jeftovic said in an interview Wednesday, it seems the target was a customer of another DNS provider.

The attack, which according to Computerworld U.S. also struck DNS providers in the U.S. and Australia, caused service disruptions starting Monday afternoon. In easyDNS’ case, it wasn’t tamed until around 5 a.m. Tuesday.

easyDNS provides domain registration and DNS hosting services to a wide range of North American companies.

Jeftovic is a little embarrassed about the incident because he knew it was coming. “We think there was a test run against us on Sunday,” he said. While it was initially handled by his company’s DDoS mitigation partners – who have techniques to filter and cleanse traffic – he suspected more was coming and alerted them to be ready.

But to his surprise, when the attack came Monday afternoon, the initial incoming bandwidth was minimal. It was the volume of outgoing packets that was the surprise, and because of the nature of the attack it was hard to distinguish real DNS queries from fake ones.
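The signature described above (a trickle of spoofed queries in, a flood of large responses out, to addresses that never asked) can be picked out of an authoritative nameserver's own query log by comparing outgoing to incoming bytes per source. The following is an added example, not easyDNS's code; its log format, sample lines and thresholds are constructed.

```python
"""Added example: flag likely reflection/amplification sources in an
authoritative nameserver's query log.

On the reflector, amplification looks like repeated small queries that
claim to come from one source IP and draw large responses, so outgoing
bytes per source dwarf incoming bytes. Format and sample data constructed.
"""
from collections import defaultdict

# Constructed log lines: "<time> <src_ip> <qname> <qtype> <query_bytes> <response_bytes>"
SAMPLE_LOG = """\
12:00:01 203.0.113.7 example.net ANY 64 3200
12:00:01 203.0.113.7 example.net ANY 64 3200
12:00:01 203.0.113.7 example.net ANY 64 3200
12:00:01 203.0.113.7 example.net ANY 64 3200
12:00:02 198.51.100.20 www.example.net A 60 120
12:00:02 198.51.100.21 mail.example.net MX 62 140
12:00:03 198.51.100.22 example.net TXT 61 230
"""

def parse_log(text):
    """Yield (src_ip, qname, qtype, query_bytes, response_bytes) per line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines instead of crashing the detector
        _, src, qname, qtype, qbytes, rbytes = fields
        yield src, qname, qtype, int(qbytes), int(rbytes)

def find_reflection_sources(text, min_queries=3, min_ratio=10.0):
    """Return {src_ip: (query_count, bytes_out / bytes_in)} for sources
    whose query volume and amplification ratio both exceed the thresholds.
    A single legitimate resolver rarely sustains a ratio this high."""
    qsum, rsum, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, _qname, _qtype, qb, rb in parse_log(text):
        qsum[src] += qb
        rsum[src] += rb
        count[src] += 1
    flagged = {}
    for src in count:
        ratio = rsum[src] / qsum[src]
        if count[src] >= min_queries and ratio >= min_ratio:
            flagged[src] = (count[src], round(ratio, 1))
    return flagged
```

Sources flagged this way are the claimed (spoofed) victim addresses, which makes them candidates for response rate limiting on the nameserver rather than for blocking at the network edge.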

The mitigation partners did their part by scrubbing data, although additional capacity was needed. “We couldn’t bring it online fast enough,” Jeftovic recalled. By the time they did, the attack was under control.

The real target, he believes, was an unknown customer of another DDoS mitigation company, SharkTech, which is based in Las Vegas. At first Jeftovic and his staff thought that customer was on the easyDNS system – sometimes a DDoS mitigation provider will point a customer at another DNS provider for domain name services, which is supposedly a no-no, Jeftovic said. However, he realized that wasn’t so.

In a blog post to customers, Jeftovic said “this is hard to admit, but we got careless” in part by underestimating what was coming. “We should have better insight into DNS attack patterns,” he wrote, “and we didn’t recognize this as an amplification attack until quite late into the game.”

“We were expecting the same kind of DDoS attack (Monday)” after the initial thrust. “I thought so they hit us with this baby thing now, tomorrow they’ll come back with 15-20 Gigs and it will be a lot worse … and all the mitigations guys know what to do – rinse out all the bad traffic. But when they did come back it was the same but different.” Instead of being a high-volume attack, it was a connection attack with what looked like legitimate DNS traffic.

Coincidentally, this week a speaker at the Canadian Telecom Summit in Toronto warned that network availability has become the main issue for telecommunications providers because of similar attacks.

Carl Herberger, vice-president of security solutions at Radware Inc., said an increasing number of attackers are going after “little attributes that live in the cloud that represent cogs, that if removed the whole system falls down for that individual business.” These targets include authoritative DNS services or certificate authority services.

Security professionals and security vendors are struggling to keep up with creating tools to deal with these kinds of attacks, he said.

IT security staff of organizations are used to looking for malware, he said. But newer attacks are going after network nodes, like intrusion protection devices, so the capacity of every node may be a vulnerability. So nodal analysis has become vital, he said, but we don’t yet have the tools for it.

To protect customers against a similar attack, easyDNS is reconfiguring its nameservers with filters to handle it, provisioning additional mitigation gear through a provider, shifting the way it routes traffic through another mitigation provider, and other techniques.

For customers, the company also says that if DNS availability is needed 24 hours a day, organizations should subscribe to more than one DNS provider and have their own DNS servers.

“The next level of DNS redundancy is multiprovider,” he said. “You’ve got to have multiple redundancies now, and a coherent system to manage that.”
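One way to check for the multi-provider redundancy Jeftovic recommends is to group a zone's NS records by provider and by network, which is what the following added example does (it is not easyDNS's code). The NS hostnames and addresses are constructed, and the two-label provider heuristic is a simplification of what a Public Suffix List lookup would give.

```python
"""Added example: audit whether a zone's delegation spans more than one
DNS provider and more than one network. Records below are constructed."""
from collections import defaultdict
import ipaddress

# Constructed delegations: (nameserver hostname, IPv4 address)
SINGLE_PROVIDER = [
    ("dns1.provider-a.example", "192.0.2.10"),
    ("dns2.provider-a.example", "192.0.2.11"),
]
MULTI_PROVIDER = [
    ("dns1.provider-a.example", "192.0.2.10"),
    ("dns2.provider-a.example", "192.0.2.11"),
    ("ns1.provider-b.example", "198.51.100.5"),
]

def provider_of(ns_host):
    """Registrable domain of a nameserver hostname.
    Assumption: the last two labels identify the provider; a real audit
    would consult the Public Suffix List instead."""
    return ".".join(ns_host.rstrip(".").split(".")[-2:])

def audit_delegation(ns_records, min_providers=2):
    """Count distinct providers and distinct /24 networks behind the NS set.
    Redundancy requires both, since two names in one /24 share one fate
    when that network is saturated or withdrawn."""
    providers = defaultdict(list)
    networks = set()
    for host, ip in ns_records:
        providers[provider_of(host)].append(host)
        networks.add(ipaddress.ip_network(f"{ip}/24", strict=False))
    return {
        "providers": len(providers),
        "networks": len(networks),
        "redundant": len(providers) >= min_providers
        and len(networks) >= min_providers,
    }
```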

Asked if he’s ready for the next attack – which might not be the same – Jeftovic said his company learns from every incident. “There’s always something you learn from the last attack you’re glad you know.”