The beginning of July saw a set of DDoS (Distributed Denial of Service) attacks slamming at least three DNS hosting/ domain name management providers. It is believed that these attacks may have been related.
TPP Wholesale, easyDNS and DNSimple all reported temporary degradation and outages of DNS services believed to be the result of DDoS attacks.
The first victim, TPP Wholesale, experienced unscheduled service interruptions to eight of its servers. The security of Sydney-based Australian Netregistry Group, of which TPP Wholesale is a subsidiary, managed to mitigate the attack by rate-limiting DNS queries. Unfortunately, this process is somewhat prone to so-called false positives, and some innocent users were denied DNS services. The team proceeded to sort out the issue by going through results and white-listing false positives.
Victim number two, Toronto-based easyDNS, also experienced disruptions. According to a company spokesman, it appeared that this attack target the company itself, rather than just one of its clients. Finding it difficult to differentiate DDoS generated traffic from real traffic, teh company managed to at least partially mitigate the attack. Customers were also provided with a set of potential work-around options. The fact that the attacked was launched against easyDNS, as opposed to one of its clients, made isolation and mitigation of the issue a nightmare. This was not helped a great deal by the fact that the attack was also comparatively well constructed.
DNSimple is operated by Florida-based company Aetrion. Apparently, this attack used DNSimple’s authoritative name servers to amplify an attack targeted at a third-party, unnamed network. It appears that this attack used a technique known as DNS reflection. Known for some time, this technique roused renewed interest in attackers after it was used in other recent DDoS attacks of previously unheard of proportions. An example of such unprecedented attacks is the attack launched on Spamhaus, a spam-fighting organisation, in March.
According to a DNSimple spokesman, this latest attack on the service was undoubtedly significantly larger in both duration and volume than previous attacks experienced by the company. It is also believed that this attack was probably aimed at hosting company Sharktech and/ or one of its clients.
Apparently, a comparison of patterns involved in these three attacks suggested that they were related in some fashion. Although TPP Wholesale and easyDNS did not confirm that DNS reflection was used in the attacks launched against them, similarities between these attacks definitely exist, at least according to findings revealed by DNSimple.