ICANN hit by DDoS attack
If you noticed ICANN’s web site acting sluggishly or failing to respond at all last week, now you know why.
The site at icann.org was hit by a distributed denial of service attack on September 3 through September 4, according to a brief statement on the Org’s now-functional site.
ICANN identified a Distributed Denial of Service (DDoS) event that occurred on www.icann.org on 3 Sept. 2024. The situation was mitigated and service to ICANN’s website was restored on 4 Sept. 2024.
No additional information has yet been released on the size, duration or possible motivations behind the attack.
It’s the first security incident ICANN has judged significant enough to publicly disclose in over two years.
ICANN name servers come under attack
ICANN’s primary name servers came under a distributed denial of service attack, the Org said earlier this week.
The incident appears to have gone largely unnoticed outside of ICANN and seems to have been successfully mitigated before causing any significant damage.
ICANN said on its web site:
ICANN was subjected to a Distributed Denial of Service (DDoS) attack targeting NS.ICANN.ORG. This event did not result in harm to the organization. It was mitigated by redirecting traffic flows through a DDoS scrubbing service.
ns.icann.org is the address of ICANN’s name servers, which handle queries to ICANN-owned domains such as icann.org and iana.org.
The servers are also authoritative for Ugandan ccTLD .ug for some reason, and until a few years ago also handled the .int special-purpose TLD and sponsored gTLD .museum.
ICANN did not disclosed the exact date of the attack, nor speculate about whether it was targeted and why it might have happened.
Oracle buys Dyn just weeks after huge attack
Oracle has signed a deal to buy DNS services provider Dyn for an undisclosed amount probably in the nine-figure range.
The software giant said it plans to integrate Dyn’s services into its existing cloud computing platform. For the moment, existing Dyn customers are unaffected.
Dyn provides distributed DNS resolution services mainly to the enterprise market, where it has about 3,500 customers.
But it also provides redundant DNS to some TLD registries, notably Uniregistry.
Knowing how ruthlessly opportunistic Oracle can be when it comes to M&A, I have to wonder how much impact the recent denial of service attack against Dyn had on the timing of the deal being signed.
Dyn customers including Twitter and Netflix found themselves inaccessible for millions of North American internet users a couple of weeks ago.
Customers that may have been reconsidering their DNS options following the downtime may feel more reassured now that Dyn is about to become part of a much larger company.
While the acquisition price was not disclosed, it’s certainly going to be in the hundreds of millions.
Just six months ago, Dyn received $50 million in venture capital, following on from a $38 million round in 2012.
Uniregistry says it was unaffected by mother of all DDoS attacks
Almost 50 top-level domains were believed to be exposed to the massive distributed denial-of-service attack that hit Dyn on Friday, but the largest of the bunch said it managed to stay online throughout.
As has been widely reported in the mainstream and tech media over the last few days, DNS service provider Dyn got whacked by one of the biggest pieces of DDoS vandalism in the internet’s brief history.
Dyn customers including Netflix, Twitter, Spotify, PayPal and Reddit were reportedly largely inaccessible for many US-based internet users over the space of three waves of attack over about 12 hours.
The company said in a statement that the Mirai botnet was likely the attackers’ tool of choice.
It said that “10s of millions” of unique IP addresses were involved.
It has since emerged that many of the bots were actually installed on webcams secured with easily-guessable default passwords. XiongMai, a Chinese webcam manufacturer, has issued a recall.
In terms of the domain registry business, only about 50 TLDs use Dyn’s DynTLD service for DNS resolution, according to IANA records.
About half of these are tiny ccTLDs. They other half are Uniregistry’s portfolio of new gTLDs, including the like of .link, .car and .photo.
Uniregistry CEO Frank Schilling told DI that the Uniregistry TLDs did not go down as a result of the attack, pointing out that the company also uses its own in-house DNS.
“We like Dyn and think they have a great product but we did not go down because we also run our own DNS,” he said. “If we relied on them exclusively we would have gone down, but that is why we don’t do that.”
CNNIC hit by “largest ever” denial of service attack
Chinese ccTLD operator CNNIC suffered up to half a day of degraded performance and intermittent accessibility yesterday, after being hit by what it called its “largest ever” denial of service attack.
CNNIC is one of ICANN’s three Emergency Back-End Registry Operators, contracted to take over the running of any new gTLD registries that fail. It’s also the named back-end for seven new gTLD applications.
According to an announcement on its web site, as well as local reports and tips to DI, the first wave of DDoS hit it at about midnight yesterday. A second wave followed up at 4am local time and lasted up to six hours.
According to a tipster, all five of .cn’s name servers were inaccessible in China during the attack.
Local reports (translated) say that many Chinese web sites were also inaccessible to many users, but the full scale of the problem doesn’t seem to be clear yet.
China’s .cn is the fourth-largest ccTLD, with close to 10 million domains under management.
What the hell happened to Go Daddy last night?
Thousands — possibly millions — of Go Daddy customers suffered a four-hour outage last night, during a suspected distributed denial of service attack.
The company has not yet revealed the cause of the downtime, which started at 1725 UTC last night, but it bears many of the signs of DDoS against the company’s DNS servers.
During the incident, godaddy.com was inaccessible. DI hosts with Go Daddy; domainincite.com and secureserver.net, the domain Go Daddy uses to provide its email services, were both down.
The company issued the following statement:
At 10:25 am PT, GoDaddy.com and associated customer services experienced intermittent outages. Services began to be restored for the bulk of affected customers at 2:43 pm PT. At no time was any sensitive customer information, such as credit card data, passwords or names and addresses, compromised. We will provide an additional update within the next 24 hours. We want to thank our customers for their patience and support.
Several Go Daddy sites I checked remained accessible from some parts of the world initially, only to disappear later.
Others reported that they were able to load their Go Daddy webmail, but that no new emails were getting through.
This all points to a problem with Go Daddy’s DNS, rather than with its hosting infrastructure. People able to view affected sites were likely using cached copies of DNS records.
Close to 34 million domains use domaincontrol.com, Go Daddy’s primary name server, for their DNS. The company says it has over 10 million customers.
Reportedly, Go Daddy started using Verisign’s DNS for its home page during the event, which would also point to a DNS-based attack.
The outage was so widespread that the words “GoDaddy” and “DNS” quickly became trending topics on Twitter.
The web site downforeveryoneorjustme.com, which does not use Go Daddy, also went down as thousands of people rushed to check whether their web sites were affected.
Some outlets reported that Anonymous, the hacker group, had claimed credit for the attack via an anonymous (small a) Twitter account.
Companies the size of Go Daddy experience DDoS attacks on a daily basis, and they build their infrastructure with sufficient safeguards and redundancies to handle the extra traffic.
This leads me to believe that either yesterday’s attack was either especially enormous, or that somebody screwed up.
The fact that the company has not yet confirmed that external malicious forces were at work is worrying.
Either way it’s embarrassing for Go Daddy, which is applying for three new gTLDs which it plans to self-host.
Several reports have already speculated that the attack could be revenge for one or more of Go Daddy’s recent PR screw-ups.
The company has promised an update later today.
Chinese DDoS knocks 123-reg offline
Customers of major UK domain registrar 123-reg suffered a couple of hours of downtime this afternoon due to an apparently “massive” denial of service attack.
The attack targeted its DNS servers and originated in China, according to a report in The Register.
Users reported sites offline or with spotty availability, but the company managed to mitigate the effects of the attack fairly quickly. It’s now reporting mostly normal service.
123-reg, part of the Host Europe Group, has hundreds of thousands of domains under management in the gTLD space alone.
DNS Made Easy whacked with 50Gbps attack
The managed DNS service provider DNS Made Easy was knocked offline for 90 minutes on Saturday by a distributed denial of service attack estimated at 50Gbps.
This could be the largest DDoS attack ever. The largest I’ve previous heard reported was 49Gbps.
The company, which promises 100% uptime, tweeted that the attack lasted eight hours, but only saw one and a half hours of downtime.
Here are some tweets from the company, starting on Saturday afternoon:
Out of China. Over 20 Gbps…. Don’t really know how big actually. But it’s big. We know it’s over 20 Gbps
Update…. Over 50 Gbps… we think. Since core Tier1 routers are being flooded in multiple cities…..
Trying to organize emergency meeting with all Tier1 providers. We probably have over 50 senior network admins looking into this.
This is flooding the provider’s backbones. By far the largest attack we have had to fight in history.
And, post-attack:
The good: Not everyone was down, not all locations were down at once. The bad: There were temporary regional outages.
Almost back to normal in all locations. Full explanation, details, and SLA credits will be given to all users as soon as possible.
We did not see a 6.5 hour long outage. That would be ultra-long. DDOS attack was 8 hours. Less than 1.5 hours of actual downtime.
It will prove costly. The company’s service level agreement promises to credit all accounts for 500% of any downtime its customers experience.
Quite often in these cases the target of the attack is a single domain. Twitter and Facebook have both suffered performance problems in the past after attackers went after a single user for political reasons.
For a DNS provider, any single domain they host could be such a target. I’d be interested to know if that was the case in this incident.
Recent Comments