DNS Made Easy whacked with 50Gbps attack
The managed DNS service provider DNS Made Easy was knocked offline for 90 minutes on Saturday by a distributed denial of service attack estimated at 50Gbps.
This could be the largest DDoS attack ever. The largest I’ve previous heard reported was 49Gbps.
The company, which promises 100% uptime, tweeted that the attack lasted eight hours, but only saw one and a half hours of downtime.
Here are some tweets from the company, starting on Saturday afternoon:
Out of China. Over 20 Gbps…. Don’t really know how big actually. But it’s big. We know it’s over 20 Gbps
Update…. Over 50 Gbps… we think. Since core Tier1 routers are being flooded in multiple cities…..
Trying to organize emergency meeting with all Tier1 providers. We probably have over 50 senior network admins looking into this.
This is flooding the provider’s backbones. By far the largest attack we have had to fight in history.
And, post-attack:
The good: Not everyone was down, not all locations were down at once. The bad: There were temporary regional outages.
Almost back to normal in all locations. Full explanation, details, and SLA credits will be given to all users as soon as possible.
We did not see a 6.5 hour long outage. That would be ultra-long. DDOS attack was 8 hours. Less than 1.5 hours of actual downtime.
It will prove costly. The company’s service level agreement promises to credit all accounts for 500% of any downtime its customers experience.
Quite often in these cases the target of the attack is a single domain. Twitter and Facebook have both suffered performance problems in the past after attackers went after a single user for political reasons.
For a DNS provider, any single domain they host could be such a target. I’d be interested to know if that was the case in this incident.
Vixie declares war on domain name crooks
Bad news for domain name speculators?
Paul Vixie of the Internet Systems Consortium has plans to bring the equivalent of an anti-spam blacklist to the DNS itself.
The Response Policy Zones spec, drafted by Vixie and Vernon Schryver of Rhyolite, is designed to allow ISPs, for example, to block domains based on standardized reputation data.
In this blog post, Vixie writes that the next version of BIND will include the technology. ISC has also made patches available for those who want to test RPZ now.
This kind of technology has been available for mail servers for years, and can be found to an extent in desktop software and search engines, but RPZ would bake it into the DNS itself.
For users behind a recursive name server implementing RPZ, domains with bad reputations would either not resolve or would be redirected elsewhere.
It would not, however, provide a mechanism to wildcard non-existent domain data and bounce surfers to search/advertising pages. Many ISPs already do that anyway.
If you speculate at all in domain names, the opening paragraphs are probably the most interesting part of the post (my emphasis):
Most new domain names are malicious.
I am stunned by the simplicity and truth of that observation. Every day lots of new names are added to the global DNS, and most of them belong to scammers, spammers, e-criminals, and speculators.
I’m sure there’s a fair few law-abiding speculators reading this who won’t be happy being lumped in with criminals and spammers.
Luckily for them, Vixie said that the ISC will limit itself to providing the technology and the specification; it will not act as a reputation service provider.
The ISC is the Microsoft of the DNS, BIND its Windows, so we could expect a fairly broad level of adoption when the technology becomes available.
Vixie’s post, also published at CircleID, is well worth a read. If anything, it certainly goes a way to cement Vixie’s reputation as the grumpy old man of the DNS.
ICANN Brussels – some of my coverage
As you may have noticed from my relatively light posting week, it really is a lot easier to cover ICANN meetings remotely.
The only drawback is, of course, that you don’t get to meet, greet, debate, argue and inevitably get into drunken fist-fights with any of the lovely people who show up to these things.
So, on balance, I think I prefer to be on-site rather than off.
I was not entirely lazy in Brussels this week, however. Here are links to a few pieces I filed with The Register.
Cyber cops want stronger domain rules
International police have called for stricter rules on domain name registration, to help them track down online crooks, warning the industry that if it does not self-regulate, governments could legislate.
ICANN plans to give conditional approval to .xxx, the controversial top-level internet domain just for porn, 10 years after it was first proposed.
Governments mull net censorship grab
Governments working within ICANN are pondering asking for a right of veto on new internet top-level domains, a move that would almost certainly spell doom for politically or sexually controversial TLDs.
ICANN Brussels trending topics: security and control
Security and politicking over control of the domain name system’s critical functions emerged as key memes during the opening ceremony of ICANN’s 38th public meeting this morning, here in Brussels.
In a speech that addressed a few controversial topics, ICANN president Rod Beckstrom responded unapologetically to those who had criticised the fairly alarmist tone of his remarks about DNS security at ICANN 37, three months ago.
Directly addressing his Nairobi comments, Beckstrom said:
You may disagree with what I said, and openness to different viewpoints is what makes our community strong. Some have asked why I said what I did. Simple. I said it because I believe it is the truth. And more than twenty years of experience in risk management have taught me that in addressing highly complex systems, it is better to be more concerned about risk than less.
The ccTLD constituency – led by .uk and .au – had been concerned about Beckstrom’s warning in Nairobi, which was made at a meeting of the Governmental Advisory Committee, because they risked giving governments reason to interfere with their country’s ccTLD.
Beckstrom’s keynote addressed the risk of too much government control over the DNS, embodied currently in rumblings about another International Telecommunications Union power grab, with a call to action for all those who support ICANN’s model.
We must face the fact that governments control these institutions. Given the serious proposals for an alternative to our bottom-up, multi-stakeholder model, we must redouble our efforts to support it if we are to protect the global public interest. All our stakeholders must step up to the plate and defend our common interest.
We will of course work closely with the Governmental Advisory Committee. But we need the active involvement of all stakeholders. We need your help, through every means available to you, to counter the misinformation and ensure that governments understand what is at stake when these issues are debated in the UN General Assembly later this year.
Beckstrom’s sentiments on security were echoed by both European Council President Herman Van Rompuy and, in a recorded address, European Commissioner for competition Neelie Kroes.
Kroes, in particular, seemed keen to marry the ideas of security risks and control over the internet’s crucial policy-making functions.
I am hopeful that the expiry of the IANA contract next year will be turned into an opportunity for more international cooperation servicing the global public interests.
But don’t misunderstand me. The internet’s day to day functioning works well, and I’m the first to say that if it isn’t broken don’t fix it. We all have an interest that this wonderful platform for innovation, entrepreneurship and free expression works perfectly well at a technical level. It is a great adventure that must continue to flourish. Yet, does it mean all is well in the cyber world?
Take the issue of security and resilience. We need to fight against spam, identity theft, phishing and other evolving types of crime on the internet. Both the public and private sectors have a joint obligation to act. And that approach has to go hand in hand with ensuring the internet itself is not vulnerable to any large-scale failure, whether as a result of an accident of a deliberate attack.
As I type, Beckstrom is hosting a panel discussion with Whit Diffie, Paul Mockapetris, Steve Crocker and Dan Kaminsky on DNS vulnerabilities in front of a packed audience.
More WordPress attacks at Go Daddy
The Kneber gang has continued its attacks on Go Daddy this week, again targeting hosting customers running self-managed WordPress installations.
Go Daddy said that several hundred accounts were compromised in order to inject malicious code into the PHP scripts.
“The attack injects websites with a fake-antivirus pop-up ad, claiming the visitor’s computer is infected,” Go Daddy security manager Scott Gerlach blogged.
According to the alarmists-in-chief over at WPSecurityLock, the attacks place a link to a script hosted on cloudisthebestnow.com, a domain registered by “Hilary Kneber”.
The script attempts to install bot software on visitors’ machines.
As I’ve written before, the Kneber botnet has been running since at least December 2009. It generally hosts its malware on domains registered with ICANN-accredited BizCN.com, a Chinese registrar.
Go Daddy said it has contacted the registrar to get the domain yanked. It may have been successfully killed already, but I’m too much of a little girl to check manually.
I must confess, as somebody with a number of WordPress installations on Go Daddy servers, it makes me a little nervous that these attacks are now well into their second month and I still don’t know whether I should be worried or not.
ICANN staff need to get their pee tested
I imagine it’s a pretty hard job, largely thankless, working at ICANN. No matter what you do, there’s always somebody on the internet bitching at you for one reason or another.
The job may be about to get even more irksome for some staffers, if ICANN decides to implement new security recommendations made by risk management firm JAS Communications.
In a report published yesterday, JAS suggests that senior IANA staff – basically anyone with critical responsibilities over the DNS root zone – should be made to agree to personal credit checks, drug screening and even psych evaluations.
To anyone now trying to shake mental images of Rod Beckstrom peeing into a cup for the sake of the internet, I can only apologise.
This is what the report says:
JAS recommends a formal program to vet potential new hires, and to periodically re‐vet employees over time. Such a vetting program would include screening for illegal drugs, evaluation of consumer credit, and psychiatric evaluation, which are all established risk factors for unreliable and/or malicious insider activity and are routinely a part of employee screening in government and critical infrastructure providers.
I’ve gone for the cheap headline here, obviously, but there’s plenty in this report to take seriously, if you can penetrate the management consultant yadda yadda.
There are eight other recommendations not related to stoners running the root, covering contingencies such as IANA accidentally unplugging the internet and Los Angeles sinking into the Pacific.
Probably most interesting of all is the bit explaining how ICANN’s custom Root Zone Management System software, intended to reduce the possibility of errors creeping into the root after hundreds of new TLDs are added, apparently isn’t being built with security in mind.
“No formal requirements exist regarding the security and resiliency of these systems, making it impossible to know whether the system has been built to specification,” the report says.
It also notes that ICANN lacks a proper risk management strategy, and suggests that it improve communications both internally and with VeriSign.
It discloses that “nearly all critical resources are physically located in the greater Los Angeles area”, which puts the IANA function at risk of earthquake damage, if nothing else.
JAS recommends spreading the risk geographically, which should give those opposed to ICANN bloat something new to moan about.
There’s a public comment forum over here.
UPDATE (2010-06-13): As Michael Palage points out over at CircleID, ICANN has pulled the PDF from its web site for reasons unknown.
On the off-chance that there’s a good security reason for this, I shall resist the temptation to cause mischief by uploading it here. This post, however, remains unedited.
Go Daddy plays down “massive” attack claim
Malicious hackers have compromised a number of WordPress installations running on Go Daddy hosting, but the company claims very few customers were affected.
Slashdot carried a story a few hours ago, linking to a blog claiming a “massive” breach of security at the domain name registrar.
(EDIT: as noted in the comments, this blog may itself have been hacked, so I’ve removed the link. You can find it in the comments if you want to take the risk.)
But Go Daddy says the problem is not as widespread as it sounds.
“We received reports from a handful of Go Daddy customers using WordPress their websites were impacted by the script in question,” Go Daddy security chief Todd Redfoot said in a statement.
“We immediately opened an investigation into what happened, how it was done and how many sites were affected,” he said. “The investigation is currently ongoing.”
The attack is certainly not ubiquitous. I host a number of WordPress sites with Go Daddy, including this one, and they all appear to be working fine today.
And a Twitter search reveals no references to an attack today prior to the Slashdot post, apart from the blog it was based on.
That doesn’t prove anything, but when Network Solutions’ WordPress hosting was breached last week there was a lot more tweet noise. That attack had thousands of victims.
For those interested in the details of the attack, this WordPress security blog appears to be the best place to get the nitty-gritty.
Network Solutions under attack again
Network Solutions’ hosting operation is under attack for the second time in a week, and this time it’s definitely not a WordPress problem.
The company has acknowledged that it has “received reports that Network Solutions customers are seeing malicious code added to their websites”, but has not yet released further details.
Sucuri.net, which was intimately involved in the news of the hack against NSI’s WordPress installations last week, blogged that this time the attacks appear to have compromised not only WordPress, but also Joomla-based and plain HTML sites.
Last week’s attacks were eventually blamed on insecure file permissions, which enabled shared-server hosting customers to look at each other’s WordPress database passwords.
But today NSI, one of the top-five domain name registrars, said: “It may not be accurate to categorize this as a single issue such as ‘file permissions’.”
Sucuri said that malicious JavaScript is being injected into the sites, creating an IFrame that sends visitors to drive-by download sites.
It’s a developing story, and not all the facts are out yet.
But it’s clear that NSI has a public relations problem on its hands. Some customers are already using Twitter to declare that they will switch hosts as a result.
And if it’s true, as Sucuri reports, that Google is already blocking some of the affected sites, who can blame them?
WordPress founder criticizes NSI’s security
WordPress founder Matt Mullenweg had a few harsh words for top-five domain registrar Network Solutions today, after a whole bunch of NSI-hosted blogs were hacked over the weekend.
It appears that NSI’s web hosting operation, which includes a one-click WordPress installation service, was failing to adequately secure database passwords on shared servers.
Or, as Mullenweg blogged: “A web host had a crappy server configuration that allowed people on the same box to read each others’ configuration files.”
WordPress, by necessity, stores its database passwords as plaintext in a script called wp-config.php, which is supposed to be readable only by the web server.
If the contents of that file are viewable by others, a malicious user could inject whatever content they like into the database – anything from correcting a typo in a blog post to deleting the entire site.
That appears to be what happened here: for some reason, the config files of WordPress blogs hosted at NSI gave read permissions to unauthorized people.
The cracker(s) who noticed this vulnerability chose to inject an HTML IFrame into the URL field of the WordPress database. This meant visitors to affected blogs were bounced to a malware site.
Mullenweg is evidently pissed that some news reports characterized the incident as a WordPress vulnerability, rather than an NSI vulnerability.
NSI appears to have corrected the problem, resetting its users’ database passwords as a precaution. Anybody making database calls in custom PHP, outside of the wp-config.php file, is going to have to go into their code to update their passwords manually.
Beckstrom: DNS is under attack
ICANN chief Rod Beckstrom has come in for a bit of criticism over “inflammatory” comments he made at the Government Advisory Committee meeting on Tuesday.
The headline quote: “The domain name system is more fragile and vulnerable today than it has ever been. It could stop at any given point in time, literally.”
Beckstrom described a DNS on its knees, then pointed the finger at unspecified nations for DNS abuses allegedly happening within their virtual borders, and said he would be writing to GAC members for more information and advice.
It was part call to arms, part Chicken Little.
If you missed it, here’s a full transcript. (continue reading)
Recent Comments