Network Solutions Under Large-Scale DDoS Attack

netizen writes "CircleID is reporting a large-scale DDoS attack affecting all of Network Solutions' name servers for the past 48 hours, potentially affecting millions of websites and emails around the world hosting their domain names on the company's servers. The NANOG mailing list indicates that it is due to a very large-scale UDP/53 DDoS which Network Solutions has also confirmed: 'There is a spike in DNS query volumes that is causing latency for the delay in web sites resolving. This is a result of a DDOS attack. We are taking measures to mitigate the attack and speed up queries.""

One must ask...

[Anonymous Coward]

Does Network Solutions have any network solutions?

Re:

[Anonymous Coward]

Does Network Solutions have any network solutions?

Be economical:

Does Network Solutions have any?

hummm

[WillRobinson]

Rebooted the DNS server today cause things seemed funny ... maybe this is what it really was.

Re:hummm

[Anonymous Coward]

Rebooting is what you do to Windows boxes. Unix is what you use for important things like DNS.

mistatement

[WillRobinson]

Actually I did change the forwarders and restarted the service, no reboot, just a bad description.

Re:

[MoogMan]

Way to go generic statement man!

A redundant architecture is what you use for important things like dns, which reduces the impact of the decision of what OS you use.

Many (inexperienced) linux admins like to reboot their boxen too remember

Re:

[nabsltd]

Many (inexperienced) linux admins like to reboot their boxen too remember

I've seen many times when issues required a reboot of a *nix machine.

The latest one I'm dealing with is a machine that completely drops off the network (no pings, etc.). Restarting services has no effect, so we suspect it is hardware, but that doesn't make a lot of sense, because the obvious culprit (the network cards) have physical redundancy and pass all diagnostics. We've also swapped out cards, but still see the same thing. The next step is to move to a card that uses a different driver, but that's s

Re:

[amorsen]

Check for messages about IRQ's being disabled. Do the counters in ifconfig keep counting?

Restarting services is unlikely to help.

Re:

[WillRobinson]

Do not know what your really talking about, been self employed for 8 years. Have a mix of windows and linux systems, which are really for my own needs.

Sorry no job security here. Its do or die.

Re:

[ScrewMaster]

Sorry no job security here. Its do or die.

I had a consulting business for about fifteen years ... yeah, it's do-or-die all right. But as my father used to say (he ran several engineering and consulting businesses in his life) "it's the life if you can handle it."

Re:

[symbolset]

The best opportunity shares space with the greatest risk.

Re:

[innerweb]

"it's the life if you can handle it."

Let me suggest "it's the life if your family can handle it.".

InnerWeb

Re:

[ScrewMaster]

"it's the life if you can handle it."

Let me suggest "it's the life if your family can handle it.".

InnerWeb

Yes and no. I know what you're saying, and generally speaking you're entirely correct. On the other hand, there's a distinct lack of employment stability in the tech world right now. I might add that there are a lot of people who like it that way (mostly upper management types.) Decent benefits are on the way out, job security is a thing of the past: really, few of us are comfortable with our corporate futures.

So yes, you may have a job ... but for how long? At least my father (and I, once I followed in

Slashdotting will help how?

[nwf]

Nice we can link to something in their domain to further add to the DNS traffic! Maybe someone could find a link to download some huge file from their servers, too!

Re:

[narcberry]

Seeing as they are the .com owner (and others), you'd have a hard time NOT impacting their DNS servers.

Re:Slashdotting will help how?

[epiphani]

Hi! You're wrong. That would be Verisign.

This is DNS hosting provided by Network Solutions for people who buy domains from them and choose to have them host the DNS rather than host it themselves.

Thanks for playing.

Re:

[narcberry]

*pssst* Verisign owns Network Solutions owns .com

Re:

[Phroggy]

*pssst* Verisign owns Network Solutions owns .com

That hasn't been true in years.

NSI originally operated the .com/net/org/edu registry and was the sole registrar; after they started allowing competing registrars, Verisign bought NSI, then Verisign spun off NSI as a registrar but kept the registry. NSI now competes on even footing with other registrars (except NSI's customer base dates back to before competition existed).

I'm tired, I'll let somebody else correct my oversimplifications and misstatements. :-)

Fire! Fire! Fire!...OMG! Mushroom clouds!!

[rts008]

Well, in the firearms manufacturing industry it is called Proof Testing [wikipedia.org], and is a good thing.

But you might still want to don some protective gear, maybe find a fallout shelter, etc....*alarms sound* Warning! Servers going critical! Eject the warp core immediately! Warning! Servers g

Re:

[poopdeville]

Maintain a cache of domain records from an authoritative source (which can be itself, in the case of the 11 root servers or internal network domain name servers).

Oh, you were trying to make the GP look dumb. Failure.

Shashi B at Network Solutions

[shashib]

Here is a update that we posted on the Network Solutions Blog (http://cli.gs/GEWSs0) : DNS queries for web sites should be responding normally. Thank you all for your understanding. As always, we will continue to work to take measures to prevent these and other types of technical issues caused by third parties that may impact our customers. Thanks, ShashiB

Re:

[TheSeer2]

A shortened url? On /.?

http://blog.networksolutions.com/2009/potential-latency-on-network-solutions-dns/ [networksolutions.com]

Re:

[symbolset]

Can we blame W32.Conflicker yet or do we have to wait?

Does this DDoS run Linux or OS-X?

Really. We want to know.

Re:

[sloth jr]

It really and truly doesn't matter; ultimately, the cause of this are misanthropes, regardless of the platform used to amplify this attack.

Re:

[symbolset]

Yeah, it's got nothing to do with open ports and autorun enabled by default. That would be crazy talk.

Re:

[kitgerrits]

On a serious matter:

Thanks for stopping by in person for the heads-up.

I Appreciate it.

Re:

[kisielk]

Thanks for informing us on your blog. However, it's a little bit too little too late. We were trying to track down the problem with our network services for a while yesterday before we clued in that it was an NS problem and had to call to verify. How about some way of directly notifying your customers immediately when there are problems like this? A low-volume notification-only mailing list? A more filtered blog? No I'm not interested in reading about "Solutions Out Loud Podcast Episode #6 - âoeThe Ina

Re:

[shashib]

You mean a RSS feed for service notifications only? Good idea. Let me work on that.

perfect

[Anonymous Coward]

A perfect opportunity to use that normally B.S. excuse: "Why, no, I didn't get your email. Must've been because of that DDoS attack on the name servers."

The Beginning?

[RichM]

In theory, this could be the true intentions of Conficker [theregister.co.uk].

Re:The Beginning?

[Rayban]

Damn whoever first started spelling that as "Cornfucker". I keep seeing that now - just waiting to say it accidentally.

Someone should be fired!

[bogaboga]

I thought such attacks were a thing of the past. I am disappointed. But on a serious note, is there a way to completely "immunize" oneself against such attacks? If so, where is the howto?

Re:Someone should be fired!

[ColdWetDog]

is there a way to completely "immunize" oneself against such attacks? If so, where is the howto?

I've heard that unplugging the network cable works OK.

Re:

[timmarhy]

you can't prevent them. they come from legit clients that have been infected with a virus. you can block the traffic by dropping traffic that matches the attach pattern, that's about it.

Re:Someone should be fired!

[Anonymous Coward]

Do you even know what a DDoS attack is?

If you did, you'd realize you can't both operate a service online, and be immune. The two things are mutually exclusive.

The best you can do is slap the attack down when you see one happening. Even that isn't exactly easy. Banning a few million IP addresses tends to be a problem all by itself.

Re:

[Charles Dodgeson]

is there a way to completely "immunize" oneself against such attacks? If so, where is the howto?

I understand that you can purchase protection against such things. The Russian Business Network would be a good place to start. After all, in Russia the criminals protect you.

Re:

[epiphani]

I thought such attacks were a thing of the past. I am disappointed. But on a serious note, is there a way to completely "immunize" oneself against such attacks? If so, where is the howto?

tl;dr: no.

You can do quite a bit to reduce the risk and react well to the situation, but as long as you're on the internet and there are botnets, DDOS is possible. It might even look like too much "normal" traffic. Given this is a DNS attack based on DNS traffic, its quite possible the only reason they know its a DDOS is

Re:

[bogaboga]

I know bad guys have tried to take on Google at some point in its history. Have they ever succeeded to any extent? After all nobody is "immune."

Re:

[inKubus]

Easy:

cat "216.34.181.45 slashdot.org" >> /etc/hosts

Any other questions?

Re:Someone should be fired!

[totally bogus dude]

...and so ends the era of "useless use of cat"; now begins the era of "completely nonsensical attempt to use cat".

Re:

[inKubus]

Haha, my bad.

I've been catting ssh public keys >> into authorized_keys a lot lately..

Re:

[kitgerrits]

There are 2 ways I use cat like that:
1/ 'sudo cat'
2/ as placeholder for another program (awk/grep/head/tail)

I realize that those programs also allow the use of stdin, but It still find if convenient.

Nasty apppend-as-root hack (>>): 'sudo tee -a'

Re:

[cloudmaster]

Other than "why do you have a filename which contains a space" and "what's in that file"? :)

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[passion]

Not quite - you're thinking of older versions. Modern versions of Peakflow are teamed with TMS (Threat Management System), which allow you to mitigate DDoS attacks.

From their website, "Surgical Mitigation Arbor Peakflow SP TMS enables you to automatically detect and surgically remove only the attack traffic while maintaining legitimate business traffic â" thereby ensuring the highest level of customer satisfaction."

http://www.arbornetworks.com/en/threat-management-system.html [arbornetworks.com]

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[something_wicked_thi]

Not if it's him getting fired. Maybe that's what he meant.

Re:

[VeNoM0619]

Someone should be fired!
I thought such attacks were a thing of the past. I am disappointed. But on a serious note,

Notice emphasis. Detect the sarcasm. Calm thyself!

Tuesday

[Ice Wewe]

This happened Tuesday and Network Solutions has restored service, therefore, this story is moot.

http://blog.networksolutions.com/2009/potential-latency-on-network-solutions-dns/ [networksolutions.com]

Downright Gibsonian

[thered2001]

Man, am I getting old. This shit used to be relegated to print sci-fi, now its reported like the weather. The first thing I'm thinking is "will this prevent me from working from home on Monday?"

I'll do to the only thing I can think of: I'll invoke a friendly spirit: "Wintermute! Help us!"

Re:

[franl]

Hmm. Was Wintermute truly friendly? Time to re-read that book.

Re:

[thered2001]

You're right, he wasn't friendly. I seem to recall that, like HAL9000, he was mostly doing what he was programmed to do.

Neuromancer

[rdwulfe]

*spoiler alert* - but if you haven't read these books yet, you're either very young, or not a geek. Wintermute was trying to overcome his programming, which was keeping him and Neuromancer separate. I believe. It's been a long while since I read the books.

Re:Downright Gibsonian

[zappepcs]

You might be getting old, but reporting malicious attacks like the weather is a good thing. Some will get tired of it, but the good thing is that perhaps the average joe public user will become aware of how vulnerable their on-line experience and computer are. Fighting DDoS attacks has been done successfully, but it takes a lot of work, and a lot of hardware. There are a couple of stories on the Internet about such.

The most recent botnet reports show that 100s of millions of PCs are infected with via a MS vulnerability [scmagazineus.com] that was fixed with a patch last year.

We need to see the awareness level increased, and some serious attention to detail on the patch/upgrade cycles.

Re:

[thered2001]

If I had mod points right now, I'd boost your reply beyond mine. My quip elicited your insightful reply...hopefully, it gets the attention it deserves.

Re:

[zappepcs]

It's just a thought, but if schools can start teaching geeks/nerds how to be social [slashdot.org], teaching others how to manage their pc is probably not far off in the future.

Re:

[sashang]

You're not old - your slashdot id is greater than 1 000 000

Re:

[thered2001]

True w/r/t /. but I'm over 22.6 mega-minutes in age. THAT probably makes me older than many here.

Re:

[Cybersonic]

this thread makes me feel ooooooold

Re:

[Culture20]

The first thing I'm thinking is "will this prevent me from working from home on Monday?"

And if it did, would physically being at work be any better? Some people's jobs are heavily dependent on the internet, not work's intranet.

A teen geek reminiscence

[Fantastic Lad]

I was just thinking yesterday about how the humble virus had grown. I was wowing over the Amiga 500 my friend's older brother had bought (with his very own money!), when said older brother caught us creeping around in his room.

But instead of tossing us out like the brats we were, he came in and fired it up to show it off to us in a casual display of older-geek coolness I was deeply impressed by. The guy was hard core, heading off to study at MIT in a few months time. The best I'd ever done for geek-cred

That would explain the surge in DDoS spray packets

[Swordfish]

That would help to explain the surge in this kind of thing in the last few days.

15:07:13.666770 IP 63.217.28.226.17498 > 158.64.65.65.53: 36407+ NS? . (17)
15:07:13.750783 IP 63.217.28.226.61231 > 158.64.65.65.53: 46118+ NS? . (17)
15:07:13.831834 IP 63.217.28.226.44626 > 158.64.65.66.53: 51544+ NS? . (17)

Except that that source IP address doesn't look like a Network Solutions address to me.

Is it possible that there is a DDoS technique where the source IP addresses on DNS packets to 3rd party DNS servers are spoofed so as to generate the appearance of an attack from a different source? I guess that's what they're saying. But it doesn't seem to multiply the power of an attack much. They just get 17 bytes of DNS response from each 17 byte request.

It's all a bit confusing really....

Re:That would explain the surge in DDoS spray pack

[epiphani]

The problem seems to kick in for DNS servers that arent rejecting the queries. Someone is channeling ye 'ole smurfing methods.

They're requesting a list of all DNS root servers. If the server don't reject the query, a 17 byte query becomes a 50k response (or something like that) to the spoofed address.

Re:

[Onymous Coward]

a 17 byte query becomes a 50k response (or something like that)

I haven't tried to figure out the exact numbers, but my tcpdump files of a root NS query and its response have been about 100 and 300 bytes respectively.

Oh, here: dig reports "MSG SIZE rcvd: 300".

Still, a DNS amplification attack. (Not a smurf attack, though that's another reflection/amplifcation attack, but it's specifically with pings.)

Re:

[nairnr]

I saw a whole bunch of requests that my DNS server was rejecting. I think for your computer to have been part of the problem it needed to allow recursive DNS queries for the public. I was watching my logs and banned the IP's when I saw them.

I was getting a lot of messages that looked like named[2476]: client xx.xx.xx.xx#22707: view external: query (cache) './NS/IN' denied

Re:

[Spit]

Don't block the requests, the requester IP is spoofed so that DNS servers which respond with root hints forward them to the innocent party, causing DoS. Vlocking the IP just blocks the innocent party's DNS servers. Just make sure that you don't respond external recusive queries.

Re:

[Glendale2x]

It's a spoof. The attacker sends requests to lots of different nameservers with a spoofed return address. Those servers respond to that address as normal. The target suddenly gets a lot of DNS traffic from all over the place. Instant amplification attack.

(Gross simplification, but it's late and someone else can explain the details.)

Re:

[Lennie]

It's a spoof but not the problem network solutions has/had

Re:That would explain the surge in DDoS spray pack

[Onymous Coward]

It's a reflection attack. Send a small query that requires a bigger answer to a bunch of nameservers. Spoof the source address for the query.

Here's what I'm seeing of this attack [do.un.to].

netsol != isprime

[Anonymous Coward]

what the hell does this have to do with netsol? the traffic from this ddos is originating from isprime and something called "beyond the network inc", both american companies.

Re:

[viscous]

Indeed, this doesn't seem to have any connection to the Network Solutions problem. It looks like another DDoS attack that just happens to be taking place at the same time. There may be some devious connection between the two, but nobody seems to be making that case.

(And of course nothing is "originating from isprime" -- those source addresses are forged.)

Re:

[Cally]

Exactly. The attacker spoofs UDP DNS queries and sends them to third-party DNS servers. They respond to the spoofed, victim's nameservers. The idea is that the attacker sends a small packet which induces a large response ('amplification') from the third party to the victim.

Incidentally when did Network Solutions change their name to "IsPrime"?

Making available legal doctrine means MS must pay!

[Swordfish]

Now correct me if I'm wrong, but if the mafiaa's legal theory on "making available" is right, doesn't that mean that any company which makes available software which is easy to turn into a DoS zombie should be held liable. And the people who let their computers become zombies should be held liable for making their machines available to become zombies.

Not only that, those made-available computers actually _are_ exploited for evil acts.

So aren't the purveyors of dodgy software liable for damage caused by DDoS

Re:Making available legal doctrine means MS must p

[eggman9713]

Except that in many jurisdictions the criminal activity of others cuts off liability. IE if Microsoft provides software, and someone else exploits it, the criminal activity of the third party cuts off liability to Microsoft.

Re:Making available legal doctrine means MS must p

[bigsteve@dstc]

Now correct me if I'm wrong ...

OK.

The RIAA's legal theory is in the context of copyrights and illegal copying. It simply does not apply here. Microsoft own the copyright on their stuff, so they are free to make it available.

Re:

[evanbd]

First, said doctrine is not correct even in the intended context.

Second, just because you can use some of the same words does not mean that your armchair legal theory has anything to do with their legal theory. That said, it is equally correct (which is a nice way of saying wrong).

Re:

[jabithew]

I think it is still an interesting question to consider if there is any liability to Microsoft for damage caused by a virus hosted on their OS.

My instinct is that there isn't, as it is perfectly possible to run Windows virus-free, with varying levels of difficulty. Also, in this case Microsoft made a patch available, so the OS as provided by Microsoft is immune to the attack.

Re:

[shentino]

MS isn't going to be liable until they are, either by law or contract, obliged to third parties not to make an infectable OS.

I'd like resilience to viruses be a required safety feature, much like guards are in heavy machinery, and I would also like lack of said resilience be a case of product liability.

Given how deep MS probably is in the pockets of congressmen, I doubt they'll get any such standard laid upon them.

Comment removed

[account_deleted]

Comment removed based on user account deletion

I wonder if this is related..

[Anonymous Coward]

I wonder if this is related to this http://isc.sans.org/diary.html?storyid=5713 [sans.org]

This is not too hard to solve.

[John Sokol]

http://www.dnull.com/dos/DOS-Block.htm [dnull.com]

**sigh**

Re:

[John Sokol]

So what, it's 2001. Does that somehow make it less valid? If your right your right, 10 minutes or 10 years doesn't change that.

It's my article, and it will work, even it they choose to keep letting things like this happen.

At some point we will have to implement something, but the longer they put it off, the harder it will be to fix later.

Re:

[John Sokol]

Great stuff.
But you prove my point even further then.
  Didn't you...
  So it's even more embarrassing that there are RFC already out there to solve this and they choose not to implement this.

I don't claim to be the first to figure this out.
I didn't even bother to research it, just put my idea out there for what ever it's worth back in 2001.

Citation needed?

[Eunuchswear]

Slasdot sez: [slashdot.org]

CircleID is reporting a large-scale DDoS attack [circleid.com] affecting all of Network Solutions' name servers

And at http://www.circleid.com/posts/20090123_network_solutions_down_ddos_attack/ [circleid.com] we find:

Other sources: UPDATED Jan 23, 2009 7:26 PM PST
[...]
Network Solutions Under Large-Scale DDoS Attack [slashdot.org], Jan.23.2009

...argh! non-halting loop detected! They've ddos'd the web!

Obligatory quote

[Torodung]

A communications disruption can mean only one thing...

Keep your eyes peeled for those Trade Federation landers. [mamselle.ca]

(Yeah, just kidding. Here's the real page. [starwars.com])

--
Toro

Just kidding, here's the REAL link

[Torodung]

http://starwars.wikia.com/wiki/C-9979_landing_craft [wikia.com]

Bet you thought I should turn in my geek card, eh?

--
Toro }B^>

Good

[nurb432]

Netsol sux anyway.

Anyone else notice how they send out notices with the FROM: address forged as the TO address? Most people would get sued for fraud.

Re:

[mattr]

I moved a domain from netsol in January and let me tell you it was like pulling teeth. The non-existent control panel button, the "security" which secures them against you, the sales rep on the phone who passes you on, each person initiating a new sales pitch... only got them to move at all by threatening to report them. I used them for 10 years and knew they were tough to like but never again. FWIW Mom uses GoDaddy, and for hosting I like linode.com or anybody else.

Re:

[nurb432]

I moved away from them 10 years ago and it was a nightmare then too.

I almost lost my domain in the shuffle. Legal threats were required even then. ( they were a virtual monopoly and had you over a barrel )

Look for DNS/SSL/MITM attacks about now...

[DamnStupidElf]

The only obvious reason to DDoS a bunch of DNS servers is if you're going to be doing some cache poisoning and mounting a massive MITM attack, and if you're lucky you recently obtained a trusted intermediate CA via an MD5 collision attack on a lousy root CA like RapidSSL.

Has anyone bothered to petition Mozilla to remove all the offending root CAs with the weakness shown in MD5 considered harmful today [win.tue.nl]?

That explains it

[Jay L]

I'd noticed that all my DNS queries for non-existent domains were actually returning NXDOMAIN, instead of an advertisement...

Re:

[clarkkent09]

Subscribe and you'll see them all the time

Re:

[troll8901]

CmdrTaco should put in blaring sirens (or baring sirens) as well.

Re:

[poopdeville]

You can simulate a blink tag with simple JavaScript. Something like

function blink (on, off) {
      i = 0;
    while (i < 99999) {
        i++;
    }
    on.style("display:none");
    off.style("display:on");
    blink (off, on);
}

Note the tail recursion, for speed.

Re:

[KasperMeerts]

Note the tail recursion, for speed.

A tail recursion is supposed to stop sometime, this is just a (small) memory leak.

Re:

[inotocracy]

Um.. never heard of setTimeout()? Fail.

Re:

[Lord Flipper]

function blink (on, off) {
i = 0;
while (i < 99999) {
i++;
}
on.style("display:none");
off.style("display:on");
blink (off, on);
}

Or this in CSS:

selector.class or ID {text-decoration: blink;}

and call a script on the ie-only css for out-of-it browsers. It'll be nice, someday, to be able to jettison the bulky js and just use the css.

Re:

[troll8901]

So that's you, making my 40Gb/s connection slow!

Now I'm shelling out for 14Tb/s. Money don't grow on trees, you know.

Re:

[cheekyboy]

money is printed infinitely by the federal reserve, because its digital, its 'free', trees cost more ;_)

Re:

[shentino]

I doubt it.

GoDaddy was the one that caved to the kentucky gambling site seizure while NS had balls enough to say no.