More DDOS Attacks Cause DNS Outages

June 5, 2013 – If you have followed our articles or read information on this site, you have probably noticed that
we address DDOS attacks a lot.  Most people don’t realize that DNS is just as susceptible as the rest of
your network, if not more so.  DNS servers are very easy to take down.

According to sources, there has been a trend of recent DDOS attacks that could be related.
A few domain management and DNS hosting providers have had outages that may be linked to
these recent attacks.  The type of attack seems to vary, but the traffic patterns are similar.

EasyDNS, TPP Wholesale, and DNSimple have all reported that they have experienced temporary
outages and issues with their networks on Monday.  TPP saw several attacks targeting their
network over the last few days and responded by rate limiting DNS queries to stop the
attacks. These measures are pretty intense and tend to cause false positives, which
prevents legitimate customers from reaching them.  They plan to whitelist the false positives
they find over the coming days to help avoid this issue.

EasyDNS also reported DDOS attacks targeting their servers on Monday.  They seem to think
that these attacks are actually targeting their network directly, as opposed to one of their clients.
Their CEO, Mark Jeftovic, described this scenario as extremely bad for DNS providers because
they can’t isolate the one customer being attacked; instead, their whole network is being attacked.

Anthony Eden, Founder of DNSimple, said they suffered an amplification attack that was used to target a
third party network.  They were “flooded with ‘ANY’ queries on several of their domains being hosted by
their DNS, intended to amplify these small queries into much larger ones that will target a specific
network.”

DNS Amplification, or DNS Reflection, is nothing to take lightly.  These attacks have been around a while
and can cause major damage to any network.  Basically, a ton of zombie machines send queries to DNS
servers with a spoofed source IP address (the victim’s), which triggers lengthy responses that are sent
to the victim’s IP in a very short time-frame.  The goal is to generate enough traffic to saturate the
victim’s bandwidth.
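
The rate limiting with a whitelist described above for TPP, and the spoofed-source mechanism just explained, sketched as an added example (not code from this article or from any provider named in it). It keeps a token bucket per claimed source network and replays constructed traffic; the class name, rates, and sample addresses are assumptions.

```python
import ipaddress
from collections import Counter

class ResponseRateLimiter:
    """Token bucket per claimed source network; integer math, time in ms."""

    def __init__(self, per_sec=5, burst=10, allowlist=()):
        self.refill = per_sec          # milli-tokens regained per millisecond
        self.cap = burst * 1000        # bucket capacity in milli-tokens
        self.allow = [ipaddress.ip_network(n) for n in allowlist]
        self.buckets = {}              # network -> (milli-tokens, last_ts_ms)

    def permit(self, ts_ms, src):
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.allow):
            return True                # known-good resolver, never throttled
        # Spoofed floods all claim the victim's address, so bucket by its network.
        plen = 24 if ip.version == 4 else 56
        key = ipaddress.ip_network(f"{src}/{plen}", strict=False)
        tokens, last = self.buckets.get(key, (self.cap, ts_ms))
        tokens = min(self.cap, tokens + (ts_ms - last) * self.refill)
        ok = tokens >= 1000            # one response costs 1000 milli-tokens
        self.buckets[key] = (tokens - 1000 if ok else tokens, ts_ms)
        return ok

def sample_events():
    """Constructed traffic: (time_ms, claimed_source_ip), documentation IPs."""
    flood = [(t, "203.0.113.7") for t in range(0, 1000, 10)]      # spoofed victim
    quiet = [(t, "198.51.100.20") for t in range(0, 5000, 1000)]  # small resolver
    busy = [(t, "192.0.2.53") for t in range(0, 1000, 25)]        # large resolver
    return sorted(flood + quiet + busy)

def replay(events, **kwargs):
    """Return {source: (answered, dropped)} for one run of the limiter."""
    rl, answered, dropped = ResponseRateLimiter(**kwargs), Counter(), Counter()
    for ts, src in events:
        (answered if rl.permit(ts, src) else dropped)[src] += 1
    return {s: (answered[s], dropped[s]) for s in {src for _, src in events}}

if __name__ == "__main__":
    for label, allow in (("no allowlist", ()), ("allowlisted", ("192.0.2.53/32",))):
        print(label, replay(sample_events(), allowlist=allow))
```

In the constructed run the busy resolver loses 26 of its 40 answers until its address is allowlisted, while the responses reflected toward 203.0.113.7 are cut from 100 to 14 either way.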

Since these attacks targeted the authoritative servers, this tells us that the attackers are smart and
put a lot of work into this.  The typical amplification attacks will target open DNS resolvers because
it’s much easier.  Open resolvers will accept DNS queries from any server, whereas authoritative servers
only accept queries for the domains they host.  Therefore, the attackers had to know all the domain
names that the authoritative servers host.

This is just another example of how seriously DNS needs to be taken.  It’s not only the backbone of your
online business, but it’s also another entry point into your business.  Protect it.


© Copyright 2008 by DNS Reviews