EveryDNS Under Botnet DDoS Attack

mellow marsh writes "EveryDNS, sister company to OpenDNS (which runs the PhishTank anti-phishing initiative), has been hit by a massive distributed denial-of-service attack. The attack started sometime Friday afternoon and, from all indications, was targeting Web sites that used free DNS management services provided by EveryDNS. At the height of the DDoS bombardment, EveryDNS was being hit with more than 400mbps of traffic at each of its four locations around the world. From the article: '"We were collateral damage," Ulevitch explained... Because law enforcement is involved, Ulevitch was hesitant to release details of the actual target but there are signs that some of the targets were "nefarious domains" that have since been terminated.'" OpenDNS, which makes use of EveryDNS services, was affected for a time, until they spread their authoritative DNS more broadly. The EveryDNS site is now reporting that the attack is continuing but has been mitigated and is not affecting operations.
  • COM != NET (Score:3, Informative)

    by 42Penguins ( 861511 ) on Saturday December 02, 2006 @10:07PM (#17085582)
    "The EveryDNS site is now reporting that the attack is continuing but has been mitigated and is not affecting operations." O Rly. I see it reporting a chunky man with bad hair holding an @. Please change link to everydns dot NET to continue the /. DDoS.
  • Re:COM != NET (Score:4, Informative)

    by SaDan ( 81097 ) on Saturday December 02, 2006 @10:11PM (#17085616) Homepage
    What parent said. The main site is http://www.everydns.net/ [everydns.net] not .com.

    Another quality, editor approved Slashdot story. Great job, guys.
  • correct URL (Score:4, Informative)

    by barista ( 587936 ) on Saturday December 02, 2006 @10:11PM (#17085618) Homepage
    How about linking to the correct url [everydns.net]?
  • Heh (Score:5, Informative)

    by davidu ( 18 ) on Saturday December 02, 2006 @10:26PM (#17085690) Homepage Journal
    The site is EveryDNS.Net [everydns.net].

    I'll keep it up for Slashdot, let me just move it around a bit. :-)

    -david
  • Re:Poor engineering? (Score:2, Informative)

    by Anonymous Coward on Saturday December 02, 2006 @10:29PM (#17085708)
    No, GP didn't. mbps == millibits. Mbps == megabits. MBps = megabytes. Read GP again, and pay attention.
  • Questions? (Score:5, Informative)

    by davidu ( 18 ) on Saturday December 02, 2006 @10:30PM (#17085718) Homepage Journal
    Since I've been getting a lot of questions from folks about EveryDNS, how we've been stable and around so long, how we dealt with this DDoS and how we manage to cover our costs I am writing a response that will probably be posted here on Slashdot tomorrow or Monday to answer all these questions.

    If you have questions about this or DDoS in general, feel free to ask them here and I'll make sure to cover them in my response. I'll be writing about what we've seen and what I generally do when it comes to soaking up traffic and how we handled this event in particular. (The short answer: find the smartest people you can to help you and then start taking corrective action)

    Thanks!

    David Ulevitch
  • by sirket ( 60694 ) on Sunday December 03, 2006 @02:01AM (#17086828)
    If your upstream provider can't handle 400Mbps of traffic then you're being hosted by a pretty shitty ISP/data-center. It's not like gig uplinks are expensive (even if you only commit to a tiny rate you can generally get gig uplinks). Spread this across 4 or more datacenters and you've got a lot of bandwidth.

    Not to mention that networking people generally don't give a shit about bandwidth- it's packets per second that kill routers, not bandwidth. Assuming 100 byte packets that's about 4Mpps- Even a basic 7600 can handle this kind of traffic. Assuming 30 byte packets (can't be smaller than that) you're talking about 15Mpps. Again, even a basic 7600 should be able to handle that- not to mention a Juniper M7i or similar. Most Foundry equipment would laugh at that rate. All of these routers can do ACL's at full packet rates.

    That said- other recent DNS attacks exceeded 1.5 Gigabits per second of traffic and were a lot more vicious than the attack being described here.

    I'm not knocking EveryDNS- I know what a bitch dealing with a DDoS can be- the problem tends to be that most people aren't ready to deal with it. Using BGP community based nullrouting, most services can be restored within seconds of the target IP(s) being identified. That allows admins to keep untargeted systems and services up while the attacked systems are dealt with. The admins can then use the time to locate some/any pattern in the attack or enable the appropriate filtering such as a Cisco Riverguard or similar.

    -sirket
  • by sirket ( 60694 ) on Sunday December 03, 2006 @02:14AM (#17086882)
    Not quite- It generally works like this:

    First off- be prepared for a damned attack and don't wait til it happens. When an attack does come:

    1- Identify the target IP address
    2- Immediately null-route traffic for that address (preferably using BGP community based null-routing)
    This gets the rest of your systems back up and gives you time to work on the problem.
    3- Try to identify a pattern in the attacking traffic- use a product from a company like Mazu- or just tcpdump if you're good with sed and awk.
    4- If there is a pattern ask the upstream ISP to block based on that pattern (same source port, same source IP, same TTL, whatever). Or block it yourself if you have the router and bandwidth capacity to deal with the attack yourself- though that's generally a waste of your resources.
    5- If there is no pattern but the traffic is malformed then enable a Cisco Riverguard or similar protection device that can filter out malformed traffic at the higher protocol layers. As an alternative, sign up for such a service from a company like Prolexic.
    6- Remove your null route and see how you did.
    7- If you can't afford a protection service, you can try moving the host/dns records to new IP's. Sometimes the attacks don't follow- sometimes they do. It's often worth a try as it can be done faster than enabling protection services in many cases. In this case leave the old null route in place until the attack stops. Be prepared for the attack to return at any time once they realize what's happened.

    Make sure to keep traffic logs for law-enforcement and to share with other ISP's so that they can track down the offending bots.

    In the future try to keep your traffic as segregated as possible such that an attack on a single host will not take down too many other services should you need to null-route that address for an extended period of time.

    The easiest solution- block all IP addresses assigned to the APNIC region and watch as your site immediately returns to normal. Sadly most of the DDoS's I've seen recently had the majority of their traffic sourced from APNIC addresses.

    -sirket
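Steps 3 and 4 above (find a pattern in the attacking traffic, then hand it to the upstream as a filter) are easy to script. The following is an added example, not code from the thread or from EveryDNS: it parses constructed tcpdump-style lines (the sample, the field names and the 75% concentration threshold are all assumptions made here) and reports which header fields are uniform enough to be worth an ACL. The source address is deliberately not concentrated in the sample, which is the distributed-attack case raised later in the thread.

```python
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -nn -v` output, one packet per line (not a real capture).
# Four lines mimic flood packets from different spoofed sources sharing one source port, TTL and IP length.
SAMPLE_LINES = """\
22:10:01.000123 IP (ttl 119, proto UDP (17), length 68) 203.0.113.7.40000 > 198.51.100.5.53: UDP, length 40
22:10:01.000201 IP (ttl 119, proto UDP (17), length 68) 192.0.2.44.40000 > 198.51.100.5.53: UDP, length 40
22:10:01.000318 IP (ttl 119, proto UDP (17), length 68) 203.0.113.130.40000 > 198.51.100.5.53: UDP, length 40
22:10:01.000402 IP (ttl 119, proto UDP (17), length 68) 192.0.2.200.40000 > 198.51.100.5.53: UDP, length 40
22:10:01.000912 IP (ttl 55, proto UDP (17), length 73) 198.51.100.77.51234 > 198.51.100.5.53: UDP, length 45
"""

LINE_RE = re.compile(
    r"ttl (?P<ttl>\d+).*?length (?P<length>\d+)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_line(line):
    """Return a dict of header fields for one tcpdump-style line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("ttl", "length", "sport", "dport"):
        fields[key] = int(fields[key])
    return fields

# Header fields worth checking for a filterable pattern (same source port, same TTL, ...).
FIELDS = ("src", "sport", "ttl", "length")

def find_filter_candidates(lines, min_share=0.75):
    """Map each field whose single most common value covers at least min_share of the
    parsed packets to (value, share). A field that is spread out, such as the source
    address of a distributed flood, is omitted: it would not make a useful filter."""
    packets = [p for p in (parse_line(line) for line in lines) if p]
    if not packets:
        return {}
    candidates = {}
    for field in FIELDS:
        value, count = Counter(p[field] for p in packets).most_common(1)[0]
        share = count / len(packets)
        if share >= min_share:
            candidates[field] = (value, round(share, 2))
    return candidates

if __name__ == "__main__":
    for field, (value, share) in find_filter_candidates(SAMPLE_LINES.splitlines()).items():
        print(f"{field}={value} covers {share:.0%} of packets: candidate for an upstream filter")
```

On the sample this reports source port, TTL and IP length as candidates and stays silent on the source address, which is the signal that a per-source block would not help.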
  • Re:Questions? (Score:4, Informative)

    by davidu ( 18 ) on Sunday December 03, 2006 @03:37AM (#17087268) Homepage Journal
    4x400mbps == 1200mbps at times.

    That's less trivial to filter, especially when your upstream isn't being cooperative. In our case, which you'll read about tomorrow or Monday, we quickly were able to jump onto a network run by some folks with very very high levels of clue; nLayer operated by Richard Steenbergen. Their website is cheesy -- don't let it fool you. They are a seriously run network providing transit across the country to a bunch of other networks. Check routeviews for proof.

    -david
  • by sholdowa ( 242332 ) on Sunday December 03, 2006 @04:54PM (#17092254) Homepage
    '1. Identify the target IP address'
    It's a *distributed* attack. That means more than one address. A lot more.

    'or just tcpdump if you're good with sed and awk.'
    You're going to be able to do this on 1.6Gbit of traffic in realtime? That's good typing.

    'The easiest solution- block all IP addresses assigned to the APNIC region and watch as your site immediately returns to normal.'
    FUD. This is a botnet attack. Most owned PC's live in the US. It's this kind of thinking that has forced us to run our servers in the US, because as everyone knows, New Zealand is in Asia.

    I'm glad you're not supporting our networks (:
