EveryDNS Under Botnet DDoS Attack

mellow marsh writes "EveryDNS, sister company to OpenDNS (which runs the PhishTank anti-phishing initiative), has been hit by a massive distributed denial-of-service attack. The attack started sometime Friday afternoon and, from all indications, was targeting Web sites that used free DNS management services provided by EveryDNS. At the height of the DDoS bombardment, EveryDNS was being hit with more than 400mbps of traffic at each of its four locations around the world. From the article: '"We were collateral damage," Ulevitch explained... Because law enforcement is involved, Ulevitch was hesitant to release details of the actual target but there are signs that some of the targets were "nefarious domains" that have since been terminated.'" OpenDNS, which makes use of EveryDNS services, was affected for a time, until they spread their authoritative DNS more broadly. The EveryDNS site is now reporting that the attack is continuing but has been mitigated and is not affecting operations.

Affected; Irony

[Brendtron 5000]

This really made yesterday difficult for me.

My comp sci networking class assignment was on my home server, and I use EasyDNS. Had to bus home and put it on a USB stick. Last day of class, and the end of a particularly brutal week.

Re:Questions?

[Anonymous Coward]

1) Where were you getting hit from (country, areas...)?
2) This might be harder to tell, but what type of clients were hitting you (high speed home users, commercial end servers)?
3) The poster said " 'We were collateral damage,' Ulevitch explained..." How so, and who was the primary target?

Its not all too bad, just 4 days ago, I found out about OpenDNS. Great stuff, gave me a solution to my horrible ISP's (Charter Comm.) DNS servers. And until I saw this post, I didn't know about EveryDNS. Hopefully this will result in more donations.

Re:Questions?

[davidu]

In short, the latter. Nothing is ever righteous when it comes to DDoS. :-)

Open Letter to all Trolls

[tomstdenis]

You're pricks.

Nothing positive or lasting will come out of trolling (and yes: this means you anonymous asshats on /. and in usenet).

So why not be part of a winning team and stop script kiddie'ing around from your parents basement.

Sincerely,
The Rest of the Human Race.

DNSPark, too

[mrmagos]

I use DNSPark [dnspark.net], and they were subject to a DDOS attack earlier this week, too. Are they affiliated with EveryDNS too, or is it coincidence, since they are another cheap/free DNS host?

Re:Questions?

[Beryllium Sphere(tm)]

Bless you for offering to answer questions! That sort of cooperation is indispensable if security is going to improve.

1. How did you manage the response? The one-smart-person-in-charge-who-stays-awake-the-who le-time approach? The small-team-with-independent-responsibilities model? The review-what-happened-at-shift-change model?

2. What tactics worked, and even more important, what didn't work?

3. What sort of agreements should people have in place with their upstream ISP prior to an incident?

4. How intelligent was the attack traffic? Randomized payload? Does anyone bother spoofing addresses any more?

5. Was it a guided attack or a fire and forget? In other words, did the scum make any changes to their tactics in real time as you tried corrective action?

6. What if anything can be done in the first few minutes/hours?

7. If you had to choose between capacity and filtering, which would you choose?