Lessons from a DNS based DDOS attack

Today we helped a friend out with a DNS based DDOS attack. These things are awful and bad people do bad things for no real reason. These are good people trying to look after their clients and earn an honest living. I cannot see any reason to try and take their websites down as no one benefits from it. It’s just nasty people and sometimes, engineering can deal with nasty people rather effectively.

What happened was that their domain name’s DNS servers were being flooded with so many requests that the websites were taken offline.

DNS is one of those things that people aren’t that interested in until things go wrong, and then things get pretty urgent rather quickly. The problem here was that the domain name was being hosted by a single DNS server with two IP addresses attached under ns1 and ns2. This single box was not capable of responding to that volume of requests and running the website at the same time, and so it failed.

What we did was to set up alternative hosting under Amazon Route 53 in the same manner that launch.ly does it. Amazon then gives you four DNS servers to serve your requests from. The interesting part to note is that they are all under different top level domains in different zones of administration, adding to the resiliency of the DNS network.

We then contacted the domain name provider who redelegated to these four DNS servers and instantaneously, the DDOS attack was over.
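A quick way to check whether a delegation looks like the single-box setup above or the spread-out Route 53 one, as an added example (not code from this post or from launch.ly). It works on an already-resolved delegation so it runs offline; the nameserver hostnames and addresses below are constructed sample data, not real servers.

```python
"""Assess how resilient a domain's NS delegation is.

Takes a delegation as {nameserver hostname: [IP, ...]} (in practice you
would fill it from `dig NS` and `dig A`/`dig AAAA` output) and reports
how many distinct names, top-level domains and network prefixes it spans.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class DelegationReport:
    nameservers: int          # distinct NS hostnames
    tlds: int                 # distinct top-level domains the NS names sit under
    networks: int             # distinct /24 (IPv4) or /48 (IPv6) prefixes of NS IPs
    single_point_of_failure: bool


def _tld(hostname: str) -> str:
    return hostname.rstrip(".").lower().rsplit(".", 1)[-1]


def _prefix(ip: str) -> str:
    # Collapse each address to a routing-sized prefix: two IPs on one box
    # (the ns1/ns2 setup described in the post) normally share one.
    width = 48 if ":" in ip else 24
    return str(ip_network(f"{ip}/{width}", strict=False))


def assess_delegation(delegation: dict[str, list[str]], min_servers: int = 2) -> DelegationReport:
    names = {n.rstrip(".").lower() for n in delegation}
    tlds = {_tld(n) for n in names}
    prefixes = {_prefix(ip) for ips in delegation.values() for ip in ips}
    spof = len(names) < min_servers or len(prefixes) < 2
    return DelegationReport(len(names), len(tlds), len(prefixes), spof)


# Constructed sample data using documentation address ranges (not real servers).
BEFORE = {  # one box answering as both ns1 and ns2, as in the post
    "ns1.example.com.": ["192.0.2.10"],
    "ns2.example.com.": ["192.0.2.11"],
}
AFTER = {  # Route 53 style: four names spread over four TLDs (names are made up)
    "ns-101.awsdns-12.com.": ["192.0.2.53"],
    "ns-202.awsdns-25.net.": ["198.51.100.53"],
    "ns-303.awsdns-37.org.": ["203.0.113.53"],
    "ns-404.awsdns-49.co.uk.": ["2001:db8:53::1"],
}

if __name__ == "__main__":
    for label, delegation in (("before", BEFORE), ("after", AFTER)):
        print(label, assess_delegation(delegation))
```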

Taking down a single box is easy. Taking down a distributed, well engineered and supported system like Amazon Route 53 is more difficult. Additionally, handling security is difficult and it is better to leave it in the hands of someone like Amazon, who has a large staff of hardened professionals to look after things.

I’m glad our friends are back up and running and I am glad we use Amazon.

by Craig Sullivan
launch.ly

17 Apr 2013