
EveryDNS Under Botnet DDoS Attack

kdawson posted more than 7 years ago | from the man-that-smarts dept.

Security 154

mellow marsh writes "EveryDNS, sister company to OpenDNS (which runs the PhishTank anti-phishing initiative), has been hit by a massive distributed denial-of-service attack. The attack started sometime Friday afternoon and, from all indications, was targeting Web sites that used free DNS management services provided by EveryDNS. At the height of the DDoS bombardment, EveryDNS was being hit with more than 400mbps of traffic at each of its four locations around the world. From the article: '"We were collateral damage," Ulevitch explained... Because law enforcement is involved, Ulevitch was hesitant to release details of the actual target but there are signs that some of the targets were "nefarious domains" that have since been terminated.'" OpenDNS, which makes use of EveryDNS services, was affected for a time, until they spread their authoritative DNS more broadly. The EveryDNS site is now reporting that the attack is continuing but has been mitigated and is not affecting operations.


154 comments


puppy (5, Funny)

Feyr (449684) | more than 7 years ago | (#17085578)

/., like kicking a dead puppy.

Re:puppy (1)

TubeSteak (669689) | more than 7 years ago | (#17085772)

This is more like kicking your neighbor's dog, because you saw someone else do it.

Suck it, spammers (0)

Anonymous Coward | more than 7 years ago | (#17085580)

This should be a collective "SUCK IT" to the spammers and phishers out there. Keep it up, EasyDNS!

Re:Suck it, spammers (1)

itsdave (105030) | more than 7 years ago | (#17088038)

EveryDNS and EasyDNS are two separate DNS services.

COM != NET (2, Informative)

42Penguins (861511) | more than 7 years ago | (#17085582)

"The EveryDNS site is now reporting that the attack is continuing but has been mitigated and is not affecting operations." O Rly. I see it reporting a chunky man with bad hair holding an @. Please change link to everydns dot NET to continue the /. DDoS.

Re:COM != NET (1)

VoltageX (845249) | more than 7 years ago | (#17085604)

'tis probably a good thing that /. isn't adding to the DDoS

Re:COM != NET (4, Informative)

SaDan (81097) | more than 7 years ago | (#17085616)

What parent said. The main site is http://www.everydns.net/ [everydns.net] not .com.

Another quality, editor approved Slashdot story. Great job, guys.

Re:COM != NET (-1, Offtopic)

mrmeval (662166) | more than 7 years ago | (#17085740)

I've submitted several stories that have been declined. Now they're begging for stories and I'm not inclined. Besides I want paid to play.

Re:COM != NET (1)

benplaut (993145) | more than 7 years ago | (#17088106)

So you post it far up on the post queue in /. Now it'll go down!

Poor engineering? (0)

Anonymous Coward | more than 7 years ago | (#17085592)

At the height of the DDoS bombardment, EveryDNS was being hit with more than 400mbps of traffic at each of its four locations around the world.

I would think that normal DNS operations would generate more than 400 millibits per second of traffic. How poorly designed ARE the EveryDNS sites?

Re:Poor engineering? (1)

techno-vampire (666512) | more than 7 years ago | (#17085646)

...400 millibits per second of traffic...


I would hope so. That would be 400/1000 bits of traffic per second. ITYM Megabits.

Re:Poor engineering? (2, Informative)

Anonymous Coward | more than 7 years ago | (#17085708)

No, GP didn't. mbps == millibits. Mbps == megabits. MBps = megabytes. Read GP again, and pay attention.

Re:Poor engineering? (0)

Anonymous Coward | more than 7 years ago | (#17087942)

I swear... this generation's reading comprehension skills are sooo dead!

Re:Poor engineering? (3, Funny)

Anonymous Coward | more than 7 years ago | (#17086028)

The problem is, EasyDNS could only afford an AOL dialup to put their servers up. On top of that, the "server", is really just an old Pentium MMX with 32megs of RAM running bind on top of cygwin on top of Windows 95. Unfortunately, the admin let his 16 year old sister use the machine to browse MySpace (and who knows what else), so let's just say the machine is running other "services" as well.

lkjljk (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17085594)

Let me introduce myself. I am the president and founder of the Anti everyDNS Association. In the text that follows, I will explain why stopping everyDNS is fundamental to the survival of our society. As this letter will make clear, on several occasions I have heard everyDNS state that its subliminal psywar campaigns are all sweetness and light. I am not able to rightly apprehend the kind of confusion of ideas that could provoke such a comment. What I consider far more important, though, is that everyDNS's behavior might be different if it were told that I find its words to be a perversion of the truth. Of course, as far as everyDNS's concerned, this fact will fall into the category of, "My mind is made up; don't confuse me with the facts." That's why I'm telling you that if the people generally are relying on false information sown by damnable dipsomaniacs, then correcting that situation becomes a priority for the defense of our nation. Those of you who thought that everyDNS was finally going to leave us alone are in for a big surprise, because everyDNS recently announced its plans to condemn innocent people to death. EveryDNS is too lame-brained to read the writing on the wall. This writing warns that I cannot believe how many actual, physical, breathing, thinking people have fallen for its subterfuge. I'm absolutely stunned.

EveryDNS can blame me for the influx of raucous carousers if it makes it feel better, but it won't help its cause any. Should we be concerned that everyDNS wants to use both overt and covert deceptions to batten on the credulity of the ignorant? I'll answer that question for you: Yes, we should unmistakably be concerned, because it has remarked that it is a spokesman for God. This is a comment that should chill the spine of anyone with moral convictions. To make sure you understand, I'll spell it out for you. For starters, if Fate desired that everyDNS make a correct application of what it had read about cronyism, it would have to indicate title and page number, since the barbaric cretin would otherwise never in all its existence find the correct place. But since Fate does not do this, to believe that the rules don't apply to everyDNS is to deceive ourselves. Within the deleterious milieu of absenteeism exists the opportunity for everyDNS to call evil good and good evil. But let's not quibble about that. On the other hand, everyDNS's most progressive idea is to portray sinister criticasters as common criminals. If that sounds progressive to you, you must be facing the wrong way.

What I'm saying is this: everyDNS's "I'm right and you're wrong" attitude is pestiferous, because it leaves no room for compromise. EveryDNS has a natural talent for complaining. It can find any aspect of life and whine about it for hours upon hours. EveryDNS's eccentricity is surpassed only by its vanity. And its vanity is surpassed only by its empty theorizing. (Remember its theory that it is a bearer and agent of the Creator's purpose?) In the end, everyDNS is a big fan of vigilante justice.

Affected; Irony (2, Interesting)

Brendtron 5000 (973294) | more than 7 years ago | (#17085606)

This really made yesterday difficult for me.

My comp sci networking class assignment was on my home server, and I use EasyDNS. Had to bus home and put it on a USB stick. Last day of class, and the end of a particularly brutal week.

Re:Affected; Irony (2, Funny)

vk2 (753291) | more than 7 years ago | (#17085840)

There is your free lesson in redundancy [zoneedit.com]

Re:Affected; Irony (1)

Brendtron 5000 (973294) | more than 7 years ago | (#17087296)

Oops, by EasyDNS I mean EveryDNS.

Re:Affected; Irony (1)

Technician (215283) | more than 7 years ago | (#17087652)

Had to bus home and put it on a USB stick. Last day of class, and the end of a particularly brutal week.


Save some time and punch in the IP address instead of a URL and skip the DNS lookup.
It's your server. Do you know your IP address?

Re:Affected; Irony (0)

Anonymous Coward | more than 7 years ago | (#17087828)

It's quite possible that his computer is on a dynamically assigned IP, and is using some sort of dynamic DNS, no?

Re:Affected; Irony (1)

Technician (215283) | more than 7 years ago | (#17088070)

It's quite possible that his computer is on a dynamically assigned IP, and is using some sort of dynamic DNS, no?

Yes, however many ISPs do not reassign IPs very often, except those using PPPoE, which may "dial up" quite often.

correct URL (3, Informative)

barista (587936) | more than 7 years ago | (#17085618)

How about linking to the correct url [everydns.net] ?

Re:correct URL (2, Insightful)

Anonymous Coward | more than 7 years ago | (#17085622)

Well, if they are under a DDoS attack, there is no need to add salt to their wounds.

Does that mean (1)

Progman3K (515744) | more than 7 years ago | (#17085670)

That while they attack them there'll be less spam?

Heh (5, Informative)

davidu (18) | more than 7 years ago | (#17085690)

The site is EveryDNS.Net [everydns.net] .

I'll keep it up for Slashdot, let me just move it around a bit. :-)

-david

Re:Heh (5, Funny)

Anonymous Coward | more than 7 years ago | (#17086126)

You must be new...oh

Re:Heh (1)

fm6 (162816) | more than 7 years ago | (#17086756)

I have to ask: do you really make a living off of voluntary payments? Or do you have other revenue streams?

Link To Them (2, Funny)

Iriestx (1033648) | more than 7 years ago | (#17085692)

Nothing helps out a site currently under a DDoS attack like being linked to on the front page of /.

This is nothing short of organized crime (1, Troll)

i kan reed (749298) | more than 7 years ago | (#17085706)

Like people who kill attorneys willing to prosecute those in the mafia. If any phishers can be found, I hope they get jailed for life.

Re:This is nothing short of organized crime (1)

crush (19364) | more than 7 years ago | (#17085862)

It looks like this is nothing to do with phishers/spammers trying to attack phish tank. It's a vigilante action against "nefarious sites", whatever the fuck those are. It explains the sudden burst in "lame server" messages I saw in my logs anyway. I hadn't realised how many people were using EasyDNS.

Questions? (5, Informative)

davidu (18) | more than 7 years ago | (#17085718)

Since I've been getting a lot of questions from folks about EveryDNS, how we've been stable and around so long, how we dealt with this DDoS and how we manage to cover our costs I am writing a response that will probably be posted here on Slashdot tomorrow or Monday to answer all these questions.

If you have questions about this or DDoS in general, feel free to ask them here and I'll make sure to cover them in my response. I'll be writing about what we've seen and what I generally do when it comes to soaking up traffic and how we handled this event in particular. (The short answer: find the smartest people you can to help you and then start taking corrective action)

Thanks!

David Ulevitch

Re:Questions? (3, Insightful)

TubeSteak (669689) | more than 7 years ago | (#17085796)

Because law enforcement is involved, Ulevitch was hesitant to release details of the actual target but there are signs that some of the targets were "nefarious domains" that have since been terminated.
What does that mean?
Was this a 'righteous' attack on malicious websites?
Or just some intramural warfare by one nefarious group upon another?

Re:Questions? (4, Interesting)

davidu (18) | more than 7 years ago | (#17085882)

In short, the latter. Nothing is ever righteous when it comes to DDoS. :-)

You must be new here (1)

TubeSteak (669689) | more than 7 years ago | (#17086262)

Nothing is ever righteous when it comes to DDoS.
I feel compelled to come to /.'s defense:
A Slashdotting is always Righteous :op


/Don't hate me because my UID is prime

Re:You must be new here (2, Funny)

SaDan (81097) | more than 7 years ago | (#17086444)

Don't hate the guy you replied to because his UID is freakin' 18!!! :^)

Re:You must be new here (1)

daverabbitz (468967) | more than 7 years ago | (#17087300)

But 18 isn't prime?

Re:Questions? (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17085834)

1) Where were you getting hit from (country, areas...)?
2) This might be harder to tell, but what type of clients were hitting you (high speed home users, commercial end servers)?
3) The poster said " 'We were collateral damage,' Ulevitch explained..." How so, and who was the primary target?

It's not all too bad; just 4 days ago, I found out about OpenDNS. Great stuff, gave me a solution to my horrible ISP's (Charter Comm.) DNS servers. And until I saw this post, I didn't know about EveryDNS. Hopefully this will result in more donations.

Re:Questions? (1)

daeg (828071) | more than 7 years ago | (#17085870)

You may not be able to disclose this, but how many zones do you support and under what type of operating environment (OS, DNS software)? You often see debates of statistics of which DNS can more easily handle a lot of traffic, but your service has another problem on top of bandwidth: volume of zones. Have you experimented with the various packages and setups?

Re:Questions? (1)

Peter Cooper (660482) | more than 7 years ago | (#17086040)

The stats are on the front page of their site:

Global Stats:
Accounts: 62357
Domains: 103552
Records: 292615

The implementation details are in the FAQ and About. Without bothering to read them again, I think they use a modified tinydns.

Re:Questions? (1)

daeg (828071) | more than 7 years ago | (#17086626)

I'll have to check again when this has passed, I couldn't get pages to load at work. Thanks.

Re:Questions? (1)

saleenS281 (859657) | more than 7 years ago | (#17086244)

I don't want this to come out the wrong way, but I know it'll probably get me flamed so I'll just spit it out. How exactly do you manage to go down from *only* 400Mbit/sec? No offense but that's not even a drop in the bucket in 2006 where it's commonplace to have a gigabit line running into one server. You guys really need to step back and take a look at your infrastructure if that's all it takes to go down. I realize this is somewhat a rhetorical question, to give you something easier to answer: What is your current infrastructure (although you may not want to say as it would give information to future attackers), and do you have a plan in place so that you can withstand what is in reality a tiny attack in the future?

Re:Questions? (1)

Dryanta (978861) | more than 7 years ago | (#17087064)

No, it is NOT common for anything not incredibly critical to be on a GigE line. Some people can afford tier 1 colo centers, most cannot. Even if you can afford the GigE pipe, you most likely cannot afford the overage on your commit with all that traffic you have not expected and engineered for coming at you. I have been DoSed before, and it causes outages and huge bills.

Re:Questions? (3, Informative)

davidu (18) | more than 7 years ago | (#17087268)

4x400mbps == 1200mbps at times.

That's less trivial to filter, especially when your upstream isn't being cooperative. In our case, which you'll read about tomorrow or Monday, we quickly were able to jump onto a network run by some folks with very very high levels of clue; nLayer operated by Richard Steenbergen. Their website is cheesy -- don't let it fool you. They are a seriously run network providing transit across the country to a bunch of other networks. Check routeviews for proof.

-david

Re:Questions? (1)

walt-sjc (145127) | more than 7 years ago | (#17088170)

Our colo ISP (in San Jose) uses nLayer, and we ran into a problem where Verizon had a broken route to our east coast office for several weeks (looping between two Verizon routers.) Verizon was totally non-responsive, so nLayer manually advertised an alternate route that got things flowing again within a few minutes of reporting the problem.

As a sidenote, everydns hosts macports.org which was affected by the DDOS. Even though macports also had two other working DNS servers besides the 4 from everydns, I had to manually query them to get the IP and use the IP instead. Having multiple DNS servers does not give you as much redundancy as it really should. :-(

Re:Questions? (4, Interesting)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#17086496)

Bless you for offering to answer questions! That sort of cooperation is indispensable if security is going to improve.

1. How did you manage the response? The one-smart-person-in-charge-who-stays-awake-the-whole-time approach? The small-team-with-independent-responsibilities model? The review-what-happened-at-shift-change model?

2. What tactics worked, and even more important, what didn't work?

3. What sort of agreements should people have in place with their upstream ISP prior to an incident?

4. How intelligent was the attack traffic? Randomized payload? Does anyone bother spoofing addresses any more?

5. Was it a guided attack or a fire and forget? In other words, did the scum make any changes to their tactics in real time as you tried corrective action?

6. What if anything can be done in the first few minutes/hours?

7. If you had to choose between capacity and filtering, which would you choose?

Re:Questions? (0)

Anonymous Coward | more than 7 years ago | (#17086640)

I didn't even know EveryDNS existed until this. I really need a secondary DNS servers for my domain, and most places charge way too much for a simple service.

Unfortunately, your setup page to use EveryDNS as a secondary is broken, so I'm out of luck for now. Pls fix, will donate.

Re:Questions? (1)

IO ERROR (128968) | more than 7 years ago | (#17087612)

My domain whose DNS is hosted at everydns.net suffered briefly during this attack, but I didn't see any major problems. All the mail came through, for instance.

They never anticipated Windows. (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17085728)

Kahn, Cerf, and the other developers of the Internet did a fantastic job of coming up with an extremely reliable, fault-tolerant system. The global scale of the Internet is in itself amazing, let alone the technological genius of it. Yet they likely never anticipated what we today refer to collectively as "Microsoft Windows". But when dealing with very high-quality systems like VMS, Bell Labs/AT&T UNIX, BSD UNIX, CTSS and ITS, it's easy to see how they did not consider the extremely negative effect that shitty, easily-compromised operating systems like Windows could have.

Re:They never anticipated Windows. (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17086032)

I'm no MS fan, but it is worth noting that most of the OSes you mention were even less secure than Windows at the time the internet was being developed.

The difference is that very few people knew the exploits and fewer still were in a position to actually use them.

What in the fuck are you talking about, son? (0)

Anonymous Coward | more than 7 years ago | (#17086702)

By the late 1970s and early 1980s, VMS was already being used in a great number of locations. Its security was tested daily, and it proved to be rock-solid. That's why many companies still use it even today for their most essential data processing tasks.

I'd hardly suggest that the TCP/IP implementation of BSD was "insecure", even during its earlier releases. It was incorporated into so many other products, including SVR4 and Windows, mostly due to its extremely high quality. BSD itself was one of the most secure systems ever implemented. If it weren't for the excellent quality of the BSD codebase, we likely would never have seen a system as completely, and almost obscenely, secure as OpenBSD. Were it not for the tremendous earlier work at Berkeley, Theo et al. would have had little to build on.

There's no reason why Microsoft could not have built upon the knowledge and experience gained while developing truly secure systems like VMS and BSD UNIX. Hell, they had the main developer of VMS working for them, and they borrowed significant BSD-derived code. Then again, only Microsoft can take truly excellent software and experience, and pervert it into a horribly insecure product.

Re:What in the fuck are you talking about, son? (1)

sirket (60694) | more than 7 years ago | (#17086760)

First off- by all accounts Windows NT borrowed heavily from VMS.

Secondly, the Morris worm compromised _Unix_ systems, not Windows boxes. I loathe Windows but please don't pretend Unix doesn't have its own sins. The difference is the Unix folks tend to learn from their mistakes and the Windows folks don't.

-sirket

Real ripple effects, even from this small event. (5, Insightful)

ScentCone (795499) | more than 7 years ago | (#17085830)

A client (a pretty large retail chain) was using EveryDNS for forward lookups to the mail server's A record. Mail they were sending out started to bounce because receiving mail servers weren't happy when trying to validate the sending box. In one case, a vital piece of mail sent to a state taxing authority couldn't get through on a month-end calendar deadline, causing much grief. Yes, alternate communications channels are always an option, but it wasn't immediately clear why the two mail servers in question appeared to be hating each other.

Worse, the state government box's spam filtering appliance blacklisted the retailer's server, and a third party admin had to get involved to free things up. Quite a mess.

But the real lesson? People who say that a "cyber attack" couldn't really hurt the economy are wrong, wrong, wrong. This stuff can be really disruptive, and this was a pissant little scaled-down example. No major damage, but a lot of thrashing around, untold man-hours of lost productivity, and (in the case of the anecdote in question, involving just one retail company), probably some tax fines which will require much tail chasing to get waived once the story is clearly told, assuming the state government in question is feeling sporting about it.
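The bounce chain ScentCone describes (sender's authoritative DNS unreachable, receiving server's host check fails, mail bounces, sender gets blacklisted) hinges on one decision in the receiving MTA: whether "I could not look that name up" is treated the same as "that name does not exist". The script below is an added example, not code from the thread or from any real mail server; the resolver is a constructed stub, the hostnames use the reserved `.example` domain and the addresses come from the RFC 5737 documentation range, so it runs offline. It shows the fragile check beside the one that defers on a temporary DNS failure.

```python
"""
Added example: a receiving mail server's sender-host check written two ways,
to show why a DNS outage at the sender's authoritative servers turns into
bounces. The resolver is a constructed stub so the script runs offline.
"""
from typing import Callable, Dict, Tuple

# Statuses a resolver can hand back. NXDOMAIN and NODATA are authoritative
# "no such name / no such record" answers; SERVFAIL and TIMEOUT mean no
# authoritative server could be reached, which is what a DDoS on the NS set
# looks like from the outside.
OK, NXDOMAIN, NODATA, SERVFAIL, TIMEOUT = "OK", "NXDOMAIN", "NODATA", "SERVFAIL", "TIMEOUT"

# name -> (status, list of A records)
Resolver = Callable[[str], Tuple[str, list]]


def make_stub_resolver(table: Dict[str, Tuple[str, list]], default: str) -> Resolver:
    """Constructed resolver: answers from `table`, otherwise returns `default`."""
    def resolve_a(name: str) -> Tuple[str, list]:
        return table.get(name.lower().rstrip("."), (default, []))
    return resolve_a


def naive_verdict(helo_name: str, peer_ip: str, resolve_a: Resolver) -> Tuple[int, str]:
    """Fragile version: anything that does not positively confirm the name is a
    permanent rejection, so an outage upstream becomes a hard bounce."""
    status, addrs = resolve_a(helo_name)
    if status == OK and peer_ip in addrs:
        return 250, "ok"
    return 550, f"5.7.1 {helo_name} does not resolve to {peer_ip}"


def careful_verdict(helo_name: str, peer_ip: str, resolve_a: Resolver) -> Tuple[int, str]:
    """Hardened version: 'the zone says no' is a reject (5xx); 'the zone could
    not be asked' is a defer (4xx), so the sending MTA queues and retries."""
    status, addrs = resolve_a(helo_name)
    if status in (SERVFAIL, TIMEOUT):
        return 450, f"4.4.3 temporary DNS failure resolving {helo_name}"
    if status in (NXDOMAIN, NODATA) or not addrs:
        return 550, f"5.7.1 {helo_name} does not resolve"
    if peer_ip not in addrs:
        return 550, f"5.7.1 {helo_name} does not resolve to {peer_ip}"
    return 250, "ok"


# Constructed scenario: the retailer's mail host on a normal day, and on the
# day its DNS provider's servers could not be reached.
HELO = "mail.retailer.example"
PEER = "192.0.2.25"
healthy = make_stub_resolver({HELO: (OK, [PEER])}, default=NXDOMAIN)
provider_down = make_stub_resolver({}, default=SERVFAIL)

if __name__ == "__main__":
    for label, resolver in (("healthy DNS", healthy), ("NS under DDoS", provider_down)):
        print(f"{label:14} naive={naive_verdict(HELO, PEER, resolver)} "
              f"careful={careful_verdict(HELO, PEER, resolver)}")
```

With the authoritative servers unreachable the naive check returns 550 and the sender bounces the message; the careful check returns 450 and the sender keeps it queued until the DNS comes back. Whether a given deployment behaves the careful way is a configuration question, not a given: in Postfix, for instance, `unknown_helo_hostname_tempfail_action` (default `defer_if_permit`) is the knob that decides it, and it is worth confirming on any box that enforces HELO or sender verification.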

Re:Real ripple effects, even from this small event (1)

bky1701 (979071) | more than 7 years ago | (#17085960)

Your "ripple effect" sounds more like bad code on the side of the sites being affected. The protocol should be secure on a technical level and not rely on laws to protect it, because no matter how fascist you want the internet to be, you can never control it all.

I could cause a lot more problems and not do anything illegal. Should those acts be illegal because of a butterfly effect caused by bad programming? Get real, please.

Re:Real ripple effects, even from this small event (1)

ScentCone (795499) | more than 7 years ago | (#17086002)

Should those acts be illegal because of a butterfly effect caused by bad programming? Get real, please.

If by "bad programming" you mean: the DDoS attack on the name servers was working, and thus a receiving mail server couldn't decide whether to trust another party's sent message... then, sure. Except that's not bad programming "on the site" (as you put it), is it? No. It's a vulnerability in using DNS in the first place. The only thing that would have prevented that would have been sticking with good old IP addresses for everything. But then, what stops a massive bot-net army from launching a DDoS attack against an IP address? Prosecution against the people who do it is at least somewhat helpful.

Re:Real ripple effects, even from this small event (1)

bky1701 (979071) | more than 7 years ago | (#17087038)

DoS attacks are easy to prevent. And in this case, at least with your example, it could have been handled on the DNS server's side easily, had they known what they were doing. Stop hiding behind law to justify technical failures; the internet is survival of the fittest and that's just the way it belongs. (And let's not try to discuss how, if they can carry this out, you are going to catch them. It's pointless.)

incompetence effects, not ripple effects (3, Insightful)

SuperBanana (662181) | more than 7 years ago | (#17086064)

In one case, a vital piece of mail sent to a state taxing authority couldn't get through on a month-end calendar deadline, causing much grief.

Maybe a)it shouldn't be left until the deadline and b)sent via email, if it's so damn important.

And maybe you should not tell clients to use a free DNS hosting service as their sole DNS provider...

Re:incompetence effects, not ripple effects (1)

ScentCone (795499) | more than 7 years ago | (#17086100)

Maybe a)it shouldn't be left until the deadline and b)sent via email, if it's so damn important.

Hey! I don't do management consulting for their accounting people. But sometimes this sort of thing tends to have that effect, once the dust settles.

And maybe you should not tell clients to use a free DNS hosting service as their sole DNS provider...

Not my call on this one either. Our team is involved on a peripheral project, and this part of their infrastructure was in place long before we got on board. We've already updated their domain records to name additional name servers on other networks, which spreads the pain. They're learning.
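walt-sjc's macports anecdote above (six nameservers listed, four of them at the provider under attack, and lookups still failing until the other two were queried by hand) and the fix ScentCone describes here (adding nameservers on other networks) are two views of the same check: how many of a zone's nameservers survive if one operator goes dark, and how long a resolver may spend timing out on the dead ones before it reaches a live one. The script below is an added example, not EveryDNS, OpenDNS or macports code. The delegation, hostnames and addresses are constructed (reserved `.example` names, RFC 5737 addresses); `provider_of` uses the last two labels of the NS hostname as a stand-in for a real origin-AS lookup, which would need network access; and `worst_case_first_answer` is a deliberately crude resolver model, stated as such in the code.

```python
"""
Added example: how much redundancy a zone's NS set really gives when one
provider is knocked offline. Hostnames and addresses are constructed.
"""
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed delegation mirroring the six-NS setup described in the thread:
# four servers at one free provider, two at another operator.
SAMPLE_DELEGATION: Dict[str, str] = {
    "ns1.freedns.example": "192.0.2.10",
    "ns2.freedns.example": "192.0.2.11",
    "ns3.freedns.example": "198.51.100.20",
    "ns4.freedns.example": "198.51.100.21",
    "ns1.otherhost.example": "203.0.113.5",
    "ns2.otherhost.example": "203.0.113.6",
}


def provider_of(hostname: str) -> str:
    """Registrable domain of an NS hostname (last two labels). Assumption: this
    approximates 'which operator runs the server'. A real check would map each
    address to its origin AS; that needs network access and is left out here."""
    return ".".join(hostname.rstrip(".").split(".")[-2:])


def network_of(address: str) -> ipaddress.IPv4Network:
    """/24 containing the address, as a rough 'same upstream link' grouping."""
    return ipaddress.ip_network(f"{address}/24", strict=False)


def diversity_report(delegation: Dict[str, str]) -> dict:
    """Summarise how the NS set is spread across operators and networks."""
    providers = Counter(provider_of(h) for h in delegation)
    networks = {network_of(a) for a in delegation.values()}
    biggest, count = providers.most_common(1)[0]
    return {
        "ns_count": len(delegation),
        "providers": dict(providers),
        "distinct_slash24": len(networks),
        "largest_provider": biggest,
        "largest_provider_share": count / len(delegation),
    }


def survivors_if_down(delegation: Dict[str, str], provider: str) -> List[str]:
    """Nameservers still reachable if every server run by `provider` is unreachable."""
    return sorted(h for h in delegation if provider_of(h) != provider)


def worst_case_first_answer(delegation: Dict[str, str], provider: str,
                            timeout_s: float = 5.0) -> float:
    """Crude model of a recursive resolver with no RTT history that tries the NS
    set serially and waits `timeout_s` on each dead server. Assumption: the dead
    servers are tried first (worst ordering). Real resolvers randomise and keep
    RTT estimates, so this is an upper bound, not a prediction."""
    dead = len(delegation) - len(survivors_if_down(delegation, provider))
    if dead == len(delegation):
        return float("inf")  # zone is simply unresolvable
    return dead * timeout_s


if __name__ == "__main__":
    report = diversity_report(SAMPLE_DELEGATION)
    dominant = report["largest_provider"]
    print(report)
    print(f"if {dominant} is down, still reachable: "
          f"{survivors_if_down(SAMPLE_DELEGATION, dominant)}")
    print(f"worst-case wait for a first answer: "
          f"{worst_case_first_answer(SAMPLE_DELEGATION, dominant)} s")
```

For the constructed delegation the report shows one operator holding two thirds of the NS set, and with that operator down a cold resolver can burn four full timeouts (20 s at the 5 s used here) before it reaches a working server, which is longer than many stub resolvers and mail clients will wait. That is the mechanism behind "we had two working servers and still had to query them by hand". To run this against a real zone, fill the dictionary from `dig +short NS zone` and an A lookup of each name, and treat a share above one half at any single operator or /24 as the thing to fix.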

Re:Real ripple effects, even from this small event (1)

silas_moeckel (234313) | more than 7 years ago | (#17086110)

Who is the bright boy that put a spam filter on a drop box for important tax info? This is the digital equivalent of the government refusing to accept mail and claiming you missed the deadline.

Re:Real ripple effects, even from this small event (1)

ScentCone (795499) | more than 7 years ago | (#17086290)

Who is the bright boy that put a spam filter on a drop box for important tax info? This is the digital equivalent of the government refusing to accept mail and claiming you missed the deadline.

I believe the official policy is that things are supposed to take place by postal mail, and FAX by fallback. But folks at both ends had been swapping mail for months with no problem (and more reliably AFTER the spam filtering went in), and got seduced into assuming it would always work. That's what happens, I see it all the time.

They deserve the grief (3, Insightful)

Pig Hogger (10379) | more than 7 years ago | (#17086202)

In one case, a vital piece of mail sent to a state taxing authority couldn't get through on a month-end calendar deadline, causing much grief.
That grief is well deserved. E-mail is **NOT** reliable, and delivery is **NOT**, **CAN NOT** and **WILL NOT** be guaranteed. So anyone stupid enough to entrust "vital" communication to e-mail rightly deserves to have his arse whipped real good.

Myself, a month ago I missed an opportunity to collaborate on a TV miniseries. Why? Because the moron who asked me for my collaboration absolutely trusted e-mail, and it was **THE** message that bounced thanks to a network glitch, and that moron didn't think of calling me on the **PHONE**. Well, if they were stupid enough to trust e-mail like that, they probably would have made a crappy miniseries anyways.

For casual communications, there is e-mail.

For vital ones, there is registered mail, fax or phone.

Re:They deserve the grief (1)

ScentCone (795499) | more than 7 years ago | (#17086282)

For casual communications, there is e-mail.

Yup. But when (in the case I'm citing) an accounting type and a person at a tax office have been happily swapping mail for many months, with little or no lag, they tend to get lulled into a sense of false reliability. And that's what happens.

"nefarious domain" is a loaded and subjective term (5, Insightful)

plasmacutter (901737) | more than 7 years ago | (#17085920)

What is "nefarious"?

to some.. the pirate bay and allofmp3 are "nefarious domains"..

to others "www.f**Ktimewarner.com" and "walmartsucks.com" are "nefarious domains"

and to others "www.wikipedia.org" and "www.aclu.org" are "nefarious domains".

I have a lot of trouble with the idea that DDOS attacks were being carried out in (apparently successful) attempts to wipe domains off the face of the earth..

this implies the attackers had no legal standing to take those domains offline.. then they call them "nefarious" after the fact.

Re:"nefarious domain" is a loaded and subjective t (0)

Hellasboy (120979) | more than 7 years ago | (#17086736)

dictionary.com defines nefarious as: "Infamous by way of being extremely wicked."

What exactly being wicked would depend on the situation (as that's a subjective term) and considering that they are trying to take down websites via DDOS attacks, I'd call that wicked.

Although, I don't understand your last statement. Is it wrong to call them nefarious after the fact? Wouldn't you call a person a murderer after they murder someone?

Re:"nefarious domain" is a loaded and subjective t (1)

plasmacutter (901737) | more than 7 years ago | (#17086816)

I think you read that summary wrong..

the DDOS attacks were supposedly against "nefarious domains" which this DNS service then took down, bowing to these cyberterrorist actions.. and after taking them down responded to questions by saying their attackers were actually attacking "nefarious" websites.

What's the motive? (1)

Jotii (932365) | more than 7 years ago | (#17085952)

What reason could there be for botnet owners to attack EveryDNS? I can't see that they'd gain anything from it.

Re:What's the motive? (2, Insightful)

ScentCone (795499) | more than 7 years ago | (#17086068)

What reason could there be for botnet owners to attack EveryDNS? I can't see that they'd gain anything from it.

It's an indirect attack against people who use EveryDNS to get traffic to their own sites (or mail servers, etc). If you ran, say, an online casino, and your main competition for a particular type of customer happened to have EveryDNS doing their forward lookups... and you could shut down your competition for at least a full business day by torpedoing the DNS they need to be seen - presto, done. EveryDNS wasn't the target, their customers were the target.

Botnet? Call it what it is! (4, Insightful)

Chris Tucker (302549) | more than 7 years ago | (#17085984)

Compromised Windows machines network.

Where are the class action suits against Microsoft for continually producing such flawed software that makes it easy to 0wn a box?

If it wasn't for 20 some years of MS indifference towards security, there wouldn't be botnets like this, being used for DDOS attacks and forwarding billions of spams a day.

Re:Botnet? Call it what it is! (1)

ewl1217 (922107) | more than 7 years ago | (#17086104)

They're right here. [slashdot.org]

Re:Botnet? Call it what it is! (0)

NineNine (235196) | more than 7 years ago | (#17086142)

If it wasn't for 20 some years of MS indifference towards security, there wouldn't be botnets like this, being used for DDOS attacks and forwarding billions of spams a day.

Uh, wrong. No software is completely secure, especially something as complicated as an operating system. This would still be happening, except it would be on Unix/OS2/Apple boxes instead of Windows. Get over it.

Re:Botnet? Call it what it is! (1)

tomstdenis (446163) | more than 7 years ago | (#17086186)

That's because Windows is so "user friendly." Unfortunately, what most users want to do with their computers is TOTALLY INSECURE.

This of course doesn't help the remote exploits, buffer overflows [in file formats] and other problems that are totally native to MS [and go unfixed for random amounts of time]. Not that bugs don't happen in the OSS world, but they tend to be fixed faster, and a larger portion of OSS users are more aware of secure computing practices [e.g. not running as root, not opening every f'ing attachment, not running IE...].

If people just learned thing one about their computers they wouldn't be such easy prey for every script kiddie asshat loser troll with a cause.

And of course, folk like MSFT are just all too happy to oblige their ignorance.

Tom

Re:Botnet? Call it what it is! (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17086514)

Since when is 'not user friendly' a feature? This smells like Microsoft marketing, but it's coming from OSS people now. We don't let people who aren't geeks use our software.

Me, I'm a geek who uses Windows. I do computer fixes for a living, and I need to be intimately familiar with the systems my clients use, which are almost 100% Microsoft. Yet, despite running such 'inherently flawed software,' I haven't had a virus/trojan on one of my boxes. Ever. Turns out geeks are secure, regardless of what OS they use. We know how to put up firewalls, install AV software, recognize scams and evil email attachments.

News flash: Ignorant people are easy to take advantage of. The fact that MS is user friendly enough to let stupid users on isn't a reason to bash them. There are many reasons, but not that.

*Waits to get modded -1 [Microsoft]*

Re:Botnet? Call it what it is! (1)

Phroggy (441) | more than 7 years ago | (#17086410)

Linux botnets don't get as much publicity, but they do exist; my own server fell prey once when I did something stupid, and I only found out about it when I got a spam complaint forwarded by my ISP.

Re:Botnet? Call it what it is! (0, Flamebait)

Chris Tucker (302549) | more than 7 years ago | (#17086896)

However, compared to the tens of thousands of 0wned Windows boxes, 0wned Linux boxes are what, a fraction of a percent of the Windows zombies?

And you weer able to fix it. Try fixing a zombiefied Windows machine, short of pulling the infected drive and replacing it with a fresh, virgin drive.

Which will be 0wned after 30 minutes connected to the Net, due to the POS that is Windows, coupled with the ignorance of the bog-standard Windows luser.

Re:Botnet? Call it what it is! (1)

Chris Tucker (302549) | more than 7 years ago | (#17086906)

"And you weer able to fix it."

What is this, "The Preview Button", you speak of?

These words confuse me!

Re:Botnet? Call it what it is! (0)

Anonymous Coward | more than 7 years ago | (#17087934)

was this, "the preview button", you speak of broken when you published your website? DOWN WITH BUSH HURRR.

Re:Botnet? Call it what it is! (0)

Anonymous Coward | more than 7 years ago | (#17087118)

> And you weer able to fix it. Try fixing a zombiefied Windows machine, short of pulling the infected drive and replacing it with a fresh, virgin drive.

Let's not forget where the term "rootkit" comes from. Any compromised machine has to be scraped, period.

Re:Botnet? Call it what it is! (2, Insightful)

Shados (741919) | more than 7 years ago | (#17087264)

Well, considering that #1 if Linux had the market share Windows has, it would be a bigger chunk, the fact is most Windows viruses are probably caught by users -willingly- installing crap on their computers. If you're a retarded user, and you see a "L33t KDE icon package!" and follow instructions that tell you to login as root and run an executable, your box will get owned either way. Sure, Linux takes more steps to prevent this, but still.

Re:Botnet? Call it what it is! (1)

Phroggy (441) | more than 7 years ago | (#17087384)

And you weer able to fix it. Try fixing a zombiefied Windows machine, short of pulling the infected drive and replacing it with a fresh, virgin drive.

What do you think antivirus and antispyware apps do? On Linux I had to track it down by hand.

Which will be 0wned after 30 minutes connected to the Net, due to the POS that is Windows, coupled with the ignorance of the bog-standard Windows luser.

Windows XP Service Pack 2 won't be 0wned just by connecting it. And if you're gonna throw user ignorance into the mix... Try creating an account with a username like "temp" and a simple password like "temp123" on an average run-of-the-mill non-firewalled Linux box, and see how long it takes.

Re:Botnet? Call it what it is! (0)

Anonymous Coward | more than 7 years ago | (#17086556)

Oh for Pete's sake, the problem isn't just Microsoft. The people using the compromised computers just don't care/aren't knowledgeable enough to stop it. With remote exploitable holes in OpenSSH I would think it was apparent that every computer system on earth has security holes from time to time. If you never patch, and don't care when your system has obviously been pwned, then you too can be part of a botnet.

Re:Botnet? Call it what it is! (2, Insightful)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#17087034)

Do we know that the botnet was the result of remote exploits and not the result of users explicitly downloading software that happened to be Trojanized? We can blame Microsoft for opening ports without need, having insecure software listening to those ports, and for making drive-by downloads possible. But if someone just insists on installing dancing cursors or weather forecasts, that's not Microsoft's fault.

Open Letter to all Trolls (4, Interesting)

tomstdenis (446163) | more than 7 years ago | (#17085994)

You're pricks.

Nothing positive or lasting will come out of trolling (and yes: this means you anonymous asshats on /. and in usenet).

So why not be part of a winning team and stop script kiddie'ing around from your parents basement.

Sincerely,
The Rest of the Human Race.

Re:Open Letter to all Trolls (0)

Anonymous Coward | more than 7 years ago | (#17086350)

I find two things funny about the parent post. First it's modded troll. Second the guy with the mod points was apparently a troll that responded negatively to the anti-troll sentiment.
Hilarity ensues. :-P

Stupid Me... (2)

ewl1217 (922107) | more than 7 years ago | (#17086012)

Did anybody else read this as "Every DNS Under Botnet DDoS Attack"?

Re:Stupid Me... (1)

EricJ2190 (1016652) | more than 7 years ago | (#17086194)

That would have to be one massive attack!

Re:Stupid Me... (0)

Anonymous Coward | more than 7 years ago | (#17087210)

Yes, it's not your fault though, my mind put a space there simply because I'm so used to correcting spelling/punctuation on slashdot that I don't even think about it.

solution to DDOS attack (0)

Anonymous Coward | more than 7 years ago | (#17086106)

1. Turn off the router
2. Turn on the TV and watch Oprah.
3. Turn the router back on before going home
4. Laugh all the way to the bank

Re:solution to DDOS attack (5, Informative)

sirket (60694) | more than 7 years ago | (#17086882)

Not quite- It generally works like this:

First off- be prepared for a damned attack and don't wait til it happens. When an attack does come:

1- Identify the target IP address
2- Immediately null-route traffic for that address (preferably using BGP community based null-routing)
This gets the rest of your systems back up and gives you time to work on the problem.
3- Try to identify a pattern in the attacking traffic- use a product from a company like Mazu- or just tcpdump if you're good with sed and awk.
4- If there is a pattern ask the upstream ISP to block based on that pattern (same source port, same source IP, same TTL, whatever). Or block it yourself if you have the router and bandwidth capacity to deal with the attack yourself- though that's generally a waste of your resources.
5- If there is no pattern but the traffic is malformed then enable a Cisco Riverguard or similar protection device that can filter out malformed traffic at the higher protocol layers. As an alternative, sign up for such a service from a company like Prolexic.
6- Remove your null route and see how you did.
7- If you can't afford a protection service, you can try moving the host/dns records to new IP's. Sometimes the attacks don't follow- sometimes they do. It's often worth a try as it can be done faster than enabling protection services in many cases. In this case leave the old null route in place until the attack stops. Be prepared for the attack to return at any time once they realize what's happened.

Make sure to keep traffic logs for law-enforcement and to share with other ISP's so that they can track down the offending bots.

In the future try to keep your traffic as segregated as possible such that an attack on a single host will not take down too many other services should you need to null-route that address for an extended period of time.

The easiest solution- block all IP addresses assigned to the APNIC region and watch as your site immediately returns to normal. Sadly most of the DDoS's I've seen recently had the majority of their traffic sourced from APNIC addresses.

-sirket
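Steps 1 to 4 above, run over a handful of packet-header lines, as an added example (this is not EveryDNS's or the poster's tooling). The tcpdump-style lines are constructed, the addresses come from the RFC 5737 documentation ranges, and the 80% "dominant value" threshold is an assumption; the idea is to show what "find a pattern in the attacking traffic" looks like in code, and why per-source blocking is pointless when every source is different:

```python
"""Triage of a DDoS capture: pick the target, find a filterable header pattern.

Added example, not EveryDNS's or the commenter's code. Input lines mimic the
shape of "tcpdump -nn -v" output and are constructed for this example.
"""
import re
from collections import Counter

# Constructed sample capture: a UDP flood to 198.51.100.10:53 from many
# different sources, all with TTL 51 and 40-byte payloads, followed by three
# ordinary-looking queries. Addresses are RFC 5737 documentation ranges.
SAMPLE = """\
IP (ttl 51) 203.0.113.7.4521 > 198.51.100.10.53: UDP, length 40
IP (ttl 51) 203.0.113.88.1043 > 198.51.100.10.53: UDP, length 40
IP (ttl 51) 192.0.2.19.33001 > 198.51.100.10.53: UDP, length 40
IP (ttl 51) 192.0.2.200.5555 > 198.51.100.10.53: UDP, length 40
IP (ttl 51) 203.0.113.150.1024 > 198.51.100.10.53: UDP, length 40
IP (ttl 51) 192.0.2.77.40001 > 198.51.100.10.53: UDP, length 40
IP (ttl 51) 203.0.113.3.2048 > 198.51.100.10.53: UDP, length 40
IP (ttl 51) 192.0.2.130.7777 > 198.51.100.10.53: UDP, length 40
IP (ttl 51) 203.0.113.201.6000 > 198.51.100.10.53: UDP, length 40
IP (ttl 51) 192.0.2.8.1234 > 198.51.100.10.53: UDP, length 40
IP (ttl 60) 198.51.100.200.52111 > 198.51.100.10.53: UDP, length 64
IP (ttl 57) 192.0.2.50.49152 > 198.51.100.11.53: UDP, length 58
IP (ttl 115) 203.0.113.9.61000 > 198.51.100.11.53: UDP, length 61
"""

LINE_RE = re.compile(
    r"IP \(ttl (?P<ttl>\d+)\) "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<src_port>\d+) > "
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dst_port>\d+): "
    r"(?P<proto>\w+), length (?P<length>\d+)"
)


def parse(text):
    """One dict per parseable line; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        p = m.groupdict()
        for key in ("ttl", "src_port", "dst_port", "length"):
            p[key] = int(p[key])
        packets.append(p)
    return packets


def find_target(packets):
    """Step 1: the destination drawing the largest share of packets."""
    counts = Counter(p["dst_ip"] for p in packets)
    ip, n = counts.most_common(1)[0]
    return ip, n / len(packets)


def find_patterns(packets, target, min_share=0.8):
    """Step 3: header fields where one value dominates the target's traffic.

    dst_ip, dst_port and proto are the attacked service itself, so they are
    deliberately not candidates: a filter on them drops legitimate queries
    along with the flood. Also returns the number of distinct sources, since
    a large number means source-based blocking will not work.
    """
    attack = [p for p in packets if p["dst_ip"] == target]
    patterns = {}
    for field in ("ttl", "src_ip", "src_port", "length"):
        value, n = Counter(p[field] for p in attack).most_common(1)[0]
        share = n / len(attack)
        if share >= min_share:
            patterns[field] = (value, share)
    return patterns, len({p["src_ip"] for p in attack})


def suggest(target, patterns, sources):
    """Steps 2 and 4 as advice: null-route the /32 first, then filter upstream."""
    advice = [f"null-route {target}/32 now (announce it with your RTBH community)"]
    if patterns:
        cond = " and ".join(f"{f}=={v}" for f, (v, _) in patterns.items())
        advice.append(f"ask upstream to drop packets to {target} where {cond}")
    else:
        advice.append("no single-field pattern; move to a scrubbing service or new IPs")
    if "src_ip" not in patterns:
        advice.append(f"{sources} distinct sources: per-source blocking is futile")
    return advice


if __name__ == "__main__":
    pkts = parse(SAMPLE)
    target, share = find_target(pkts)
    print(f"target {target} receives {share:.0%} of packets")
    patterns, sources = find_patterns(pkts, target)
    for line in suggest(target, patterns, sources):
        print(" -", line)
```

On the constructed sample the script singles out 198.51.100.10, reports TTL 51 and length 40 as the dominant values, and notes that the eleven sources are all different, which is exactly the case where step 4 (a TTL or length match handed to the upstream) beats any source-address blocklist. Real captures need far more packets than this before an 80% share means anything.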

Possible Target? (1)

Black-Six (989784) | more than 7 years ago | (#17086184)

After reading the updated article at Security Watch (http://securitywatch.eweek.com/exploits_and_attacks/everydns_opendns_under_botnet_ddos_attack.html), I'm beginning to think that the target of the attack was Phish Tank itself. Why else would a hacker or hackers launch such a large scale assault on one of the world's largest free DNS providing groups if only to knock them offline for only a few hours? I think that the domains in question are just cover for the attackers' attempt at taking Phish Tank offline, i.e. divert System Admins' attention and resources, backdoor your way into the Phish Tank server, upload botnets and viruses, then push your little red button and watch years' worth of work in the security field go down in a flaming death-throe. This, IMVO, to me, seems the more likely reason other than just a few kids jacking around. Why else would such a high profile target be selected by the everyday hacker if he knew the full brunt of the FBI was going to come down on him? These people that launched this assault seem to know what they wanted and went about it knowing full well what they were getting into. Also they attacked the entire DNS group's world wide system. These things seem to indicate to me that they wanted Phish Tank to go offline but just weren't able to pull it off.

Every DNS, not EasyDNS. (1)

Simon Carr (1788) | more than 7 years ago | (#17086208)

Hey all,

I have to stress that it is EveryDNS that is under attack, and not EasyDNS.com [easydns.com].

That being said this is not an uncommon issue these days at DNS providers across the 'net. Before anyone starts to kick and scream about how EveryDNS is handling things, remember that these attacks can get astoundingly vicious.

No amount of "clue" or mitigation or whatnot will help when the upstream service providers themselves are having trouble with the traffic load from a large-scale botnet attack.

Re:Every DNS, not EasyDNS. (3, Informative)

sirket (60694) | more than 7 years ago | (#17086828)

If your upstream provider can't handle 400Mbps of traffic then you're being hosted by a pretty shitty ISP/data-center. It's not like gig uplinks are expensive (even if you only commit to a tiny rate you can generally get gig uplinks). Spread this across 4 or more datacenters and you've got a lot of bandwidth.

Not to mention that networking people generally don't give a shit about bandwidth- it's packets per second that kill routers, not bandwidth. Assuming 100 byte packets that's about 4Mpps- even a basic 7600 can handle this kind of traffic. Assuming 30 byte packets (can't be smaller than that) you're talking about 15Mpps. Again, even a basic 7600 should be able to handle that- not to mention a Juniper M7i or similar. Most Foundry equipment would laugh at that rate. All of these routers can do ACL's at full packet rates.

That said- other recent DNS attacks exceeded 1.5 Gigabits per second of traffic and were a lot more vicious than the attack being described here.

I'm not knocking EveryDNS- I know what a bitch dealing with a DDoS can be- the problem tends to be that most people aren't ready to deal with it. Using BGP community based nullrouting most services can be restored within seconds of the target IP(s) being identified. That allows admins to keep untargeted systems and services up while the attacked systems are dealt with. The admins can then use the time to locate some/any pattern in the attack or enable the appropriate filtering such as a Cisco Riverguard or similar.

-sirket

sue (1)

Lehk228 (705449) | more than 7 years ago | (#17086226)

sue each participating machine owner for negligence

if you have a dog and it bites someone or damages someone's property you are liable, so why not computers?

Re:sue (2, Insightful)

The Mysterious X (903554) | more than 7 years ago | (#17086254)

Because nobody has broken into the dog and forced it to bite somebody.

Re:sue (1)

antispam_ben (591349) | more than 7 years ago | (#17086446)

Because nobody has broken into the dog and forced it to bite somebody.

The owner could be sued even if the dog has rabies.

Re:sue (1)

Vegeta99 (219501) | more than 7 years ago | (#17087240)

Ok, so what?

A. You allowed your dog to be in the open enough for someone to infect it.

B. You refused to notice different behavior patterns in your dog (ie, he was slow to respond, seemed to be preoccupied every time you called him).

C. You refused to take your dog to the vet often enough to notice this distemper, and he bit someone.

You are liable. Replace dog with PC, and vet with "antivirus" and we're all good.

Re:sue (0)

Anonymous Coward | more than 7 years ago | (#17086800)

If I kidnapped you with the purpose of torturing you, and gave you the option of being tossed in a room with a starving german shepherd or witnessing a brutal ddos attack on your computer for a day, which would you choose? I think anyone with a brain would agree that being attacked by a dog is far more injurious than the inconvenience of having your computers not working at peak efficiency for a day or two. Come on.

DNSPark, too (3, Interesting)

mrmagos (783752) | more than 7 years ago | (#17086412)

I use DNSPark [dnspark.net] , and they were subject to a DDOS attack earlier this week, too. Are they affiliated with EveryDNS too, or is it coincidence, since they are another cheap/free DNS host?

Bah My sites got hit (1)

future assassin (639396) | more than 7 years ago | (#17086848)

Had to take my home server offline as three of my sites all had time outs from too many mysql connections. Noticed my home cable connection was slow as hell.

At least...! (1)

merc (115854) | more than 7 years ago | (#17087454)

there wasn't a link to EveryDNS in the article.

The DDoS Flu Is Going Around (1)

WrongSizeGlass (838941) | more than 7 years ago | (#17088132)

Two of my clients were affected by separate DDoS attacks against their hosting companies this week, and another was affected by this one. It must be contagious ... either that or I'm cursed.

Oh noes (1)

Dersaidin (954402) | more than 7 years ago | (#17088156)

INTERNET TERRORISM.