DNS Providers Under Attack

Published: 2009-04-03
Last Updated: 2009-04-04 02:53:13 UTC
by Lenny Zeltser (Version: 2)
3 comment(s)

We've been keeping an eye on the issues affecting the domain servers of Register.com. Several readers have written to us with concerns over the lack of availability of Register.com's servers, which seem to have been under a DDoS attack. There are also reports that DNS provider NeuStar (UltraDNS) may be under DDoS, too.

We don't have any information at the moment about these incidents, beyond what is reported in the following articles:



The Register.com problems are causing lots of issues across the web. One reader told us, "We are struggling to keep our websites available. DNS is the problem. We are being told by Register.com that the April 1 issues are affecting them. It sounds like they are being DOS'd and are filtering certain ISPs from querying them." Another reader said, "Register.com's DNS servers have gone offline for the second time in 24 hours. They were down yesterday from about 15:45 - 18:45 and just went down again today at about 14:30 (all times EST)."

Update: Alan shared with us the email his company, a customer of Register.com, received from Register.com today (see below). Alan also told us "Although we had no reports of issues with access to our sites, we are not certain of any impact yet."


Earlier today we communicated to you we were experiencing intermittent service disruptions as a result of a distributed denial of service (DDoS) attack – an intentionally malicious flooding of our systems from various points across the internet.

We want to update you on where things stand.

Services have been restored for most of our customers including hosting and email. However for some of our customers, services are not fully restored. We know this is unacceptable.

We are using all available means to restore services to every one of our customers and halt this criminal attack on our business and our customers’ business. We are working round the clock to make that happen.

We are committed to updating you in as timely a manner as possible. Please check your inbox or our website for additional updates.

Thank you for your patience.

Larry Kutscher
Chief Executive Officer


If you have any additional details regarding these attacks, please let us know.

-- Lenny
Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute.


3 comment(s)


Not sure what is up yet, but you can see stats here: http://www.cymru.com/monitoring/dnssumm/
I received an e-mail notice from Register.com that indicates most services have been restored. I also found it interesting that one comment on the scmagazine post immediately jumped on Conficker and MS Patches while a second dismissed the MS patch issue. I'm not aware of any correlation to Conficker, but I wouldn't rule it out yet either. If the sources of the DDoS are found to match Conficker infection patterns by country as published in other articles that would seem to indicate a link. Anyone aware of data to indicate this attack's source by country?
