
SANS ISC: DNS Providers Under Attack - SANS Internet Storm Center SANS ISC InfoSec Forums


DNS Providers Under Attack

We've been keeping an eye on the issues affecting the domain servers of Register.com. Several readers have written to us with concerns over the lack of availability of Register.com's servers, which seem to have been under a DDoS attack. There are also reports that DNS provider NeuStar (UltraDNS) may be under DDoS, too.

We don't have any information at the moment about these incidents, beyond what is reported in the following articles:

http://www.theinquirer.net/inquirer/news/638/1051638/register-com-suffers-dos-attack

http://www.scmagazineus.com/DDoS-attacks-hit-major-web-services/article/130060/

The Register.com problems are causing lots of issues across the web. One reader told us, "We are struggling to keep our websites available. DNS is the problem. We are being told by Register.com that the April 1 issues are affecting them. It sounds like they are being DOS'd and are filtering certain ISPs from querying them." Another reader said, "Register.com's DNS servers have gone offline for the second time in 24 hours. They were down yesterday from about 15:45 - 18:45 and just went down again today at about 14:30 (all times EST)."

If you have any additional details regarding these attacks, please let us know.

 

-- Lenny
 
Lenny Zeltser - Security Consulting
 
Lenny teaches malware analysis at SANS Institute. You're welcome to follow him on Twitter. You can track new Internet Storm Center diaries by following ISC on Twitter.

 

Lenny

216 Posts
ISC Handler
Not sure what is up yet, but you can see stats here: http://www.cymru.com/monitoring/dnssumm/
Brett

5 Posts
I received an e-mail notice from Register.com that indicates most services have been restored. I also found it interesting that one comment on the scmagazine post immediately jumped on Conficker and MS Patches while a second dismissed the MS patch issue. I'm not aware of any correlation to Conficker, but I wouldn't rule it out yet either. If the sources of the DDoS are found to match Conficker infection patterns by country as published in other articles, that would seem to indicate a link. Anyone aware of data to indicate this attack's source by country?
Alan

57 Posts