DoS Attack persists.

Written by Mark Jeftovic on January 7, 2012 — 7 Comments

Also See:

[UPDATE: 12:54AM Jan 08] The attack traffic is still coming in fairly heavily. We are working on a couple of avenues of adjusting our defenses.

[UPDATE: 2:33AM EST Jan 08] DNS1 is back online. dns2 has been mostly online througout most of this. We are now working on dns3. ]

[UPDATE: 3:17AM Jan 08] We have rerouted dns3.easydns.CA and dns3.easydns.ORG to dns4.easydns.info for now. We will be bringing the main DNS3 anycasts back up Sunday during the day.

We think the worst is over for today's DOS attack which hit us on dns1.easydns.com, dns2.easydns.net and dns3.easydns.org (and dns3.easydns.ca) anycast constellations.

The attack was a multi-faceted multi-gig combination of SYN, ICMP and DNS Flood.

DNS1 and DNS3 totally imploded. DNS1 is coming back in pieces, DNS3 is still down hard.

DNS2 went down when the attack first hit, but Prolexic was able to bring enough of it back up after 30 minutes or so to restore partial service.

We are working on bringing the rest of DNS1 up, and a workaround to route DNS3 traffic elsewhere until the attack traffic abates.

On that note, the target of the attack has been identified and has removed its nameserver delegation from us. Until about an hour ago there were still nameservers reporting our nameservers as the delegation for the target domain. Now that those are gone, we expect the attack traffic to drop.

I also by accident pulled our previous post on this subject back into draft mode, making it invisible on the blog, because I meant to revoke my (now, seemingly idiotic "Save the Elephants" post), which I hit publish on almost the exact moment the attack started. Because it's been that kind of a day.

This isn't the post-mortem. I will post that later. Just wanted to update everybody with where we're at.

There will be serious, structural changes here as a result of today. The worst DOS attack impact we've suffered since 2005.

Posted in Status

7 Comments to “DoS Attack persists.”

You can follow all the replies to this entry through the comments feed.

mark fogarty

January 8, 2012 at 12:32 am | Permalink

my domains still aren't resolving
Tony Uccello

January 8, 2012 at 1:10 am | Permalink

Our site was down since around 6pm Saturday Jan 7, 2012.
I find this incident totally unacceptable.
There should be failsafes in place so this type of situation doesn't occur.

This outage has cost us severely.
Stephen Swan

January 8, 2012 at 3:46 am | Permalink

Coudl you be more clear about what DNS servers (including FQDN) we should be pointing to in order for us to resume operation?
easyDNS Support

January 8, 2012 at 1:16 pm | Permalink

Hi Stephen,

Replied by mail.
Arnon
easyDNS Support

January 8, 2012 at 1:28 pm | Permalink

Hi Tony, please see our recent blog post at http://blog.easydns.org/2012/01/08/mini-faq-about-the-jan-07-ddos-attack/#more-1959 for details, and I've emailed you as well. We understand your frustration, believe me. This was a game-changing incident, and has affected more than just ourselves.
easyDNS Support

January 8, 2012 at 1:29 pm | Permalink

Hi Mark,

We believe things have calmed down and resolution is solid again, but if you are still seeing problems, please let us know at support@easydns.com. Our apologies for the inconvenience, this has been a long night for everyone, not just with us. Please see the faq Mark posted at http://blog.easydns.org/2012/01/08/mini-faq-about-the-jan-07-ddos-attack/#more-1959 for more details.

Regards

Arnon
BTaylor

January 8, 2012 at 4:06 pm | Permalink

what I appreciate about easydns is their total transparency. So many would try to hide problems, issues and point fingers. You are authentic. I hope you find ways to kick these attackers in the ass!