Posted: 10:20 AEST 4th June 2013
Over the past several days Netregistry has experienced a series of Distributed Denial of Service (DDoS) attacks against its DNS name servers. Each lasted a few hours before we were able to mitigate it. A DDoS occurs when many computers attempt to access the same service simultaneously, overwhelming the capacity of the server to respond. Think of a DDoS as everybody at a football game coming to your house after the game and trying to get in your front door at the same time. It just can't happen.
Netregistry Group operates a geographically diverse DNS operation with a number of servers around the globe. Such a setup helps us reduce downtime and the latency of DNS requests. The volume of DNS queries generated by the DDoS inundated and overwhelmed our DNS services. We employ several methods to defend against such attacks, including high-performance DNS server software, many machines spread across various geographic locations and networks, Juniper firewalls, host-based firewalls and Arbor Pravail anti-DDoS equipment in our Australian data centre.
We managed to mitigate the attacks of the previous few days using the above infrastructure. Today (Monday 3rd June, evening) we took the drastic step of rate limiting DNS queries using the Arbor Pravail equipment to stem the flow of the attack. This had the immediate effect of identifying 1000 hosts participating in the attack, in addition to those we had already identified.
Our engineers have been closely monitoring blocked servers and whitelisting legitimate users of the service, but because of the aggressive nature of the filtering there will be some false positives: some legitimate customers will be denied service. In the next few days we will continue to whitelist such false positives as we discover them. This kind of rate limiting is not ideal and not a long-term solution, and it will cause some further inconvenience. Our long-term strategy is to further cluster, load balance and segregate name services to provide greatly enhanced scale, fault tolerance and capacity. This had not been required prior to this attack.
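To make the trade-off described above concrete, here is an added example (written for this page; it is not Netregistry's configuration and not an Arbor Pravail rule set) of per-source DNS query rate limiting with a whitelist, run over constructed log lines. The log format, the addresses (RFC 5737 documentation ranges), the threshold of 10 queries per second and the helper names are all assumptions made for the example. It shows why a busy recursive resolver is the classic false positive: without a whitelist entry it is throttled exactly like the attacking hosts.

```python
"""Per-source DNS query rate limiting with a whitelist, applied to constructed log lines.

Hypothetical example: the log layout, thresholds and addresses are assumptions,
not Netregistry's setup or the Arbor Pravail rule set.
"""
from collections import defaultdict, deque


def build_sample_log():
    """Constructed log lines in an assumed 'epoch_seconds src_ip qname qtype' layout."""
    lines = []
    # 203.0.113.7 and 203.0.113.8: two hosts flooding one name, 20 queries each in ~1 s.
    for i in range(20):
        for src in ("203.0.113.7", "203.0.113.8"):
            lines.append(f"{1370300000 + i * 0.05:.2f} {src} example.com.au A")
    # 198.51.100.53: a busy recursive resolver, legitimately sending 20 queries in ~1 s.
    for i in range(20):
        lines.append(f"{1370300000 + i * 0.05:.2f} 198.51.100.53 host{i}.example.net A")
    # 192.0.2.10: an ordinary client, two queries.
    lines.append("1370300000.10 192.0.2.10 www.example.org A")
    lines.append("1370300000.40 192.0.2.10 www.example.org AAAA")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, source, qname, qtype)."""
    ts, src, qname, qtype = line.split()
    return float(ts), src, qname, qtype


class SlidingWindowLimiter:
    """Allow at most max_queries from one source in any window_seconds interval.

    Whitelisted sources bypass the limit entirely, which is how the false
    positives the text describes get cleared once they are recognised.
    """

    def __init__(self, max_queries, window_seconds, whitelist=()):
        self.max_queries = max_queries
        self.window = window_seconds
        self.whitelist = set(whitelist)
        self.recent = defaultdict(deque)  # src -> timestamps of allowed queries

    def allow(self, src, ts):
        if src in self.whitelist:
            return True
        q = self.recent[src]
        # Drop allowed queries that have aged out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_queries:
            return False
        q.append(ts)
        return True


def apply_limiter(lines, limiter):
    """Replay the log in timestamp order; return {src: (allowed, blocked)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, src, _, _ in sorted(map(parse_line, lines)):
        stats[src][0 if limiter.allow(src, ts) else 1] += 1
    return {src: tuple(v) for src, v in stats.items()}


def suspected_sources(stats):
    """Sources that hit the limit: candidates for the attack host list."""
    return sorted(src for src, (_, blocked) in stats.items() if blocked)


if __name__ == "__main__":
    log = build_sample_log()
    # First pass: no whitelist. The resolver is throttled just like the attackers.
    print(apply_limiter(log, SlidingWindowLimiter(10, 1.0)))
    # Second pass: resolver whitelisted after an engineer confirms it is legitimate.
    stats = apply_limiter(log, SlidingWindowLimiter(10, 1.0, whitelist={"198.51.100.53"}))
    print(stats)
    print("suspected:", suspected_sources(stats))
```

The first pass throttles the resolver at 198.51.100.53 to 10 of its 20 queries, which is the false positive the text warns about; only after it is whitelisted does it pass unthrottled, while the two flooding hosts still lose half their queries and surface in the suspect list. One caveat for authoritative servers: limiting raw queries per source, as here, is the blunt form of this control. DNS Response Rate Limiting (RRL), available in BIND since 9.9.4 and in Knot DNS, instead limits identical responses per client netblock, which throttles reflection and flood traffic with fewer false positives for large resolvers. The page does not say which form the Pravail rule used.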
Mitigating a DDoS attack is a combination of determining the attack type, identifying the many source locations and absorbing the volume. The traffic graph below illustrates the exponential volume increase caused by today's DDoS (Monday 3rd June) compared with the more moderate increase from the weekend attacks.
Our current mitigation strategies are successfully keeping the attack at bay, and our engineers will continue to closely monitor the situation. We appreciate the severe inconvenience this has caused a number of our customers; however, we would like you all to be aware that the outage was caused not by poor systems but by external abuse of our servers, and to be aware of the infrastructure and systems we have in place to deal with such issues.
We have provided more detailed information than usual to assure our partners that Netregistry Group has invested significantly in DDoS mitigation and will always invest further as required to protect our network from external threats. As this is a security incident, some details in this communication are deliberately vague. We will not be commenting further, while acknowledging that many technically minded customers will find this raises as many questions as it answers.
This post was provided by the Netregistry Group Security Team.