UltraDNS Dealing with DDoS Attack

DNS provider UltraDNS has been under a DDoS attack for much of the day.

UPDATE – UltraDNS said it has mitigated a distributed denial of service (DDoS) attack for most of its customers after the service was degraded for most of the day.

“Currently, only customers utilizing a segment of UltraDNS Name Server addresses are experiencing resolution latency due to intermittent network saturation in the Western US,” said Neustar director of product management, security solutions, Jim Fink in an email to Threatpost. “We continue to aggressively refine mitigations for these customers and hope to have the issue resolved shortly. We have been and will continue to provide regular updates to our UltraDNS customers via our usual customer notification process.” UltraDNS is a Neustar company.

The SANS Institute’s Internet Storm Center said this afternoon that it received multiple reports of outages and DNS resolution issues, reportedly because of a 100 Gbps DDoS attack against one of UltraDNS’ customers that resulted in latency issues for others.

“One reporting party did indicate that they learned that the management of UltraDNS had said that one of their customers was being attacked and that they black-holed that customer to get back on trend,” wrote ISC handler Russ McRee. “Resolver nodes around the world are resetting.”

Neustar absorbed some criticism on Twitter as well, where users dependent on UltraDNS services were venting frustration over a lack of communication from the company. One tweet said: “Neustar/@UltraDNS has had a system wide outage this morning without a single public ack [acknowledgement] and no status page. Interesting way to run a company.”

DDoS attacks of this size are quickly becoming the norm. A report from Arbor Networks this week said it has already tracked more than 70 DDoS attacks of 100 Gbps or more of bad traffic, topping out at 325 Gbps. The largest attacks on public record were recorded by traffic optimization and security provider CloudFlare.

Most volumetric attacks rely on some kind of amplification, such as DNS reflection or Network Time Protocol (NTP) amplification. The attacker sends small requests whose source IP address is spoofed to be the target’s, and the servers send their much larger responses to the target, so massive amounts of traffic are generated at relatively little cost to the attacker. Because the reflector only ever sees the spoofed address, the traffic arriving at the victim appears to come from the reflecting servers, not from the attacker.

With DNS amplification attacks, attackers take advantage of any number of the 28 million open DNS resolvers on the Internet, resolvers that answer recursive queries from any source rather than only from their own clients, to launch large-scale DDoS attacks. The motivations are varied. Ideological hackers use them to take down services in protest, while profit-motivated criminals can use DDoS as a cover for intellectual property theft and financial fraud.
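The following is an added example, not code from the article or from Neustar, UltraDNS, Arbor Networks or any other party the article names. It shows what the reflection pattern described above looks like from the resolver operator’s side: a script that parses BIND-style query log lines (the lines here are constructed, and the thresholds are assumptions, not tuned values) and flags clients whose traffic looks like spoofed amplification queries. The caveat a practitioner needs is built in: because the source address is spoofed, the “client” the resolver logs is the victim, not the attacker.

```python
"""Flag DNS reflection abuse in BIND-style query logs.

Added example, not part of the Threatpost article. The log lines are
constructed and the thresholds (window_s, min_queries, min_amp_fraction)
are assumptions, not tuned figures. In a reflection attack the attacker
spoofs the target's address, so the "client" this script reports is the
victim to notify or rate-limit, not an attacker to block.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Query types whose responses are many times larger than the ~60-byte
# query that requests them, and so are favoured for amplification.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}

# Tolerant match for BIND "queries" category lines, e.g.
# 07-May-2014 14:03:10.000 client 198.51.100.9#40000 (example.net): query: example.net IN ANY +E (192.0.2.53)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<client>[\d.:a-fA-F]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return a dict for one query-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S"),
        "client": m.group("client"),
        "qname": m.group("qname").rstrip(".").lower(),
        "qtype": m.group("qtype").upper(),
    }


def find_reflection_targets(lines, window_s=10, min_queries=20, min_amp_fraction=0.8):
    """Return {client: summary} for clients whose query pattern looks like
    their address is being used as the spoofed source of a reflection attack:
    a burst of at least min_queries within window_s seconds, dominated by
    amplification-friendly query types."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_client[rec["client"]].append(rec)

    flagged = {}
    for client, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: size of the busiest window_s-second span.
        peak, j = 0, 0
        for i in range(len(recs)):
            while (recs[i]["ts"] - recs[j]["ts"]).total_seconds() > window_s:
                j += 1
            peak = max(peak, i - j + 1)
        amp_fraction = sum(r["qtype"] in AMPLIFYING_QTYPES for r in recs) / len(recs)
        if peak >= min_queries and amp_fraction >= min_amp_fraction:
            names = Counter(r["qname"] for r in recs)
            flagged[client] = {
                "queries": len(recs),
                "peak_in_window": peak,
                "amplifying_fraction": round(amp_fraction, 2),
                "top_qname": names.most_common(1)[0][0],
            }
    return flagged


def constructed_sample_log():
    """Constructed log: 30 spoofed ANY queries 'from' the victim 198.51.100.9
    within six seconds, plus three ordinary A lookups from a real client."""
    fmt = "07-May-2014 14:03:%02d.%03d client %s#%d (%s): query: %s IN %s +E (192.0.2.53)"
    lines = [fmt % (10 + i // 5, (i % 5) * 200, "198.51.100.9", 40000 + i,
                    "example.net", "example.net", "ANY") for i in range(30)]
    for i, name in enumerate(["www.example.com", "mail.example.com", "example.org"]):
        lines.append(fmt % (12 + i, 0, "203.0.113.5", 51000 + i, name, name, "A"))
    return lines


if __name__ == "__main__":
    for client, summary in find_reflection_targets(constructed_sample_log()).items():
        print(f"probable reflection target {client}: {summary}")
```

The script only ranks suspects; the follow-up a resolver operator would take is to stop answering recursive queries from the open Internet (restrict recursion to their own address ranges) and to rate-limit responses, since nothing in the log identifies the true attacker.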

The spike in these attacks, beginning with the DDoS attacks against large U.S. banks early last year, merited a mention in the recent Verizon Data Breach Investigations Report.

“We’re seeing a growing trend of combining DDoS with APT campaigns,” said Arbor Networks’ Gary Sockrider. “Go back a few years, and DDoS was thought of more as a takedown mechanism, not for data exfiltration. Now we’re seeing it more frequently combined with APT, prolonged campaigns where an attacker is on your network and now needs to get the data out, they’ll initiate a DDoS attack. It’s the equivalent of a natural disaster and while you’re dealing with it, that’s when they’ll exfiltrate data.”

This article was updated at 5 p.m. with comments from Neustar.

  • Mark Jeftovic:

    Another good example that proves our point: No matter how top-shelf your DNS provider is, they are still prone to crippling DDoS attacks and other outages. In other words, any given DNS provider is a single-point-of-failure unto itself. So if you really, absolutely, positively must have DNS availability 100% of the time, you need to use multiple DNS solutions and have a coherent methodology for syncing and deploying them. i.e. How to stay up when your DNS provider goes down: (which is a very popular post today for some reason) http://blog.easydns.org/2010/08/19/dos-attacks-and-dns-how-to-stay-up-if-your-dns-provider-goes-down/
  • Phydroxide:

    Netflix is failing to resolve for me tonight. Is that the one?
  • vytas:

    If you are offered a move to a big city under the promise that you will never see a traffic jam again, you know it sounds too good to be true. As a technology, DNS services must rely on a distributed architecture. Concentrating DNS under big providers is a colossal mistake. Evidence of this flaw is very apparent today: with UltraDNS facing DDoS, thousands and thousands of sites are affected.
