Both companies have published post-incident reports

Jun 5, 2013 07:24 GMT

Earlier this week, we learned that cybercriminals launched distributed denial-of-service (DDoS) attacks against the systems of DNSimple and easyDNS. The attacks have been mitigated and both companies have published blog posts to explain what happened.

As it turns out, the DNS providers were not the targets of these attacks. Instead, their systems were abused by the attackers to bring down another network in what’s known as a DNS amplification attack.

“While most of these typically use open resolvers, it is also now common to use authoritative nameservers in reflection attacks,” easyDNS’s founder Mark Jeftovic wrote.

“In our case while the attack didn't take up too much bandwidth, the number of inbound packets soon filled up our connection tables and due to the way the attack was constructed, it was difficult to discern real DNS queries from fake ones,” he added.

Jeftovic admitted that they got “careless.”

“While we correctly believed Sunday's ‘mini-DDoS’ was a test run, and we thought we were ready for the anticipated ‘real deal’, some of our gear wasn't configured optimally. We should have better insight into DNS attack patterns and we didn't recognize this as an amplification attack until quite late into the game,” he noted.

easyDNS has collaborated with both DNSMadeEasy and DNSimple to “get a handle on things.”

DNSimple’s Anthony Eden explains that they’ve been only one player in a larger game.

“This attack was nothing special until the morning of June 3rd when it changed in a manner causing an outage for DNSimple name servers,” Eden said.

“In this type of attack we are one player in a larger game. The attacker wants to use our servers to bring down yet another network. Unfortunately this style of attack is becoming more common.”

DNSimple has implemented mechanisms to prevent such incidents from occurring in the future. easyDNS has likewise deployed additional safety systems, but the company says that users who need 100% DNS availability should use multiple DNS solutions.
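Neither company details its new mechanisms, so the following is an added illustration (not easyDNS's or DNSimple's code) of the standard defence for an authoritative nameserver abused as a reflector: response rate limiting, modelled loosely on BIND's RRL. The bucket size, the "slip" ratio, the 40-byte truncated reply and the replayed traffic are all assumptions constructed for the example; it shows how the bytes reflected toward a spoofed source collapse while a real resolver asking varied names is untouched.

```python
import ipaddress
from collections import defaultdict
RATE = 5             # full responses per second per (source /24, qname, qtype)
SLIP = 2             # over budget: every 2nd query gets a tiny TC=1 reply, rest dropped
TC_REPLY_BYTES = 40  # assumed size of a minimal truncated reply (header + question)

class Rrl:
    """Per-(source /24, qname, qtype) token bucket with BIND-style 'slip' (assumed model)."""

    def __init__(self, rate=RATE, slip=SLIP):
        self.rate, self.slip = rate, slip
        self.tokens = {}               # key -> (tokens left, current second)
        self.over = defaultdict(int)   # key -> over-budget counter driving slip

    @staticmethod
    def key(src_ip, qname, qtype):
        # Spoofed sources cluster in the victim's prefix, so bucket by /24.
        net = ipaddress.ip_network(f"{src_ip}/24", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype)

    def decide(self, ts, src_ip, qname, qtype, full_bytes):
        """Return (action, bytes_sent); action is 'answer', 'slip' or 'drop'."""
        k = self.key(src_ip, qname, qtype)
        tokens, sec = self.tokens.get(k, (self.rate, int(ts)))
        if int(ts) > sec:                      # new second: refill the bucket
            tokens, sec = self.rate, int(ts)
        if tokens > 0:
            self.tokens[k] = (tokens - 1, sec)
            return "answer", full_bytes
        self.tokens[k] = (0, sec)
        self.over[k] += 1
        if self.over[k] % self.slip == 0:      # TC=1 lets a real resolver retry over TCP
            return "slip", TC_REPLY_BYTES
        return "drop", 0

def replay(queries, rrl=None):
    """Replay (ts, src, qname, qtype, response_bytes); return bytes per source with/without RRL."""
    rrl = rrl or Rrl()
    limited, unlimited = defaultdict(int), defaultdict(int)
    for ts, src, qname, qtype, size in sorted(queries):
        unlimited[src] += size
        limited[src] += rrl.decide(ts, src, qname, qtype, size)[1]
    return dict(limited), dict(unlimited)

# Constructed traffic: 100 spoofed ANY queries in one second "from" the victim
# 198.51.100.7 (each would draw a ~3 KB response) beside a real resolver's varied lookups.
VICTIM, RESOLVER = "198.51.100.7", "203.0.113.9"
FLOOD = [(i / 100, VICTIM, "example.com", "ANY", 3000) for i in range(100)]
LEGIT = [(i / 10, RESOLVER, f"host{i}.example.com", "A", 80) for i in range(10)]
```

Running `replay(FLOOD + LEGIT)` shows roughly 300 KB that would have been reflected at the victim reduced to under 17 KB, while the resolver's 800 bytes of real answers are unchanged.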

Update. It turns out TTP Wholesale has also experienced similar attacks.