Christchurch ISP Digiweb was hit by a denial of service attack last week, its first in ten years.
General manager Anthony Johnson says it is not known how many customers were affected. “Some were out for a couple of minutes and some for a couple of hours. We’ve been contacting our customers to make sure they’re okay. The feedback has been that we’ve responded well — we were on to it within minutes.”
Digiweb has more than 150 servers at its datacentre. “All our internal name servers were attacked,” Johnson says. “We pulled them out and rebuilt them.”
At this stage he doesn’t know where the attack came from. “We’ve got quite a few logs to go through. That’s going to take some time.”
Johnson says Digiweb has near-enterprise-level infrastructure with redundancy and no single points of failure. He’s aware of at least two other data centres being attacked in the past few months.
When asked how Digiweb might guard against future denial of service attacks, he replied: “Where do you start spending money? Companies like Amazon have been hit by DoS.”
There are many different types of denial of service attack. The most common defence is to filter out the malicious traffic, either at the router in front of the website or at the upstream provider. Filtering at the website is late: by then the flood has already come down the ISP's bandwidth pipe and is degrading every other server and client sharing it, so filtering upstream is better for everyone. Unfortunately, that takes coordination with the provider, and not all ISPs have the resources to deal with such attacks.
It can also be difficult to tell legitimate traffic from malicious traffic, and bots often spoof the source IP address on their packets to make it harder. Spoofed-source floods can be prevented at the attacker's end by ISP egress filtering (source address validation, BCP 38): the ISP drops any packet leaving a customer connection whose source address is not one assigned to that customer. The victim's ISP cannot apply the same test to traffic arriving from upstream, where any source address is plausible, so the defence only works to the extent that the networks hosting the bots deploy it.
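As an added illustration, not code from the article or from Digiweb, the following Python sketch applies the BCP 38 check an ISP would run on its customer-facing ports, over constructed packets. The port names, customer prefixes and packets are all made up for the example; what it shows is that the check is only possible where the packet first enters a network, so a victim's own ISP cannot apply it to traffic arriving from upstream.

```python
"""Added example, not code from the article: source address validation (BCP 38)
as an ISP would apply it on customer-facing ports, run over constructed packets."""
import ipaddress

# Constructed topology: the prefixes routed to each customer port. Transit ports
# carry traffic from the whole Internet, so no source can be rejected there.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}
TRANSIT_PORTS = {"upstream-1"}


def source_is_valid(ingress_port, src_ip):
    """True if a packet with this source address may be forwarded from this port.

    On a customer port only that customer's own prefixes are acceptable sources;
    on a transit port every address is plausible, which is exactly why the
    victim's ISP cannot strip spoofed traffic arriving from upstream."""
    if ingress_port in TRANSIT_PORTS:
        return True
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in CUSTOMER_PREFIXES.get(ingress_port, ()))


def filter_packets(packets):
    """Split (port, src, dst) tuples into those forwarded and those dropped."""
    forwarded, dropped = [], []
    for pkt in packets:
        port, src, _dst = pkt
        (forwarded if source_is_valid(port, src) else dropped).append(pkt)
    return forwarded, dropped


# Constructed packets: one genuine and one spoofed per customer, plus one
# arriving from transit with a source the ISP has no basis to judge.
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.17", "203.0.113.5"),        # genuine cust-a source
    ("cust-a", "203.0.113.5", "198.51.100.9"),      # spoofed: not a cust-a prefix
    ("cust-b", "2001:db8:b::10", "203.0.113.5"),    # genuine cust-b IPv6 source
    ("cust-b", "198.51.100.200", "203.0.113.5"),    # spoofed: outside the /25
    ("upstream-1", "192.0.2.99", "198.51.100.9"),   # transit: forwarded regardless
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:", drop)
```

The last packet is the important one: its source address is one of cust-a's, yet it arrives on the transit port, and nothing at this ISP can say whether that is legitimate. Only the network the packet actually came from could have dropped it.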
A botnet can also use its members' genuine IP addresses and send requests that mimic legitimate ones. Some DoS attacks are known as HTTP recursion attacks because they pose as an ordinary customer but request every possible web page on the site, overwhelming the server with requests that are each individually valid.
These attacks are customised for the target website, requesting pages that actually exist on the server. They also send requests slowly, anywhere from one per second to one per minute, multiplied of course by tens of thousands of malicious clients. The aim is to generate very legitimate-looking requests that are hard to filter out in bulk without also blocking real customers: each bot stays below any per-client rate limit, and the attack is visible only in the site's aggregate load.
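An added example, not from the article, of why these slow crawls defeat per-client filtering and what does catch them. It generates a constructed web-server log (three ordinary visitors plus forty bots, each fetching one real page per minute) and runs two checks over it: an ordinary per-IP rate limit, which flags nobody, and a shape-based check that looks for clients which walk many distinct pages without ever fetching a page's stylesheets, scripts or images. The paths, addresses and thresholds are assumptions for the example.

```python
"""Added example, not code from the article: why a per-client rate limit misses a
slow, distributed crawl of real pages, and one aggregate signal that does catch it.
Every log line is generated here for the example; nothing is real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ASSET_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff")
PAGES = [f"/products/item-{i}" for i in range(1, 21)]     # constructed real pages
ASSETS = ["/static/site.css", "/static/app.js", "/static/logo.png"]


def _line(ip, t, path, referer="-"):
    ts = t.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 1024 "{referer}" "Mozilla/5.0"'


def make_sample_log(n_bots=40, minutes=10):
    """Constructed traffic: three ordinary visitors plus n_bots slow crawlers."""
    t0 = datetime(2006, 3, 1, 12, 0, tzinfo=timezone.utc)
    lines = []
    # Ordinary visitors: a page, then the assets it references a second later.
    for v in range(3):
        ip, t = f"203.0.113.{v + 10}", t0 + timedelta(minutes=v)
        for page in PAGES[v:v + 3]:
            lines.append(_line(ip, t, page))
            for asset in ASSETS:
                lines.append(_line(ip, t + timedelta(seconds=1), asset,
                                   referer="http://shop.example" + page))
            t += timedelta(seconds=45)
    # Bots: each fetches one existing page per minute, no assets, no Referer.
    for b in range(n_bots):
        ip = f"198.51.100.{b + 1}"
        for m in range(minutes):
            lines.append(_line(ip, t0 + timedelta(minutes=m, seconds=b),
                               PAGES[(b + m) % len(PAGES)]))
    return lines


def parse(lines):
    """Return (ip, time, path, referer) tuples; unparseable lines are skipped."""
    out = []
    for ln in lines:
        m = LOG_RE.match(ln)
        if m:
            t = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            out.append((m["ip"], t, m["path"], m["referer"]))
    return out


def _max_in_window(times, window):
    """Largest number of timestamps falling inside any span of length window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def per_client_rate_alerts(entries, window=timedelta(seconds=60), max_requests=20):
    """Classic per-IP limiter: flag any client exceeding max_requests per window."""
    by_ip = defaultdict(list)
    for ip, t, _, _ in entries:
        by_ip[ip].append(t)
    return {ip for ip, ts in by_ip.items() if _max_in_window(ts, window) > max_requests}


def crawler_like_clients(entries, min_pages=5):
    """Per-client shape signal: many distinct pages, but none of the assets a
    browser would fetch after each page, and never a Referer header."""
    pages, assets, refs = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, _, path, ref in entries:
        if path.endswith(ASSET_EXT):
            assets[ip] += 1
        else:
            pages[ip].add(path)
        if ref != "-":
            refs[ip] += 1
    return {ip for ip, p in pages.items()
            if len(p) >= min_pages and not assets[ip] and not refs[ip]}


def peak_page_rate(entries, window=timedelta(seconds=60)):
    """Site-wide page requests in the busiest window: the attack is only
    visible here, as many small trickles added together."""
    return _max_in_window([t for _, t, p, _ in entries if not p.endswith(ASSET_EXT)], window)


if __name__ == "__main__":
    entries = parse(make_sample_log())
    print("per-client limiter flags:", sorted(per_client_rate_alerts(entries)))
    print("crawler-like clients:", len(crawler_like_clients(entries)))
    print("peak page requests per minute:", peak_page_rate(entries))
```

The aggregate page rate is the load the server actually feels; the per-client limiter cannot see it because every bot stays far below any sensible threshold. The asset-less, Referer-less signature is a heuristic (text-only browsers and some proxies look the same), so in practice it is one input to a decision rather than an automatic block.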
— Additional reporting by Roger A Grimes
(Not so) eminent domains
A recent study commissioned by Infoblox and performed by The Measurement Factory suggests that incorrectly configured DNS servers are a security problem waiting to happen.
* DNS servers found: nine million
* DNS servers that allow recursive queries from arbitrary clients, relaying requests to other name servers on the requester's behalf: more than 50%
* Vulnerability opened by open recursion: cache poisoning, the basis of pharming attacks
* DNS servers that allow zone transfers to anyone, which hand out a complete copy of the zone's data: 29%
* Vulnerability opened by open zone transfers: denial of service attacks, along with disclosure of every name in the zone to anyone doing reconnaissance
* DNS servers running BIND 8, an older, less secure and less reliable release of the BIND name server software, in 2006: 15%
* Running BIND 8 in 2005: 20%
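As an added example (not code from the article or from the Infoblox study), the following Python check reads the options block of a BIND named.conf for the two misconfigurations the survey counts, open recursion and open zone transfer, with a constructed open configuration beside a hardened one. The ACL names and addresses are assumptions for the example.

```python
"""Added example, not from the article or the Infoblox study: a minimal audit of a
BIND options block for open recursion and open zone transfer, run over two
constructed named.conf fragments (one open, one locked down)."""
import re

# Constructed: the shape of configuration the survey counts as open.
OPEN_CONF = """
options {
    directory "/var/named";
    recursion yes;
    // no allow-recursion: any host on the Internet may use this resolver
    // no allow-transfer: any host may AXFR every zone
};
"""

# Constructed: recursion and transfers restricted to named ACLs.
HARDENED_CONF = """
acl "internal" { 127.0.0.1; 192.0.2.0/24; 2001:db8::/32; };
acl "secondaries" { 198.51.100.53; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "internal"; };
    allow-query-cache { "internal"; };
    allow-transfer { "secondaries"; };
};
"""


def _strip_comments(text):
    """Remove /* */, // and # comments so they cannot masquerade as settings."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_block(conf):
    """Body of the options { ... }; block, or an empty string if there is none."""
    m = re.search(r"\boptions\s*\{(.*?)\n\};", _strip_comments(conf), re.S)
    return m.group(1) if m else ""


def _setting(block, name):
    """Value of `name ...;` inside the block, or None if absent. The lookbehind
    stops `recursion` from matching inside `allow-recursion`."""
    m = re.search(r"(?<![\w-])%s\s+([^;]+);" % re.escape(name), block)
    return m.group(1).strip() if m else None


def audit(conf):
    """Return the list of findings for one named.conf text."""
    opts = options_block(conf)
    findings = []
    if _setting(opts, "recursion") != "no" and _setting(opts, "allow-recursion") is None:
        findings.append("open recursion: recursion is on and allow-recursion is unset")
    if _setting(opts, "allow-transfer") is None:
        findings.append("open zone transfer: allow-transfer is unset, so any host can AXFR")
    return findings


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

The check only inspects the global options block; a zone statement can carry its own allow-transfer, and the definitive test is against the running server (a recursive query for a name it is not authoritative for, and an AXFR request, each from an outside address).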