10 Jun 2013

DDoS lately

TPP Wholesale’s Experience

A subsidiary of Netregistry based in Sydney, TPP Wholesale is one of the largest providers of domain management, web hosting and other services in Australia. On Monday, June 3, the company informed its customers through its website that an “Unscheduled Service Interruption” had been experienced by eight DNS servers owned by the company. The company also stated on its website that it uses several methods to fight DDoS attacks, including:
  • Host-based firewalls.
  • Juniper firewalls.
  • High-performance DNS server software.
  • Arbor Pravail anti-DDoS equipment.
The company said that for a few days prior to Monday, June 3, it had used all of these methods except Arbor Pravail to mitigate the DDoS attack, but on Monday it had to take the drastic step of deploying Arbor Pravail, which stemmed the attack by rate-limiting DNS queries. According to the company, the Arbor Pravail anti-DDoS equipment identified 1000 hosts participating in the attack in addition to those already identified by the other methods. The company acknowledged that this drastic method also blocked many legitimate users because of its aggressive filtering, and said they would be whitelisted once identified by its engineers.

Story of easyDNS

Toronto-based easyDNS also experienced the effects of the massive worldwide DDoS attack, which disrupted its services too! Mark Jeftovic, CEO of easyDNS, reported on Monday, June 3 that Monday’s attack was a larger version of the attack that had taken place the day before. The CEO reported that easyDNS engineers managed to mitigate most of the attack, but that it was really difficult to differentiate DDoS traffic from real traffic. He also said it was a nightmare because the attack was not against a specific domain but against easyDNS itself, and because the attack was very well constructed.

Anthony Eden Spoke for DNSimple

Anthony Eden, founder of DNSimple, said that DNSimple’s authoritative nameservers were used as an amplifier for attacking a third-party network. He reported that the authoritative nameservers were flooded with ‘ANY’ queries for various domain names managed by the company’s DNS service. The purpose of the ‘ANY’ query is to amplify small queries into large responses aimed at a specific network. This form of attack is called DNS amplification or DNS reflection: queries with a forged source IP address are sent to servers from many computers, which triggers large responses that the servers send to the victim’s IP addresses within a short window of time. If the attackers manage to use a large enough number of DNS servers and computers, the internet bandwidth available to the victim is exhausted very quickly.
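The ANY-query reflection pattern described above, and the rate-limiting response TPP Wholesale relied on, can both be driven from an authoritative server's own query log. The following is an added example, not code from DNSimple, easyDNS or TPP Wholesale; the log format, the thresholds and the sample lines are constructed assumptions. It flags source addresses whose ANY queries arrive in bursts with a high response-to-query size ratio; those addresses are the spoofed victims, so the defensive action is to rate-limit answers toward them rather than to treat them as attackers.

```python
"""Spot DNS amplification abuse in an authoritative server's query log (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<timestamp> <client-ip> <qname> <qtype> <response-bytes>"
SAMPLE_LOG = """\
2013-06-03T10:00:00 203.0.113.9 example.net ANY 2950
2013-06-03T10:00:00 203.0.113.9 example.org ANY 3120
2013-06-03T10:00:01 203.0.113.9 example.net ANY 2950
2013-06-03T10:00:01 203.0.113.9 example.com ANY 2870
2013-06-03T10:00:02 198.51.100.7 example.net A 60
2013-06-03T10:00:02 198.51.100.7 example.net MX 85
2013-06-03T10:00:03 192.0.2.44 example.org ANY 3120
"""

QUERY_BYTES = 64  # assumed typical on-the-wire size of a UDP ANY query


def parse_log(text):
    """Yield (timestamp, client, qname, qtype, response_bytes) per log line."""
    for line in text.splitlines():
        ts, client, qname, qtype, size = line.split()
        yield datetime.fromisoformat(ts), client, qname, qtype, int(size)


def suspect_reflection_targets(text, window_s=2, max_any=3, min_amp=10.0):
    """Return {client: (any_count, mean_amplification)} for clients that receive
    more than max_any ANY answers within window_s seconds with responses at
    least min_amp times larger than the query. The client here is the (likely
    spoofed) address being flooded, i.e. the candidate for response rate limiting."""
    per_client = defaultdict(list)
    for ts, client, _qname, qtype, size in parse_log(text):
        if qtype == "ANY":
            per_client[client].append((ts, size))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        for i, (start, _size) in enumerate(events):
            # All ANY responses to this client within the sliding window from `start`.
            burst = [s for t, s in events[i:] if (t - start).total_seconds() <= window_s]
            if len(burst) > max_any:
                amp = sum(burst) / (len(burst) * QUERY_BYTES)
                if amp >= min_amp:
                    flagged[client] = (len(burst), round(amp, 1))
                    break
    return flagged


if __name__ == "__main__":
    print(suspect_reflection_targets(SAMPLE_LOG))  # {'203.0.113.9': (4, 46.4)}
```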

Well Prepared

The methods used in the DDoS attack, especially the DNS reflection method, which requires considerably more effort, show that the hackers or attackers were very well prepared. Mitigating attacks on authoritative nameservers is not easy because they are open to everyone: anyone on the internet can query an authoritative nameserver for information about the domain names it serves. This is exactly why DDoS attacks remain a major concern.