nanog mailing list archives
Re: register.com down sev0? - More information
From: Don <don () calis blacksun org>
Date: Thu, 26 Oct 2006 09:24:09 -0400 (EDT)
Register.com offered several models for DNS service including distributed anycast based services. Considering what I've heard about the scale of the attack I'm glad they chose not to host their own domain name on the anycast networks- it simply would have taken more people down.

As pointed out by Rob Seastrom in private email, RFC2182 addresses things of biblical proportions - such as dispersion of nameservers geographically and topologically. Having 3 secondaries, only one of them on a separate /24, and none of them on a topologically different network does not qualify.
Some facts:

1. I've spoken with some AT&T engineers about what was going on. According to them this was (as mentioned earlier) a multi-gigabit attack that came in through every peer on the AT&T network. Anycasting would not have fixed this problem- the attack was too large and too diverse. (I guess if they had 10 gige pipes and pops all over the planet- maybe. But that's not exactly a valid business model.)
2. These were not spoofed source addresses. This looks like a rather large botnet sending real traffic.
3. The attack was large enough to affect many other customers in the same data center- one with a lot of bandwidth off AT&T's backbone.
4. DNS is a tiny protocol. It's possible to send a LOT of small, but perfectly valid, DNS packets. The fact that the attack was multi-gigabit per second is bad enough. Couple that with the packets all being really tiny and you have a recipe for routing disaster.
5. AT&T (at least when I've dealt with them in their datacenters) does not support BGP community strings for null routing (or any strings for that matter :) Think about that for a second. To stop an attack Register.com would need to call AT&T and request a filter/null route. Since AT&T operations is based in Singapore (again this was last time I dealt with them) I'm sure getting those filters/routes in probably doesn't happen nearly fast enough. I have heard that AT&T is currently in the process of setting up communities- maybe someone who knows more could comment.
The truth is that none of us has all the facts about what happened.
Register.com is not public (if I recall correctly they were bought out a couple of years ago by a private firm). Furthermore if they were public I would think their stockholders might have something to say about spending large sums of money to prevent a DDoS which probably would not work anyway.

Given that register.com is/was public (I think?) - I wonder what are their sarbox auditors saying about it now ;)
-Don
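The RFC2182 dispersion point made above (secondaries that share a /24 and a single upstream network) can be checked mechanically. The following script is an added example, not part of Don's post or of any Register.com tooling; the nameserver names, addresses and ASNs in it are constructed, and a real check would resolve the NS/A records and look up origin ASNs instead.

```python
"""Check an authoritative nameserver set for the dispersion RFC 2182 asks
for: servers spread across distinct /24 prefixes (or /48s for IPv6) and
across distinct origin ASNs, the latter as a proxy for topological separation."""
import ipaddress
from collections import defaultdict

# Constructed sample: four servers, three in one /24, all behind one AS.
# This mirrors the situation described in the post and should fail the check.
SAMPLE_NS = {
    "ns1.example.test": ("192.0.2.10", 64496),
    "ns2.example.test": ("192.0.2.11", 64496),
    "ns3.example.test": ("192.0.2.12", 64496),
    "ns4.example.test": ("198.51.100.5", 64496),
}

def dispersion_report(ns_map, min_prefixes=2, min_asns=2):
    """Return (ok, details) for a dict of name -> (ip, origin_asn).

    ok is True only when the set spans at least min_prefixes distinct
    /24 (IPv4) or /48 (IPv6) prefixes AND at least min_asns origin ASNs.
    details groups the servers by prefix and by ASN so the weak spot is visible.
    """
    if not ns_map:
        return False, {}
    by_prefix = defaultdict(list)
    by_asn = defaultdict(list)
    for name, (ip, asn) in ns_map.items():
        addr = ipaddress.ip_address(ip)
        plen = 24 if addr.version == 4 else 48
        prefix = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        by_prefix[str(prefix)].append(name)
        by_asn[asn].append(name)
    details = {
        "prefixes": dict(by_prefix),
        "asns": dict(by_asn),
        # Fraction of servers that would be lost if the most populated /24 went dark.
        "largest_prefix_share": max(len(v) for v in by_prefix.values()) / len(ns_map),
    }
    ok = len(by_prefix) >= min_prefixes and len(by_asn) >= min_asns
    return ok, details

if __name__ == "__main__":
    ok, d = dispersion_report(SAMPLE_NS)
    print("RFC 2182 dispersion OK" if ok else "INSUFFICIENT dispersion")
    for p, names in d["prefixes"].items():
        print(f"  {p}: {', '.join(names)}")
    for asn, names in d["asns"].items():
        print(f"  AS{asn}: {', '.join(names)}")
```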