North American Network Operators Group

Re: register.com down sev0? - More information

  • From: Don
  • Date: Thu Oct 26 09:30:37 2006


> As pointed out by Rob Seastrom in private email, RFC2182 addresses things
> of biblical proportions - such as dispersion of nameservers geographically
> and topologically. Having 3 secondaries, only one of them on a separate /24,
> and none of them on a topologically different network does not qualify.
Register.com offered several models for DNS service, including distributed anycast-based services. Considering what I've heard about the scale of the attack, I'm glad they chose not to host their own domain name on the anycast networks; it simply would have taken more people down.

Some facts:
1. I've spoken with some AT&T engineers about what was going on. According to them this was (as mentioned earlier) a multi-gigabit attack that came in through every peer on the AT&T network. Anycasting would not have fixed this problem; the attack was too large and too diverse. (I guess if they had 10 GigE pipes and POPs all over the planet, maybe. But that's not exactly a valid business model.)

2. These were not spoofed source addresses. This looks like a rather large botnet sending real traffic.

3. The attack was large enough to affect many other customers in the same data center, one with a lot of bandwidth off AT&T's backbone.

4. DNS is a tiny protocol. It's possible to send a LOT of small, but perfectly valid, DNS packets. The fact that the attack was multi-gigabit-per-second is bad enough. Couple that with the packets all being really tiny and you have a recipe for routing disaster.

5. AT&T (at least when I've dealt with them in their datacenters) does not support BGP community strings for null routing (or any strings for that matter :) Think about that for a second. To stop an attack Register.com would need to call AT&T and request a filter/null route. Since AT&T operations is based in Singapore (again this was last time I dealt with them) I'm sure getting those filters/routes in probably doesn't happen nearly fast enough. I have heard that AT&T is currently in the process of setting up communities- maybe someone who knows more could comment.

The truth is that none of us has all the facts about what happened.

> Given that register.com is/was public (I think?) - I wonder what are their
> sarbox auditors saying about it now ;)
Register.com is not public (if I recall correctly, they were bought out a couple of years ago by a private firm). Furthermore, if they were public I would think their stockholders might have something to say about spending large sums of money to prevent a DDoS that probably would not work anyway.

-Don
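For readers unfamiliar with the "BGP community strings for null routing" that point 5 refers to, here is an added illustration (not from this thread, and not AT&T's or Register.com's configuration) of customer-triggered blackholing in Cisco IOS-style syntax. All AS numbers, addresses, and the community value 65000:666 are made-up placeholders; a real provider publishes its own blackhole community and which prefix lengths it accepts.

```cisco
! ---- Provider edge (hypothetical AS 65000) ----
! Any traffic forwarded to this next-hop is discarded.
ip route 192.0.2.1 255.255.255.255 Null0

! Only /32s inside the customer's assigned block may be blackholed.
ip prefix-list CUST-BH-HOSTS permit 203.0.113.0/24 ge 32

ip community-list standard BLACKHOLE permit 65000:666

! Tagged routes are accepted, pointed at the discard next-hop, and kept
! inside the provider's AS; everything else goes through normal policy.
route-map FROM-CUSTOMER permit 10
 match ip address prefix-list CUST-BH-HOSTS
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
route-map FROM-CUSTOMER permit 20
 match ip address prefix-list CUST-AGGREGATES

router bgp 65000
 neighbor 198.51.100.2 remote-as 64496
 neighbor 198.51.100.2 route-map FROM-CUSTOMER in

! ---- Customer edge (hypothetical AS 64496) ----
! The attacked host is pinned in the RIB so BGP will originate the /32.
ip route 203.0.113.10 255.255.255.255 Null0

ip prefix-list BH-HOSTS permit 203.0.113.10/32

route-map TO-PROVIDER permit 10
 match ip address prefix-list BH-HOSTS
 set community 65000:666 additive
route-map TO-PROVIDER permit 20
 match ip address prefix-list OUR-AGGREGATES

router bgp 64496
 network 203.0.113.0 mask 255.255.255.0
 network 203.0.113.10 mask 255.255.255.255
 neighbor 198.51.100.1 remote-as 65000
 neighbor 198.51.100.1 send-community
 neighbor 198.51.100.1 route-map TO-PROVIDER out
```

The effect is that the customer, not a provider NOC on the other side of the world, decides within seconds that traffic for one attacked address is dropped at every provider edge instead of filling the access circuit; the trade-off is that the blackholed host is unreachable for everyone until the community is withdrawn.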