anycast and ddos

Rodney Joffe rjoffe at centergate.com
Sun May 8 16:15:03 UTC 2005


> 
>> At 01:38 AM 07-05-05 +0000, Christopher L. Morrow wrote:
> 
> I scanned my Telescope report of 3,382 spoofed DDOS attacks last week (May
> 1-7) and could not find any listed for 216.168.229.0/24, worldnic.com,
> netsol.com or AS6245.
> 
> -Hank
> 
> 
> 
>> worldnic.com.           86400   IN      NS      ns1.netsol.com.
>> worldnic.com.           86400   IN      NS      ns2.netsol.com.
>> worldnic.com.           86400   IN      NS      ns3.netsol.com.
>> 
>> ;; ADDITIONAL SECTION:
>> ns1.netsol.com.         86400   IN      A       216.168.229.228
>> ns2.netsol.com.         86400   IN      A       216.168.229.229
>> ns3.netsol.com.         86400   IN      A       216.168.229.229

I believe the issues (reported on NANOG specifically) related to
ns*.worldnic.com (seemingly ns1 through ns100.worldnic.com) which seem to be
mostly related to 216.168.225.0/24 with some smatterings in
216.168.228.0/24. Some examination during the event, and since then, would
indicate that traceroutes to these /24s result in endpoints that are in the
same location, apparently in the DC area. Anycast would not seem to be
involved.

It further seems that these nameservers are used primarily by customers of
their bundled-with-a-domain-name DNS offering, with minimal cost. There are
in excess of 300,000 domains that point to ns*.worldnic.net as being
authoritative, that I have been able to identify so far. It seems that a
large number of domain name registrants might have been affected, although
many were unaware.

And I assume that it is obvious that this is all "Network Solutions", the
Registrar Business, as distinct from the now completely unrelated company,
Verisign, the Registry Operator.

Rodney Joffe
CenterGate Research Group, LLC
http://www.centergate.com
"Technology so advanced, even WE don't understand it"(R)
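
An added example, not part of the original message: a short Python audit of how concentrated a zone's authoritative nameservers are, run over the dig records quoted in the thread above. The function names and the /24 grouping are assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

# Records copied from the dig output quoted in the message above.
DIG_OUTPUT = """\
worldnic.com.           86400   IN      NS      ns1.netsol.com.
worldnic.com.           86400   IN      NS      ns2.netsol.com.
worldnic.com.           86400   IN      NS      ns3.netsol.com.

;; ADDITIONAL SECTION:
ns1.netsol.com.         86400   IN      A       216.168.229.228
ns2.netsol.com.         86400   IN      A       216.168.229.229
ns3.netsol.com.         86400   IN      A       216.168.229.229
"""

def parse_records(text):
    """Return (zone -> NS host names, host -> A addresses) from dig-style lines."""
    ns, a = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, dig comments (';;') and anything not "name ttl IN type rdata".
        if len(fields) != 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue
        name, rtype, rdata = fields[0].lower(), fields[3].upper(), fields[4].lower()
        if rtype == "NS":
            ns[name].add(rdata)
        elif rtype == "A":
            a[name].add(ipaddress.ip_address(rdata))
    return ns, a

def audit_zone(zone, text, prefix_len=24):
    """Summarise name, address and prefix diversity of a zone's NS set."""
    ns, a = parse_records(text)
    servers = ns.get(zone.lower(), set())
    addrs = set().union(*(a.get(s, set()) for s in servers))
    prefixes = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in addrs}
    return {
        "name_count": len(servers),
        "address_count": len(addrs),           # distinct IPs behind the NS names
        "prefixes": sorted(str(p) for p in prefixes),
        "unresolved": sorted(s for s in servers if s not in a),  # no A record seen
        # Heuristic only: one prefix suggests shared fate, but addresses alone
        # cannot show whether a prefix is anycast; that needs path measurements.
        "single_prefix": len(prefixes) <= 1,
    }

if __name__ == "__main__":
    print(audit_zone("worldnic.com.", DIG_OUTPUT))
```
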






