register.com down sev0? - More information
don at calis.blacksun.org
Thu Oct 26 13:24:09 UTC 2006
> As pointed out by Rob Seastrom in private email, RFC2182 addresses things
> of biblical proportions - such as dispersion of nameservers geographically
> and topologically. Having 3 secondaries, only one of them on a separate /24,
> and none of them on a topologically different network, does not qualify.
Register.com offered several models for DNS service including distributed
anycast-based services. Considering what I've heard about the scale of
the attack, I'm glad they chose not to host their own domain name on the
anycast networks; it simply would have taken more people down.
1. I've spoken with some AT&T engineers about what was going on. According
to them this was (as mentioned earlier) a multi-gigabit attack that came
in through every peer on the AT&T network. Anycasting would not have fixed
this problem; the attack was too large and too diverse. (I guess if they
had 10 GigE pipes and PoPs all over the planet, maybe. But that's not
exactly a valid business model.)
2. These were not spoofed source addresses. This looks like a rather large
botnet sending real traffic.
3. The attack was large enough to affect many other customers in the same
data center, one with a lot of bandwidth off AT&T's backbone.
4. DNS is a tiny protocol. It's possible to send a LOT of small, but
perfectly valid, DNS packets. The fact that the attack was multi-gigabit
per second is bad enough. Couple that with the packets all being really
tiny and you have a recipe for routing disaster.
5. AT&T (at least when I've dealt with them in their datacenters) does not
support BGP community strings for null routing (or any strings for that
matter :) ). Think about that for a second. To stop an attack Register.com
would need to call AT&T and request a filter/null route. Since AT&T
operations is based in Singapore (again, this was the last time I dealt with
them) I'm sure getting those filters/routes in probably doesn't happen
nearly fast enough. I have heard that AT&T is currently in the process of
setting up communities; maybe someone who knows more could comment.
The truth is that none of us has all the facts about what happened.
> Given that register.com is/was public (I think?) - I wonder what are their
> sarbox auditors saying about it now ;)
Register.com is not public (if I recall correctly they were bought out a
couple of years ago by a private firm). Furthermore, if they were public I
would think their stockholders might have something to say about spending
large sums of money to prevent a DDoS which probably would not work.
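For the community-triggered null routing discussed in point 5, here is an added illustration that is not part of the original post and is not AT&T's or Register.com's configuration: a customer-side Cisco IOS fragment that blackholes a single attacked address by announcing its /32 to the upstream tagged with a blackhole community, so the upstream discards the traffic at its edge instead of carrying it into the customer's data center. Everything specific in it is an assumption: AS 64496 (customer) and AS 64500 (upstream) are documentation ASNs, 203.0.113.53 (the attacked host) and 192.0.2.254 (the upstream peer) are documentation addresses, and 65535:666 is the well-known BLACKHOLE community from RFC 7999, which postdates this 2006 thread; in practice the upstream publishes the community value and the prefix length it honours.

```cisco
! Added example, not from the original post: customer-triggered remote
! blackhole (RTBH) using a BGP community. ASNs, addresses and the
! community value are assumptions; substitute the upstream's published ones.
ip bgp-community new-format
!
! A static discard route for the attacked /32. It drops the traffic that
! still reaches this router, and it gives BGP a route to originate.
ip route 203.0.113.53 255.255.255.255 Null0
!
! Only prefixes listed here get the blackhole community.
ip prefix-list RTBH-TRIGGER seq 5 permit 203.0.113.53/32
!
! Sequence 10 tags the trigger prefix; sequence 20 lets every other
! announcement through unchanged.
route-map RTBH-OUT permit 10
 match ip address prefix-list RTBH-TRIGGER
 set community 65535:666 additive
route-map RTBH-OUT permit 20
!
router bgp 64496
 neighbor 192.0.2.254 remote-as 64500
 neighbor 192.0.2.254 send-community
 neighbor 192.0.2.254 route-map RTBH-OUT out
 network 203.0.113.53 mask 255.255.255.255
```

The upstream's side of the arrangement is a matching policy that accepts /32s carrying the community and sets their next hop to a discard address, which is exactly the capability the post says AT&T did not offer at the time. Removing the static Null0 route withdraws the /32 and ends the blackhole once the attack subsides. The caveat the thread already implies applies here too: a blackhole finishes the job of making the address unreachable, so it only helps when the victim address can be sacrificed (one nameserver of several, or a host that can be renumbered), not when it is the sole nameserver for the domain.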