Network Solutions under DDOS attack
Circle ID reports that major domain registrat Network Solutions has been expriencing a massive DDOS UDP/53 attack on their domain servers for the past 48 hours. The Network Solutions blog confirms this: “There is a spike in DNS query volumes that is causing latency for the delay in web sites resolving. This is a result of a DDOS attack. We are taking measures to mitigate the attack and speed up queries.”
A post on NANOG provides some additional detail:
A DOS where lots of people's dns servers around the world are being queried with bogus sourced dns requests not from port 53 for 'NS? .'. This then bounces back to their authoritative nameservers which are getting traffic overload. ... These are the result of a spoofed dns recursion attack against our servers. The actual packets in question (the ones reaching your servers) do NOT originate from our network as such there is no way for us to filter things from our end. If you are receiving queries from 18.104.22.168/22.214.171.124 neither of these machines make legitimate outbound dns requests so an inbound filter of packets to udp/53 from either of these two sources is perfect. If you are receiving queries from 126.96.36.199/188.8.131.52 these servers are authoritative nameservers. Please do not blackhole either of these IPs as they host many domains. However, these IPs do not make outbound DNS requests so filtering requests to your IPs from these ips with a destination port of 53 should block any illegitimate requests. An ACL similar to: access-list 110 deny udp host 184.108.40.206 neq 53 any eq 53 access-list 110 deny udp host 220.127.116.11 neq 53 any eq 53 Is what you want.
This attack could potentially affect more than 7.6 million domain names. Given the recent rapid spread of threats like the Downadup worm, I’m sure we’re going to be seeing more attacks like this in the not-too-distant future.
UPDATE: Network Solutions says DNS queries for web sites should be responding normally now.