Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror

DDoS on Domain Registrar 69

Posted by ScuttleMonkey
from the paint-by-numbers dept.
miller60 writes "Netcraft is reporting that 'domain registrar Joker.com says its nameservers have been hit with a massive DDoS attack, causing outages for customers. More than 550,000 domains are registered with Joker, meaning the outages could be widely felt. It's not clear why the DDoS is succeeding, as most registrars have implemented sturdy DDoS protection since the attack on the root nameserver system back in 2002.' Some security experts have warned in recent weeks about DNS recursion attacks as previously discussed here on Slashdot, which can amplify the power of attacks launched from botnets."
This discussion has been archived. No new comments can be posted.

DDoS on Domain Registrar

Comments Filter:
  • I've been using Joker for a number of years and had nothing but good service, polite staff and decent prices and then someone goes along and DDOS them. Hope they get back on their feet soon. Then again there is no such thing as bad publicity
  • But why? (Score:5, Interesting)

    by Minwee (522556) <dcr@neverwhen.org> on Monday March 27, 2006 @07:28AM (#15001838) Homepage
    In case anyone has missed the significance of a major European domain registrar getting whacked right now, you should recall that the .EU domains go on sale to the public in about a week [webhosting.info].

    If anything, I'm surprised that more regitstrars aren't being hit by this. Maybe they agreed to pay up instead.

    • Re:But why? (Score:1, Interesting)

      by sjwest (948274)

      I was affected - but perhaps the ddosers wanted some cash from the spammers?. However our spam load was much reduced as to who wanted what and from whom i dont know - less spam was the result here.

      Perhaps this will do joker some good either by stopping the sales of junk domain names like ikty677899dddff.com (made up example) and clean up the domain name 'trade', which is by no means perfect but makes many of us think there as complict as the spammers.

  • Not that surprising! (Score:5, Informative)

    by Anonymous Coward on Monday March 27, 2006 @07:33AM (#15001861)
    Anyone that has had to deal with DDoS attacks against their networks lately should know that it isn't terribly uncommon to see DDoS attacks that saturate over 1Gbps of bandwidth. With a sizeable botnet, even if the registrar has two gigabit uplinks, it wouldn't be too difficult for an attacker to knock them compleetly offline. Take whatever DDoS prevention methods you want, if your upstream links are saturated... you're boned.
    • Have you considered traffic shaping? I mean ISPs may set up a traffic shaping rule limits their outbound DNS traffic to ~15%. I guess this should help a little.
  • by pixelbeat (31557) <P@draigBrady.com> on Monday March 27, 2006 @07:42AM (#15001907) Homepage
    Their website is still functional enough to allow
    one to change the DNS servers away from [abc].ns.joker.com
    I did this last for my domain.
    • The problem is that it WASN'T functional until Saturday. And you still need to have a DNS server to use. If you don't have one you're screwed.
      • There are free DNS services out there like EveryDNS.net [everydns.net] that allow you to register and list for free.

        </shameless plug>
      • Are you sure about that? Perhaps you only heard about it last Saturday?
        For me it was definitely getting hosed at 09:30 (GMT) last friday (24th Mar).
        My domain wouldn't resolve, and their web admin interface was seriously slow,
        and they had a news item about it on their homepage.
        I was just about able to change the DNS servers for my domain away from joker to my hosted server.
        Their web servers currently show about the same amount of lag,
        so I presume one can still change the DNS servers for their domains.
        • My problems started about 2pm PST on Wed. Nothing would resolve, email wouldn't work. I was out of town and number 2 couldn't figure out what was up. Everything came back up that evening. Same problems most of Thurs, Fri and Sat. By early Sat afternoon I decided I had to do something. Joker's "service zone" servers seemed to work so I moved everything over to dnsmadeease.com. The move was relatively painless and all is good now.

          Not an experience I'd want to repeat any time soon.

          I'll be working o
  • Getting sick of this (Score:4, Interesting)

    by totya (746634) on Monday March 27, 2006 @07:50AM (#15001935)
    I think it's time for the sensible businesses to form an alliance to defend themselves from these DDOS attacks. We've got to be able to switch along storage, location, share the load among us. If there was a few dozen or hundred larger sites with huge pipes, then actions like this could be avoided. Virtualization looks like a very good help for this. Send along a vmware image to the emergency network, fire up the systems, vpn to the backend, and you're set. I know I oversimplify this, but I guess something along these lines could work (technically). Of course politics and such come into play, but if major players started to float this idea - again, I think it could work. Any thoughts (or flames)?
    • It seems that something has to be done, since everyone is either unwilling or unable to catch the perpetrators. If it's true that extortion of money is behind this, you'd think that the authorities would be keen to catch them, and make an example of them. Like you say, this can't go on unchecked for much longer.

      Was anyone ever fingered for the root nameserver attack of 2002? I'd imagine not.
    • by Anonymous Coward
      give up on the interweeb, have a look at anonet! http://anonetnfo.brinkster.net.nyud.net:8090/ [nyud.net]
    • by user24 (854467)
      I'm not quite sure what you have in mind- distributed DNS or distributed hosting?

      With distributed DNS, it's actually not a bad idea, those with higher bandwidths could end up taking the bulk of the load, but it might actually be workable. Having said that, we do have a facility for secondary DNS servers; we could just use them properly instead of having ns1.foobar.com and ns2.foobar.com pointing to the same box half the time, and the same subnet half of the rest of the time. Not exactly a dDOS resiliant sol
      • I'm talking about distributed hosting on virtual computers. I'm not talking about sharing webroots among the "emergency network", I'm talking about a vmware/virtualpc image that participants just fire up when needed. talk about a standard (well, if there's such thing) 3 tier website: www, application, database. the database can be anywhere, since users don't connect to it. application servers can then be distributed. webservers of course can be distributed. VPN would transmit data among these servers. a goo
      • Isn't the logical extension of this that all ISPs pool their DNS stuff?

        i.e. ISPs A, B, C...N all host N DNS services -- one for themselves, one each for the other N ISPs. Ok, maybe not N but say 5 ISP groupings.

        This was done with the electric power system some time back where they put ground rods all over the place providing ubiquitous grounding to make the power system more uniform.

    • I'll attempt to elaborate on parent. If a host of domains is attacked, it would be nice if a system was in place to easily, and quickly, render backup assisance if required. DNS is the core of user friendly internet access to everything. The smaller players may have need for such a system, or may have not costed and implemented the measures to not need them.
  • by Brianech (791070) on Monday March 27, 2006 @07:59AM (#15001970)
    just what joker.com needs during a DDos attack, massive publicity from major news sites which will drive more people to the servers.
  • CoComment down (Score:1, Offtopic)

    by mparaz (31980)
    I saw that CoComment.com was going down [paraz.com] - it's a comment tracking service. They explain why on their blog [cocomment.com].
  • I suggest a new .noddos tld and decide those sites shouldn't be DDoS'ed.
    Hmm, maybe I'm coming too quickly from that other stupidifying discussion. :-)
  • I hope people realise that moving away from joker will result in exactly what the attacker intended: hurt joker.com. My own business is hosted @ joker and I'm feeling the hurt. But Im staying.

    Next up: can everbody who gets hurt by this attack band together and start a class action suit against this ddos'er? Yeah, IF he gets caught...

    We're the internet here, and if this hacker gets found, make an example of him.. he should be in deep debt for the rest of his life. THAT'll scare these script idiots...
    • he probably is already in deep debt, which is probably why he did it.
    • Let me give you a free clue...

      Leave your domain name registration at joker and move your DNS server to dnsmadeeasy.com.
      Joker doesn't make any money on their DNS service and it will only help them at this point. I moved mine Saturday and it was a)relatively painless and b)seems to work faster than joker did on a good day.
      There's a common misconception throughout the slashdot comments that domain registration and DNS service are the same. They aren't. You can keep joker.com as your domain registar an
    • We're the internet here, and if this hacker gets found, make an example of him.. he should be in deep debt for the rest of his life. THAT'll scare these script idiots...

      You're assuming that the DDoS is being run by a script kiddy. But if the script kiddy is in the employ of a Romanian mafiosa gang who're trying to extort a couple of million of protection money from Joker (or a Joker client) ... oh, there's someone at the door for you. Don't answer that call!
  • I just hope that these rapscallions are punished properly.
  • Why? That's easy ... (Score:2, Interesting)

    by Keyslapper (852034)
    Most of the phishing scams and obscene spam (farm girl on farm animal type of stuff) I get in my inbox and most of the popups I see on the internet are joker registrations. Half the time, these are completely out of the blue - I don't get surprised when I get this stuff jumping random links from altavista, but when I'm cruising gamebanshee, even very mild porn is out of place. And the spam is just inexcuseable. Before anyone suggests the obvious - like a virus or malware for the popups, I get this on Fre
    • The problem is that Joker usually doesn't appear concerned about the activities it's customers engage in (AUP notwithstanding), so it might be that someone out there saw one too many popup or phishing scam coming out of a Joker domain and got no satisfaction at the abuse desk.

      So, when you find that the spammy domains are registered through Joker... do you report them to Joker as AUP violations? If so, what kind of response do you get? If not, how can they be expected to take action?
      • Uh, yes. I do report them. I'm pretty foolish from time to time, but I'd hardly complain about something like this in such a public forum if I hadn't at least given them the chance to correct the issue.

        Well, I did report them at first. If I haven't tossed or misplaced the old messages, I've probably still got a couple hundred floating around somewhere that I sent to abuse@joker.com along with every other relevant address I could find, regarding phishing scams and pornographic spam. I was very dilige
  • /. effect (Score:2, Funny)

    by switchfutguy (880698)
    well this was a great idea...they've been hit by a massive DDoS attack and then we decide to slashdot their main website...not a good day for them.....
  • Old news (Score:3, Informative)

    by rueger (210566) on Monday March 27, 2006 @10:06AM (#15002780) Homepage
    The DDOS attack was actually middle of last week. Joker.com is now operating fine. Timeliness is important when one posts stuff like this, or at least enough editorial sense to edit for the past tense and to check out what is being said.

    I've used joker.com for years. It's significantly cheaper than Network Solutions and other US registrars and I've never had a problem.
  • by tinkertim (918832) * on Monday March 27, 2006 @10:15AM (#15002859) Homepage
    BIND comes out of the box ready to answer requests from anyone, digging the roots itself and caching. Most people don't set it otherwise, and most 'leading' control panels don't advise you to do much of anything about it. However in cases like this, all of the hardening in the world isn't going to help you if the botnet is as big as the one that got Joker.

    Fortinets, ciscos, Junipers all handle a set number of sessions. Some as low as 1500 - 2000, throw those away when you're talking about a large botnet. Depending on how big the botnet is, and how diverse the attacking blocks are sometimes there is very little to do other than wait it out. Even with higher end Fortinets that support up to 35k sessions, if you have 100k uniques over 30k blocks .. well you're just screwed. Your firewall will either shut out all traffic, or open wide, depending on how its set until the attack subsides.

    DNS records must remain public in order to resolve anything. Sorry folks, but if the network you pissed off is large enough .. there's very very little that can be done about it given hardware most medium to medium-large companies use. They come on fast and just do not stop.

    Some pretty scary chit, especially if you are the one who gets called to deal with it. If you want to yell at someone about it, take your pick from one of the thousands of shared web hosting providers who provide a nice comfy woumb for these networks to grow.

    So the next time your host tells you that they've disabled exec(), passthru() and shell_exec() in php for security and restricted access to wget and lynx, go a little easier on them. This is why. They have no control over what their users upload and make available to the world.

    Even well hardened servers are easy targets if some jackass uploads phpbb version 1. If any script interpreter can make shell calls, you ought to be checking sockets and connections often.

    lsof is your friend, learn how to use it :) Takes you right to them.
  • by petrus4 (213815) on Monday March 27, 2006 @10:16AM (#15002877) Homepage Journal
    ...in his recent interview, but I don't think he went far enough. He said that DNS is the Achilles' heel of the Web. I believe it's the primary vulnerability of the Internet in general. Virtually all the "who governs the net" garbage would be a non-issue if it wasn't for the name heirarchy.

    What we need is an entirely peer to peer adaptation of the Web using DHT [wikipedia.org] as an addressing system, where the hash of the file itself serves as its' address. That would solve (at least) two major problems:-

    a) It'd get rid of the abovementioned "Internet governance" BS as mentioned above. I believe we could still have an entirely hyperlinked/relational/semantic Web using a DHT system...it just initially might require some more work. The reason why this would eliminate the TLD issue though is because the naming system itself would become irrelevant. It's worth remembering that DNS was originally developed by scientists/academics. If they'd remained the only people using it, it would have worked acceptably. Unfortunately however, the commercialists came along later and fucked it up, which they tend to do to everything they get their hands on. If the commercialists still want the old DNS/TLD system, let them keep it. The DHT system could be implemented for those of us interested in more productive uses of the network.

    b) It would at least go a long way towards putting a final nail in the coffin of the {RI,MP}AA's ability to track/identify (and therefore sue) anybody using p2p filesharing. No DNS means no named websites, and no named websites means no centre of gravity/vulnerability to make the {RI,MP}AA's lives easier.

    For those of you who think I'm insane, realise that to a degree it's already been done with the Kad p2p network. Anyone connecting to Kad is only able to view (to the untrained or non-mechanical eye, at least) a totally incomprehensible array of numerical strings and file hashes. It might be traceable to individual users, but not easily. What we need to do is figure out how to create an adapted version of HTTP that is able to rely on a machanism similar to Kad as its' trasit/addressing system.

    In terms of coding this, I'd have no idea even where to begin myself...so I guess all I can hopefor is that someone else out there who could is sufficiently interested in the idea to try it.
    • I don't see how P2P could possibly be as secure as a server based system. How do you know who your neighbors are? Do you trust that they're really sending you to your bank, or microsoft, or _insert_potentially_sensitive_website_here? Just look at P2P now, it's hard enough to find some files without 100s of corrupted or fake versions. The security implications of allowing everyone to have a say in DNS could easily be catastrophic unless I completely misunderstand you.
      • Just look at P2P now, it's hard enough to find some files without 100s of corrupted or fake versions.

        This is only difficult because it is not known in advance which files are fake and which aren't. As far as eMule/Kad are concerned, services like DonkeyFakes have existed, but they've generally ceased operations because of fears of a lawsuit.

        That in essence however is what we would need...some type of verification mechanism which can tell people in advance which hashes represent genuine files, and which don'
  • It's cute how these little troublemakers go around acting like mobsters with their techno threats. If we can send them money via wire transfer, then why isn't it possible to track that transaction and nail the collector ? Then you just go up the food chain and find his buddies. Sure, it doesn't solve the problem of botnets, but if you're able to take down enough of these kids to scare the others it could cause a significant reduction in frequency of DDoS attacks.

    I think we can agree that a self-respectin
  • This happened to EasyDNS [easydns.com] a while back. They ended up moving part of their DNS infrastructure behind Prolexic [prolexic.com], which appears to have helped.

    Prolexic is the brainchild of Barrett Lyon [google.com], who seems to have some experience fighting DDoS attacks. I'd be interested to see how well Prolexic's service actually works, but it seems technically sound to me.
  • I've been a happy Joker customer for years. I started having DNS issues the middle of last week so I fired them off an email asking them if they were experiencing a DoS attack. Here was their response:

    Dear Sir/Madam,

    thank you for your email.

    Unfortunately there is a DDOS Attack on Joker.com Nameservers.

    Joker.com currently experiences extremely massive distributed denial of service attacks against
    nameservers.

    This affects the DNS resolution of Joker.com itself, and also domains which use the Joker.com
    nameserve

fortune: cpu time/usefulness ratio too high -- core dumped.

Working...