Security Experts:

Potent DDoS Attack Hits Managed DNS Provider NS1

For all of last week and continuing into this week, major DNS and traffic management provider NS1 suffered a continuing and complex DDoS attack from unknown attackers with unknown motivation. 

It started on Monday May 16 with a company incident report noting, "We are observing a DDoS attack against the NS1 platform." A complex series of status updates over the next two days noted the ebb and flow of the attack – largely contained but with some impact on customers. Approximately 40 hours later NS1 closed the incident, reporting "we are considering this incident resolved," but was forced to open a new incident later on the same day.

In a blog post on May 23, NS1 CEO Kris Beevers summarized the previous week's events. The managed DNS network, he wrote, "came under a series of concerted assaults from a determined attacker... persisting even now, we sustained dozens of individual attacks leveraging a variety of strategies, exhibiting a rare degree of sophistication and scale."

Over the last year, DNS has replaced HTTP as the most common service targeted by application-layer attacks. "The attack surface and available bandwidth in the global DNS environment is massive and highly susceptible to DDoS attack activity," explained Dave Larson, Chief Operating Officer at Corero Network Security. "This is the case in any large networking environment, really. More importantly, sophisticated, multi-vector, adaptive DDoS attack campaigns are becoming more common. These techniques are used to profile and map out existing security solutions, and then the volume is turned up, or additional techniques are added to the mix to overcome the defense mechanisms in place."

This describes the attack against NS1: a sophisticated, multi-vector, adaptive DDoS attack campaign. Beevers described it as "combining an unusual degree of complexity, velocity, and persistence." It mixed basic traffic floods with sophisticated malicious direct DNS queries, random label attacks and malformed packet attacks.

It was also mobile. The most persistent attacks were against NS1's European infrastructure, but they also migrated to the US and Asia. The complex and evolving nature of the attack was largely contained by NS1, but it did cause some loss of service to customers, particularly in Europe.

Beevers is confident that it was NS1 itself rather than any of its customers that were the target of the attack; but he doesn't know either the attackers or their motivation. "Attacks can be motivated by any number of things, ranging from political intentions to business motivations to outright malice," he wrote. "We will not speculate further. However, we have contacted the appropriate law enforcement authorities and are working with them to investigate."

One possibility is that this attack was a proof of concept for more to follow. It seems to have been well-planned. Beevers told Ars Technica that earlier this year NS1 "'and other friends in the CDN space saw as well — a lot of probing activity,' attacks testing for weak spots in NS1's infrastructure in different regions." This could have been the preamble to last week's attack, where Beevers says, "the primary customer impact came from malicious direct DNS query traffic designed specifically to look like legitimate DNS traffic. In some cases, this traffic resulted in service impacting load on our DNS delivery systems due to the unique nature and volume of the traffic."

One thing is certain. "DDoS attacks against critical infrastructure like DNS are not going away." But Beevers suggests that the solution might be horizontal rather than vertical. So far, DNS providers have have acted individually, each "continually evolving the scale and sophistication of our networks to match those of the attacks themselves." The solution for customers, however, is to build in redundancy. Right now this is difficult; but it is a problem he believes the industry can solve together. He hopes that his comments will escalate "the dialog among our peers in the DNS space and shift the discussion back toward solutions that enable our collective customers to leverage our powerful technologies interoperably, which will result in a more secure and better internet for all."

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.