eWeek Security Watch
December 2, 2006 10:14 AM

EveryDNS Under Botnet DDoS Attack

UPDATED: EveryDNS, a company that offers free domain name management services, has been hit by a massive DDoS (distributed denial-of-service) attack that affected thousands of sites, including OpenDNS (a sibling startup that runs the PhishTank anti-phishing initiative).

The 400Mbps botnet attack did not affect the core recursive DNS resolution service offered by OpenDNS, but the company's home page and corporate blog were crippled for about 90 minutes on Dec. 1.

The attack appears to be targeting EveryDNS, a sibling business owned and operated by OpenDNS CEO David Ulevitch. OpenDNS uses services from EveryDNS.

At 10:00 a.m. EST on Dec. 2, EveryDNS said the sustained attack continues. "[It] is currently being mitigated and service is restored. All services are under close watch by a team of network administrators around the world," according to a note on the home page.

The last time the Web mob (spammers and phishers using botnets) decided to go after a security service, Blue Security was forced to fold and collateral damage extended to several businesses, including Six Apart.

UPDATE, 12:55 p.m. Eastern:

Just got off the phone with a sleep-deprived Ulevitch, who worked through the night with folks from nLayer and BitGravity to head off the attack with high-level traffic filtering.

The attack started sometime Friday afternoon and, from all indications, was targeting Web sites that used the free DNS management services. "We were collateral damage," Ulevitch explained. "They were going after the DNS provider of these sites and we took the brunt of it."

At the height of the DDoS bombardment, EveryDNS was being hit with more than 400Mbps of traffic at each of its four locations.

Because law enforcement is involved, Ulevitch was hesitant to release details of the actual target, but there are signs that some of the targets were "nefarious domains" that have since been terminated.

The attack continues, but it has been largely contained through high-level traffic filtering and some nifty architecture tricks at the DNS level.

"The bigger problem is that the network providers are hesitant to do any real filtering. They just prefer to block the traffic to stop the attack but that's exactly what the attackers want. They want to knock you offline and the network providers take the easy way out and the attackers accomplish their goal," Ulevitch said.

Although EveryDNS has been hit by DDoS attacks in the past, he said this was the first "major outage" in five years.

Ulevitch said PhishTank, which uses its own DNS, was not affected. "I've always been concerned about PhishTank being a big target [for these kinds of attacks] but, in this case, we took a hit because someone else was the target."

"We've figured out who these targets were and we've terminated a bunch of domains. We don't want to be the free DNS providers for miscreants on the Internet," he added.

Comments (4)

Anonymous :

Ulevitch said PhishTank, which uses its own DNS, was not affected. "I've always been concerned about PhishTank being a big target [for these kinds of attacks] but, in this case, we took a hit because someone else was the target."

www.prolexic.com: this is their business.

jackson leroy :

Prolexic.com's founder now runs bitgravity. Prolexic has had its own problems since he left.

Ziff Davis Enterprise