EasyDNS is under DoS attack (opens in new tab)

(blog.easydns.org)

69 pointsnoodly14y ago18 comments

18 comments

18 comments · 10 top-level

noodlyOP14y ago· 2 in thread

Posting this thread here, because HN uses EasyDNS.

If you have problem accessing HN, here are IPs, that you can put in your /etc/hosts file:

   67.23.12.57      ycombinator.com
   174.132.225.106  news.ycombinator.com

or you can just wait, until attack is over.

fl3tch14y ago

Interesting. I couldn't access the site about 20 minutes go. Running "host news.ycombinator.com" returned nothing.

mike-cardwell14y ago

TTL for news.ycombinator.com A record is 20 minutes. Such a small value doesn't lend it's self well to DOS attacks against DNS servers. Useful if you need to change your DNS records quickly though.

tshtf14y ago· 1 in thread

I use EasyDNS, but this issue didn't affect me personally.

EasyDNS has built-in integration with Amazon's Route53, which will automatically push your DNS records to Amazon when you change them on the website. What I've done is used the 3 EasyDNS nameservers along with 3 from Route53. When one service is being DoS'ed, the requests will timeout and move to the next nameserver.

biot14y ago

Thanks for the heads-up. I wasn't aware of the service before and just implemented this.

For others, here's the gist. This assumes you've already got things setup for your domain in the route53 management console. In the easyDNS web interface:

  1. Menu "Your Info": edit, set the "Beta Access" to "Beta User"
  2. Menu "Preferences": set "Enable Route53 Support" to "Yes"
  3. Manage domain, Domain Overview, "External" tab, click "route 53"
  4. Fill in AWS Zone ID, Access Key ID, and Secret Access Key
     (you can create dedicated access/secret keys for EasyDNS)
  5. Click "Export from DNS" link and confirm

Then go to your registrar and add the additional nameservers to your domain. Once setup, every change you make in easyDNS will propagate to route53.

dangrossman14y ago· 1 in thread

I wonder if it's the same Chinese source as the attack on DNSMadeEasy in November and December? It was a multiple-gigabit, sustained attack on hundreds of thousands of domains. 4 of my domains were part of it, and I had to move them to another DNS provider to avoid going over my 10 million monthly queries limit.

I didn't really hear anything about it except from another DME customer that posted on HN. DME never even informed anyone about the attack.

rkalla14y ago

Dan, i have been curious about DME as a provider for a few months. Very interesting to read this, thank you for posting it.

AdamGibbins14y ago· 1 in thread

This seems to be affecting HN. I've found that when that occurs using http://hackerne.ws works fine.

mjb14y ago

The authority for hackerne.ws is domaincontrol (GoDaddy, apparently) while the authority for news.ycombinator.com is EasyDNS.

pors14y ago· 1 in thread

I couldn't access HN for a while because of it (all good now obviously)

wbhart14y ago

It's still an issue for me. I'm using the IP addresses for now. They say on their blog that this is likely propagation issues though.... and it's back.

anonfoobar114y ago· 1 in thread

What are the chances this DoS relates to the recent algorithmic-complexity vulnerabilities?

wbhart14y ago

Do you have a reference? You are not talking about the article to do with the US drone are you? Edit: oh I see you mean this: http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec...

vinhboy14y ago· 1 in thread

is there anything we can do right now, to fix this problem while the attack is under way?

paulmok14y ago

Yeah - I have just been able to mitigate by exporting to route53 (via their system) and then adding the additional route53 dns servers to the root chain. Ugh :(

Fortunately for me I had the aws identity already setup and just had to do a new "export" to update the records.

noodlyOP14y ago

Status of EasyDNS is also posted on twitter:

https://twitter.com/#!/easyDNS

There is more information about that attack than on status blog:

   "The attack is multi-faceted, multi-gb/sec SYN flood, ICMP and DNS flood.
    Working with Prolexic to get DNS2 back online ASAP"

   "We are still taking heat. We expect that to drop over time.
    We are still putting in mitigation and workarounds."

hwatson14y ago

The blog seems to have gone down. It's just a blog entry that says:

> We are currently experiencing an Denial of Service Attack against DNS1, DNS2 and DNS3 anycast strands.

> We are working on mitigation and will post updates as they become available.

michaelcampbell14y ago

Do these type of attacks typically occur from some state-run organized cluster of computers, or are they from zombied/infected "run of the mill" boxes on everyone's desktop?

j / k navigate · click thread line to collapse

18 comments

18 comments · 10 top-level

noodlyOP14y ago· 2 in thread

Posting this thread here, because HN uses EasyDNS.

If you have problem accessing HN, here are IPs, that you can put in your /etc/hosts file:

   67.23.12.57      ycombinator.com
   174.132.225.106  news.ycombinator.com

or you can just wait, until attack is over.

fl3tch14y ago

Interesting. I couldn't access the site about 20 minutes go. Running "host news.ycombinator.com" returned nothing.

mike-cardwell14y ago

TTL for news.ycombinator.com A record is 20 minutes. Such a small value doesn't lend it's self well to DOS attacks against DNS servers. Useful if you need to change your DNS records quickly though.

tshtf14y ago· 1 in thread

I use EasyDNS, but this issue didn't affect me personally.

biot14y ago

Thanks for the heads-up. I wasn't aware of the service before and just implemented this.

For others, here's the gist. This assumes you've already got things setup for your domain in the route53 management console. In the easyDNS web interface:

  1. Menu "Your Info": edit, set the "Beta Access" to "Beta User"
  2. Menu "Preferences": set "Enable Route53 Support" to "Yes"
  3. Manage domain, Domain Overview, "External" tab, click "route 53"
  4. Fill in AWS Zone ID, Access Key ID, and Secret Access Key
     (you can create dedicated access/secret keys for EasyDNS)
  5. Click "Export from DNS" link and confirm

Then go to your registrar and add the additional nameservers to your domain. Once setup, every change you make in easyDNS will propagate to route53.

dangrossman14y ago· 1 in thread

I didn't really hear anything about it except from another DME customer that posted on HN. DME never even informed anyone about the attack.

rkalla14y ago

Dan, i have been curious about DME as a provider for a few months. Very interesting to read this, thank you for posting it.

AdamGibbins14y ago· 1 in thread

This seems to be affecting HN. I've found that when that occurs using http://hackerne.ws works fine.

mjb14y ago

The authority for hackerne.ws is domaincontrol (GoDaddy, apparently) while the authority for news.ycombinator.com is EasyDNS.

pors14y ago· 1 in thread

I couldn't access HN for a while because of it (all good now obviously)

wbhart14y ago

It's still an issue for me. I'm using the IP addresses for now. They say on their blog that this is likely propagation issues though.... and it's back.

anonfoobar114y ago· 1 in thread

What are the chances this DoS relates to the recent algorithmic-complexity vulnerabilities?

wbhart14y ago

Do you have a reference? You are not talking about the article to do with the US drone are you? Edit: oh I see you mean this: http://www.cs.rice.edu/~scrosby/hash/CrosbyWallach_UsenixSec...

vinhboy14y ago· 1 in thread

is there anything we can do right now, to fix this problem while the attack is under way?

paulmok14y ago

Yeah - I have just been able to mitigate by exporting to route53 (via their system) and then adding the additional route53 dns servers to the root chain. Ugh :(

Fortunately for me I had the aws identity already setup and just had to do a new "export" to update the records.

noodlyOP14y ago

Status of EasyDNS is also posted on twitter:

https://twitter.com/#!/easyDNS

There is more information about that attack than on status blog:

   "The attack is multi-faceted, multi-gb/sec SYN flood, ICMP and DNS flood.
    Working with Prolexic to get DNS2 back online ASAP"

   "We are still taking heat. We expect that to drop over time.
    We are still putting in mitigation and workarounds."

hwatson14y ago

The blog seems to have gone down. It's just a blog entry that says:

> We are currently experiencing an Denial of Service Attack against DNS1, DNS2 and DNS3 anycast strands.

> We are working on mitigation and will post updates as they become available.

michaelcampbell14y ago

Do these type of attacks typically occur from some state-run organized cluster of computers, or are they from zombied/infected "run of the mill" boxes on everyone's desktop?

j / k navigate · click thread line to collapse