Network Solutions, a domain name registry and web hosting company, suffered from two consecutive distributed denial of service (DDoS) attacks. According to Shashi Bellamkonda, the company’s spokesman:

Jun 21, 2011 @ 13:46: Network Solutions experienced a distributed denial of service attack Monday afternoon, June 20, 2011 and again on Tuesday morning, June 21, 2011.  Our engineers worked quickly to mitigate the attacks and services are in the process of being restored.  We continue to monitor this situation, as potential risk still exists for these attacks to recur.

Many of Network Solutions’ customers complained of website nonavailability, no access to servers and email. The problem continued to persist for many customers well into the evening when the company’s official blog posted an update saying they were still working on it to block dos attack.

A DDos attack can make things too muddy for IT experts to see properly and often, the solution to such an attack takes a bit of time. The last such DDoS attack on the company was carried out in January 2009 and the company was hit in a similar way. According to the most recent update, Network Solutions’ servers and services are back to normal and customers can access their servers, websites and email as usual.

A group of hackers calling themselves LulzSec (Lulz Security) has claimed that they created the problems which made the CIA website unavailable for most of Wednesday evening.

LulzSec claimed, via a tweet, that they had downed the CIA website.

Tango down – CIA.Gov - for the lulz.

This claim has yet to be confirmed since it is very difficult to tell, at this point, whether it was actually their mischief, a DDoS attack or the fact that the claim made hundreds of people flock to the website to see if it really was down.

The group had been guilty of, twice, hacking the Senate website earlier this week. According to LulzSec, they did it

just for kicks

They claim that their main aim is to help government and other websites realize and fix the flaws in their security. They have also accepted responsibility for the hacking of Sony, Bethesda, PBS.org, including the gaming sites Minecraft and League of Legends. The hackers have also opened up a help line to take requests for hacking.

The group’s motto:

“Laughing at your security since 2011.”

Hacktivists Anonymous Group hit the government of Malaysia hard yesterday (and today) with a distributed denial of service attacks. Anonymous has accused the Malaysian government of unwarranted Internet censorship.

The main website www.Malaysia.gov.my was down (and at the time of reporting of this article – is still down).  The official comment from the Malaysian Communications and Multimedia Commission (MCMC) said that attacks on various official Malaysian government websites had started and most of the attacks lasted a couple of hours. Almost all the sites affected were of .gov.my domain. The government was not able to block DDoS attacks.

The whiplash effect from Anonymous comes forth, after the MCMC unilaterally asked the various Internet Service Providers in Malaysia to block a dozen of so file and video sharing websites – citing copyright law violations.

Malaysia has remained relative uncensored in the the Far East and enjoys a relatively liberal Internet economy. The moves by MCMC is seen by many Malaysians as a slow but calculated move to slowly start censoring the Internet the way Malaysian government sees fit – an action that is not being digested well by many, especially the Anonymous Group.

The operation is being dubbed “Operation Empire State Rebellion” and it will coincide witht he Flag Day in the US (the Flag Day is 14th of June and commemorates when the national flag of the United States of America was adopted in 1777).

The Operation by Anonymous would most likely be in the form of distributed denial of service attacks.

Federal Reserve is so far keeping mum about the whole thing, no official reply from them.

Here is the video that Anonymous posted.

Update: 7:41 Saturday (GMT) – US Chamber’s moving their website to DoSArrest was supposed to help solve their issue of being able to sustain a DDoS attack. Well unfortunately that did not turn out in their favor. As of writing of this article, the website for US Chamber is still down, and the A record was pointing at DoSArrest.
Anonymous can literally cripple mitigation service providers with their DDoS attacks.

Unless you literally can sustain and process over 50Gbps and 20/30 Million PPS, it would be very difficult for some provider to claim that they can protect you against the wrath of anonymous DDoS Attacks.

Update: 21:43 Monday (GMT) – The website for US Chamber is hosted at Rackspace. (See traceroute below). This is very interesting because Rackspace’s TOS/AUP explicitly states if a denial of service attack occurs (inbound or outbound), they will suspend the user account, or even, remove the account from their system all together.

Rackspace doesn’t enjoy the fame of being a network provider that can adequately defend against DDoS attacks. Whilst they have Arbor Peakflow implemented, and other mitigation devices, they generally use these to get a better visibility into their network (during a DDoS Attack).

Lets see how the attack will play out and what sort of DDoS Protection mechanism Rackspace will have in place to mitigate the attacks.

Traceroute for www.uschamber.com (which is hosted at Rackspace)

8.9.232.73	  xe-5-3-0.edge3.dallas1.level3.net
4.69.145.12	  ae-1-60.edge2.dallas3.level3.net  
4.59.36.50	  rackspace-m.edge2.dallas3.level3.net  
72.3.128.72	  vlan904-guard4.dfw1.rackspace.net  
72.3.128.53	  vlan903.core3.dfw1.rackspace.com  
72.3.128.53	  vlan903.core3.dfw1.rackspace.com  
72.3.129.153	  aggr126a.dfw1.rackspace.net  
72.32.118.236	   -

The hacking group Anonymous has recently cited that its next target is now the US Chamber of Commerce for DDoS Attacks on its official website.

The controversy stems from the US Chamber which has been aggressively advocating and promoting a bill called “PROTECT IP). (read article by CNet on PROTECT IP Bill here)

The ‘Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property’ Act – ‘PROTECT IP’, for short – will allow US Justice Department officials to force ISPs and search engines to block access to web sites it believes to be infringing US copyright laws, and would require other companies such as advertising network providers and payment processors to cease doing business with them.

In order to obtain a preliminary court order that the site is ‘dedicated to infringing activities’, the Justice Department must show that a web site is directed at US consumers and harms holders of US intellectual property.

Source: Thinq_

The attack which will most likely be a distributed denial of service attack, would start at 20:00 Hours (Eastern Standard Time), today (23rd of May) at the Official website (http://www.uschamber.com).

No word from US Chamber of Commerce on how they plan to block this DDoS or if they have even contracted with some company for DDoS protection.

Societe Generale’s CERT (Computer Emergency Response Team) recently released an Incident Response cheatsheet (in the public domain) for DDoS Attacks. You usually don’t see much of these around.

The cheatsheet can be viewed/downloaded from here: IRM-4 DDoS (PDF 196K)

Societe Generale’s Official CERT Page can be accessed: at:
http://cert.societegenerale.com/en/

The article examines how the FBI is investigating Amazon’s EC2 involvement in the attack against Sony’s PSN (Playstation Network).

The article in full can be read here.

Update: 8:25 Sunday (GMT) – Services are pretty much all restored, however, www.DirectNIC.com is still being blocked from many overseas location. It seems like their provider InterNAP is enforcing some Geo-block, so certain countries cannot access their network.

Update: As of 14:27 Friday (GMT) – www.DirectNIC.com was still down, and customers still affected.

Domain registrar DirectNIC has been under a distributed denial of service attack for the past few hours.

The attack is causing domain name resolution failures and many of their clients are suffering because of this. UNjobs.org for example was one client that was affected.

A twitter feed by DirectNIC is updating (somewhat) about the DDoS Protection they have implemented and how they are now mitigating the attack.

Domains that have lost visibility, should come back up once the DNS servers are up and running and re-propagation starts again.

As of 12:48 GMT, their website is still down, and we have received quite a few email updates from some clients who are still affected by the DDoS.

Quite a few clients are getting frustrated. Their ticket system was knocked off, because it too uses DirectNIC’s DNS.

DNS Attacks can be very punishing. Queries are UDP based, and as with DNS servers, they can come in large numbers from other DNS servers. It becomes inherently very difficult to distinguish between a genuine IP and one that is sending a malicious IP.

In normal circumstances of a DDoS attack on a Web Server, one could simply ‘null-route’ the customer’s IP address, but in DirectNIC’s case, they cannot do this. In their case not one client is affect, but almost everyone they host and provide domain management for.

Not a pretty situation to be in. Wish them luck in having this resolved.

This informative article can be read in its entirety http://www.zone-h.org/news/id/4739.

Here are some relevant videos that explain in a heuristic sense of what distributed denial of service attacks are.

Arbor Networks – PeakFlow DDoS

How a DDoS Attack Works

Cloud Application security and acceleration services company CloudFlare [read this article on CloudFlare's offering], recently updated its blog on how it can mitigate DDoS Attacks for its clients.

The blog entry on a customer’s testimonial of being a DDoS attack recipient and how CloudFlare saved the day, can be read here.

CloudFlare, essentially can be categorized as a CDN (Content Delivery Network), but with an added difference, their edge-network that they have, provides the necessary application level security that is much needed for users. Though they do not clarify if they address the OWASP threats, the additional level of security is however, much welcomed.

When a DDoS happens, CloudFlare has the ability to detect botnet or malicious traffic and depending on your settings on the CloudFlare control panel, you can opt for Captcha based response (strict security) before the request comes forth to your server. You can read more about the various levels of security they provide here.

However, it must be clarified, CloudFlare does not pitch themselves as a DDoS Attack mitigation provider. They will mitigate by virtue of their setup, DDoS attacks, but it a large DDoS attack comes through, you’re in trouble. CloudFlare at one point int time (for large attacks), will not block DoS traffic.

CloudFlare’s setup is such that the Nameservers of your hosted Domain, is theirs. So if a large DDoS comes through, CloudFlare can manually, deactivate you from the cloud, and hence then all traffic will by-pass their network and go to your Web server directly (in which, you will directly be on the receiving end of the distributed denial of service attack).