[ISN] Blue Security Kicked While It's Down

From: InfoSec News (isn@private)
Date: Fri May 19 2006 - 00:15:54 PDT


By Brian Krebs 
May 17, 2006

Hours after anti-spam company Blue Security pulled the plug on its
spam-fighting Blue Frog software and service, the spammers whose
attack caused the company to wave the white flag have escalated their
assault, knocking Blue Security's farewell message and thousands more
Web sites offline.

Just before midnight ET, Blue Security posted a notice on its home
page that it was bowing out of the anti-spam business due to concerted
attacks against its Web site that took millions of other sites and
blogs with it. Within minutes of that online posting, bluesecurity.com
went down and remains inaccessible at the time of this writing.

According to information obtained by Security Fix, the reason is that
the attackers were hellbent on taking down Blue Security's site again,
but had trouble because the company had signed up with Prolexic, which
specializes in protecting Web sites from "distributed
denial-of-service" (DDoS) attacks.

These massive assaults harness the power of thousands of hacked PCs to
swamp sites with so much bogus traffic that they can no longer
accommodate legitimate visitors. Prolexic built its business catering
to the sites most frequently targeted by DDoS extortion attacks --
chiefly, online gambling and betting houses. But the company also
serves thousands of other businesses, including banks, insurance
companies and online payment processors.

For the past nine hours, however, most of Prolexic's customers have
been knocked offline by an attack that flanked its defenses. Turns out
the attackers decided not to attack Prolexic, but rather UltraDNS, its
main provider of domain name system (DNS) services. (DNS is what helps
direct Internet traffic to its destination by translating
human-readable domain names like "www.example.com" into numeric
Internet addresses that are easier for computers to understand.)

UltraDNS is the authoritative DNS provider for all Web sites ending in
".org" and ".uk," and also markets its "DNS Shield" service designed
to help sites defend against another, increasingly common type of DDoS
-- one that targets weaknesses inherent in the DNS system.  
(Incidentally, UltraDNS was recently acquired by Neustar, which in
turn is responsible for handling all ".biz" domain registrations, and
for overseeing the nation's authoritative directory of telephone

In this case, at least, it does not appear that the DNS Shield service
worked as advertised. Earlier today, I spoke with Prolexic founder
Barrett G. Lyon, who told me the attack on UltraDNS had knocked about
80 percent of his company's clients offline, or roughly 2,000 or so
Web businesses. Most of those businesses also remain offline as of
this writing.

According to Lyon, the unknown attackers hit a key portion of
UltraDNS's network with a flood of spoofed DNS requests at a rate of
around 4 to 5 gigabits per second, which is enough traffic to make
just about any Web site on the Internet fall over (many Internet
routers can handle only a few hundred megabits of traffic before they
start to fail). But this was no normal DDoS attack-- it was a kind of
DDoS on the DNS system that security experts say has become alarmingly
more common over the past six to eight months.

Known as DNS amplification attacks or "reflected DNS attacks," these
kinds of DDoS assaults increase the traffic hurled at a victim by
orders of magnitude. In a nutshell, the attackers find a whole bunch
of poorly configured DNS servers and use them to create and send
spoofed DNS requests from systems they control to the DNS servers they
want to cripple. Because the DNS requests appear to be coming from
other trusted DNS servers, the target servers have trouble
distinguishing regular, legitimate DNS lookups from ones sent by the
attackers. Sustained for long enough, the attack eventually overloads
the victim's DNS servers with queries and knocks them out of

To put the raw power of DNS amplification into perspective, consider
the attack that knocked Akamai offline in the summer of 2004. For
anyone unfamiliar with this company, Akamai sells a rather pricey
service that lets deep-pocketed companies like FedEx, Microsoft and
Xerox mirror their Web site content at thousands of different online
servers, making DDoS attacks against their sites extremely difficult.

Akamai was for a long time considered the gold standard until one day
in June 2004, when a DDoS attack knocked the company's services
offline for about an hour. Akamai never talked publicly about the
specifics of the attack, but several sources close to the
investigation told me later that the outage was the result of a
carefully coordinated DNS amplification attack -- one that was stopped
when the attackers decided they had made their point (which was no
doubt to demonstrate to would-be buyers of their DDoS services that
they could knock just about anyone off the face of the Web.)

So where am I going with all of this? Well, UltraDNS marketed its DNS
Shield as a protection against exactly these same types of
amplification attacks. Only in this case it doesn't appear to have
worked -- though, to be fair I haven't heard UltraDNS's side of the
story since they have yet to return my calls. No doubt they are busy
putting out fires. At any rate, score another one for the spammers, I


Update, 7:46 p.m. ET: I heard back from Neustar. Their spokesperson,
Elizabeth Penniman, declined to discuss anything about today's
attacks, saying only that "we have a handle on the situation and
continue to work with service providers to ensure the best possible
level of service to our customers."

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Fri May 19 2006 - 00:38:21 PDT