[ISN] GoDaddy whacked by DDoS attack

From: InfoSec News (alerts@private)
Date: Mon Mar 12 2007 - 22:29:29 PST


http://www.cbronline.com/article_news.asp?guid=D137B95B-B05A-4838-A584-CD1DD71DDE26

By Kevin Murphy
12th March 2007

The Go Daddy Group Inc has been hit by a massive distributed denial of 
service attack that took down many of its customers' websites and other 
services for several hours.

The company, the largest registrar of internet domain names and one of 
the largest web hosting providers, said it was the subject of 
"large-scale, sophisticated attacks" that lasted four to five hours.

Services hosted at one of the company's data centers suffered sluggish 
or zero response times as a result. Its other data centers were 
unaffected.

GoDaddy chief information security officer Neil Warner told us that the 
attack was a SYN flood that targeted a particular under-protected 
service. We have agreed not to name the targeted service, at the request 
of GoDaddy.

Other services that are hosted at the targeted data center, including 
many customer websites, were also affected.

"This was a little different for us," Warner said. "Usually when we see 
a DDoS, somebody's mad at a particular hosting customer... We're 
probably always under a DDoS attack of some kind."

The attack started at 6.50am Arizona time but it was clearly not, as 
some had speculated earlier in the day, a technical glitch caused by the 
unusually early switch to Daylight Savings Time in the US.

It's not beyond the bounds of possibility that the attacker chose 
yesterday morning to attack because GoDaddy had been criticized in the 
media on Friday for its unclear position on patching its servers to the 
new DST schedule.

Under recent US energy legislation, DST, in which the clocks "spring 
forward" one hour, was pulled forward to March 11, the second Sunday in 
March, rather than the first Sunday in April, which this year is April 
1.

GoDaddy is based in Arizona, a state unusual in that it does not observe 
the switch to DST.

Warner declined to speculate on the motive for the attack. His team is 
poring over packet captures to see if they can determine the source or 
motivation.

Dozens of bloggers and web forum posters complained yesterday that their 
websites had gone dark for one or more hours. Some claimed to be losing 
money due to the downtime.

According to Warner, the affected service was seeing 70,000 packets per 
second at the height of the attack. For comparison, that's about 20,000 
more packets per second than the SYN flood that took down The SCO 
Group's website in 2003.

Ordinarily, the GoDaddy infrastructure would be able to handle such an 
attack, but the attacker appeared to have found a weak spot.

A SYN flood is a well-documented form of DDoS attack that exploits the 
three-way handshake involved in setting up a TCP-IP conversation.

In normal TCP-IP handshakes, the computer initiating a connection sends 
a SYN, for synchronize, packet. The recipient sends back a SYN-ACK, or 
synchronize acknowledgement, to which the sender responds with an ACK, 
for acknowledgement.

In a SYN flood attack, the attacker spoofs the IP address of the SYN 
packet's source, so that SYN-ACKs are never responded to, and the 
victim's resources are tied up managing tens of thousands of bogus 
sessions.

Warner said his security and network teams managed to contain the 
problem and put preventative measures in place to mitigate future 
attacks.


_________________________________________
Visit the InfoSec News Security Bookstore
http://www.shopinfosecnews.org



This archive was generated by hypermail 2.1.3 : Mon Mar 12 2007 - 22:45:14 PST