UltraDNS Service Outages Amazon after DoS Attack
By Partho, Gaea News NetworkThursday, December 24, 2009
In a sudden Denial-of-Service attack on DNS provider to Internet’s major e-commerce companies, UltraDNS suffered an outage for an hour. The DoS attack on UltraDNS was felt by thousands of online shoppers in Northern California. The attack hit Amazon including sites using EC2 and S3 services resulting in slowdowns and outages. It also hit some of the other sites like Walmart.com, Gap.com, Second Life (Linden Labs), Salesforce.com, SomaFM.com, and Expedia.com. According to Jeff Barr, the Lead Web Services Evangelist at Amazon.com, tons of sites were offline during this period.
The DoS attack was confirmed by NeuStar, the company that offers DNS service under UltraDNS. According to them, the trouble commenced at about 4:45 p.m. PST (7:45 p.m. EST).
Allen Goldberg, VP of Corporate Communications for NeuStar said that Their alarms went off within our systems immediately.
As the alarms was raised NeuStar started mitigation. Goldberg said
We needed to understand the pattern and signatures of the attacks. It was not a straight forward attack.” Once the patterns emerged, the malicious traffic was filtered and things started to return to normal.
The DoS attacks were targeted at Palo Alto, San Jose, and California node locations. The incident resulted in disproportionately increasing number of DNS queries directed to these node locations. The additional node locations within the UltraDNS infrastructure didn’t incur the same attack symptoms. As the DNS provider is overwhelmed with malicious requests for IP addresses, the system was overloaded and this obstructed legitimate users from reaching their destinations.
NeuStar Network Engineering teams were able to apply filters and mitigate the malicious attack at 01:30 GMT. With the filters applied the attack traffic dipped significantly, before the attack finally ceased at 01:45 GMT.
In an interesting revelation, Goldberg said that they also noted that the seven other major node locations within the UltraDNS network were not interrupted during the DoS attack, and were successfully answering queries.
Further, Goldberg speaking for UltraDNS Support Team, said that there is currently an investigation into the attack and its source.