

Internet's DNS infrastructure has been under attack for days. Anyone else noticed? - gabriele

This is an email I received from my DNS hosting provider after reporting an unusual spike in the number of queries for one of my zones that has been being hit steadily by nearly 140k queries per day since November 29th.

Since November 29th, 2011, about 150,000 domains in [DNS hosting provider name] management have been under an ongoing DNS attack.

This is not an attack on [DNS hosting provider name], but actually an attack on specific domains. We have confirmed this since we have moved many of these domains to different providers and the attack traffic has moved with it.

These attacks represent about 15% of all domains under [DNS hosting provider name]. These attacks tend to come for a few hours and then go away; but they do come back, and they are every day. These DNS attacks are actual queries to live domains that [DNS hosting provider name] is authoritative for. Once again, these are an attack against the specific domain and not against [DNS hosting provider name].

The queries are coming from the Asia / Europe region and from multiple networks / peers / locations. Because of the location of the attack it is hitting many of our nodes. This traffic is hitting our name servers in Hong Kong, Los Angeles, San Francisco, San Jose, Frankfurt, and London.

[DNS hosting provider name] is not alone in noticing these attacks. This same attack has been affecting many networks that host name servers worldwide.

You can read more about these attacks and how they are affecting other networks at:

https://lists.dns-oarc.net/pipermail/dns-operations/2011-December/thread.html#7852
starts at: https://lists.dns-oarc.net/pipermail/dns-operations/2011-December/007852.html

http://mailman.nanog.org/pipermail/nanog/2011-November/thread.html#42449
starts at: http://mailman.nanog.org/pipermail/nanog/2011-November/042449.html

http://seclists.org/nanog/2011/Dec/57

Once again, this is not an attack on [DNS hosting provider name]. This is an attack on hundreds of thousands of domains worldwide. As such, this attack is hitting all major providers and networks. The larger the provider, the larger the attack. Most providers are getting hit by about 100Mbps to 200Mbps. In our case it is several Gbps at a time due to the vast number of domains we are authoritative for.

These attacks are legitimate queries to valid domain names on our systems.

You can think of this attack just like any other resource intensive attack. If someone requested your website millions of times, they would be using resources of your web host as well.
======
dangrossman
Is [DNS Hosting Provider] DNSMadeEasy?

4 of my domains seem to be part of this attack. The DNS query spike started on
the date mentioned in your links and I really didn't know what was going on.
Daily hits went from tens of thousands to hundreds of thousands.

To avoid going over my monthly quota at DME I was forced to move DNS for those
4 domains off my account and to my web hosting company.

I wish I had seen your post here earlier!

