[Outages-discussion] [outages] NeuStar UltraDNS ? ** Why DDOS Neustar?

Michael Christian mchristi at yahoo-inc.com
Wed Jul 11 17:15:36 EDT 2012


3 common reasons why companies like NeuStar get DDOS'd:

1) To make a point or show off in the abuser community.  UltraDNS, by claiming to be the only DNS provider invulnerable to DDOS, has painted a big target on their chest.  The bad guys like to take pot shots at it.

2) Collateral damage.  Any multitenant service provider will tend to see collateral damage when one of their clients is attacked.  And those dependencies can get complicated.  Case in point: 
	a) Blue Security builds Blue Frog software, which autoreplies to spammers, spamming them back.
	b) Spammers get pissed, DDOS Blue Frog
	c) Blue Sec signs up with Prolexic for DDOS mitigation
	d) Spammers DDOS Prolexic, at the DNS layer
	e) UltraDNS, who serves the DNS layer for Prolexic, goes down
	f) Internet crumbles
No one ever meant to hurt UltraDNS directly (or Amazon, or any of their other customers who went down).  Blue Sec was the target, and the rest was just collateral damage.

3) Extortion.  "Wire me $1000 and I'll stop attacking you."  I don't know if UltraDNS has seen this, but we've definitely seen it at Yahoo.  Seriously.  $1000.

-Mike Christian
(ran DDOS mitigation at Y the last few years)


-----Original Message-----
From: outages-discussion-bounces at outages.org [mailto:outages-discussion-bounces at outages.org] On Behalf Of Jeremy Chadwick
Sent: Wednesday, July 11, 2012 12:56 PM
To: Joseph Jackson
Cc: outages-discussion at outages.org
Subject: Re: [Outages-discussion] [outages] NeuStar UltraDNS ? ** Why DDOS Neustar?

This question is basically unanswerable unless you have actual communication occurring with the individuals who are doing the DDoS.
You'd have to ask them why they're doing it.

The simple version is this: I imagine many people (individuals, small companies, large companies) rely on UltraDNS to act as their authoritative nameservers for their domain(s).

Malicious individuals want to take a site offline -- the reason doesn't matter (ever) because the effects are the same no matter what the reason (in fact there doesn't even have to be an incentive, it can be as simple as "some guy/guys were bored").  They look up the common denominator using dig and/or whois.  "Looks like they only use UltraDNS, with no other tertiaries..."  You can figure out the rest.  But as I said, the motive can be anything ranging from financial gain to boredom, so try not to get too caught up in pondering the reasons.  Sometimes there isn't a reason.

-- 
| Jeremy Chadwick                                   jdc at koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Mountain View, CA, US                                            |
| Making life hard for others since 1977.             PGP 4BD6C0CB |

On Wed, Jul 11, 2012 at 12:38:03PM -0700, Joseph Jackson wrote:
> I always wonder what the motivation is behind doing a DDoS attack against someone like Neustar.  What would be the gain on taking them down?  I guess apart from corporate warfare but I find that to be kind of unlikely.
> 
> 
> 
> From: outages-bounces at outages.org [mailto:outages-bounces at outages.org] 
> On Behalf Of Kuzmowycz, George
> Sent: Wednesday, July 11, 2012 2:14 PM
> To: 'frnkblk at iname.com'; 'Randy Johnson'; outages at outages.org
> Subject: Re: [outages] NeuStar UltraDNS ?
> 
> UltraDNS just sent an e-mail to customers that they are under a DDoS that took down their Hong Kong node.
> 
> "We are proactively defending the attack on our network and working with our upstream telecommunications providers to further mitigate the traffic originating from their networks."
> 
> From: outages-bounces at outages.org [mailto:outages-bounces at outages.org] On Behalf Of Frank Bulk
> Sent: Wednesday, July 11, 2012 2:48 PM
> To: 'Randy Johnson'; outages at outages.org
> Subject: Re: [outages] NeuStar UltraDNS ?
> 
> Is the issue with DNS, accessing their site, or something else?  Can you share some more details?
> 
> Frank
> 
> From: outages-bounces at outages.org [mailto:outages-bounces at outages.org] On Behalf Of Randy Johnson
> Sent: Wednesday, July 11, 2012 1:36 PM
> To: outages at outages.org
> Subject: [outages] NeuStar UltraDNS ?
> 
> Anyone using Ultra DNS ?
> Are you seeing issues ?
> 
> From our side, Ultra appears to be up/down/up since about 0900 PDT today.
> 

> _______________________________________________
> Outages-discussion mailing list
> Outages-discussion at outages.org
> https://puck.nether.net/mailman/listinfo/outages-discussion
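Added example, not part of the original thread or written by any of its participants: the thread describes zones that rely on a single DNS provider and outages that propagate through a provider's own DNS dependencies, and this sketch audits your own zones for both. The zone names and NS sets are constructed sample data, and identifying a provider by the last two labels of the NS hostname is an assumption.

```python
"""Audit which single DNS provider outage would take each zone offline."""

# Constructed sample data: zone -> authoritative nameserver hostnames.
# For real zones this would come from `dig +short NS <zone>`.
NS_RECORDS = {
    "shop.example":      ["ns1.dns-a.example", "ns2.dns-a.example"],
    "blog.example":      ["ns1.mitigator.example", "ns2.mitigator.example"],
    "mitigator.example": ["ns1.dns-a.example", "ns2.dns-a.example"],
    "bank.example":      ["ns1.dns-a.example", "ns1.dns-b.example"],
    "dns-a.example":     ["ns1.dns-a.example", "ns2.dns-a.example"],
    "dns-b.example":     ["ns1.dns-b.example", "ns2.dns-b.example"],
}


def provider_of(ns_host):
    """Assumption: the last two labels of an NS hostname identify its operator."""
    return ".".join(ns_host.rstrip(".").lower().split(".")[-2:])


def zone_survives(zone, down, records, seen=frozenset()):
    """True if at least one nameserver of `zone` is still reachable when the
    providers in `down` are offline, following the nameservers' own zones."""
    for host in records.get(zone, []):
        provider = provider_of(host)
        if provider in down or provider in seen:
            continue  # provider offline, or a dependency loop already being checked
        if provider == zone or provider not in records:
            return True  # self-hosted via glue, or no data: assume reachable
        if zone_survives(provider, down, records, seen | {zone}):
            return True
    return False


def single_points_of_failure(records):
    """Map each zone to the providers whose outage alone makes it unresolvable."""
    providers = {provider_of(h) for hosts in records.values() for h in hosts}
    return {
        zone: sorted(p for p in providers if not zone_survives(zone, {p}, records))
        for zone in records
    }


if __name__ == "__main__":
    for zone, spofs in single_points_of_failure(NS_RECORDS).items():
        print(f"{zone:20} {', '.join(spofs) or 'no single-provider dependency'}")
```

In the sample data, blog.example never lists dns-a.example as a nameserver yet still fails with it, because its mitigation provider's own zone is hosted there; bank.example, split across two providers, has no single-provider dependency.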
