Lewis' Blog: Tales from the trenches of information technology


Fallout from GoDaddy’s recent DDoS experience


First, my heartfelt condolences to everyone who was impacted personally or financially by yesterday's DDoS attack against GoDaddy. That includes customers and employees. As an admin, I know firsthand what it's like when the systems grind to a halt under one of these things, when all that's left is to put something else on the front line to filter the traffic and wait it out (or request new address blocks all the way around). None of this takes place in a vacuum: when these things hit, we are always surrounded by The Suits who have no clue as to why we can't do anything more (or faster), constantly complaining of our inadequacies (we should have known better; we should have predicted it; we should have been better prepared; and so on).

Rosenthal & Rosenthal, LLC is a reseller under Wild West Domains, which in turn sells under GoDaddy. We don't have any of our clients hosted (web or email) with them, and it's quite frustrating when some people seem to equate registering a domain with hosting its DNS, and hosting its DNS with hosting the site. One particularly lame site (to which I will not provide a link, as such fools should wither on the vine - and quickly) was explaining that "all one had to do" to circumvent the outage was to sign up for DNS services at another provider and then "just log onto the current registrar and change delegation." Well, if the domain is registered through a site affected by GD's outage, the registrar's control panel is precisely the thing you can't reach, so that strategy isn't quite going to work...

The other idiotic "assumption" (with all that that en-tails) is that everyone who registers through GD is some sort of cheap, mindless idiot. Do the math: $10/yr registrations vs. $35-$50/yr at some other places, for exactly the same thing (nobody is totally immune to DDoS). Realize also where an outage like this actually bites. The registrar is only the channel through which you tell the registry which nameservers are authoritative for your domain; the resulting NS records are published in the TLD zone (.com, .net and so on), and resolvers never contact the registrar at all. So a domain registered through GD but served by nameservers elsewhere kept resolving throughout; what its owner lost was only the ability to change the delegation. Conversely, a domain whose authoritative nameservers were GD's was dead in the water no matter where it was registered or how much the hosting cost. In that situation a 486 running an old build of Slackware, connected to a dial-up ISP over a 33.6Kbps modem and running its own copy of BIND, would have served the zone better than the finest DNS and web hosting money can buy, simply because it was reachable.

At the top of every DNS "tree" is a set of NS records (a minimum of two) located at the domain's point of delegation. That point is the parent zone run by the registry (for a .com domain, the .com zone itself), not the registrar; the registrar merely submits your nameserver choices to the registry for publication there. These records tell the querying client (or downlevel resolver) who the authoritative nameservers are for the domain, and each of those nameservers should then have one SOA (Start of Authority) record at the apex of its zone file for the domain, along with NS records matching the ones at the point of delegation (otherwise, the whole setup would be a free-for-all).

The problem is that when the authoritative nameservers can't be reached, the delegation still points at them, and every record a resolver has cached lives only as long as its TTL. Once those entries expire, names in the domain can no longer be resolved to addresses, however healthy the registry and the registrar are.
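To make the delegation and caching points above concrete (and the "just change delegation" advice two paragraphs up), here is a toy iterative resolver. It is an added example, not code from the original post. It models the root, the registry's .com zone and two DNS hosts as in-memory servers; every name in it (a.root, a.gtld, ns1.dnshost, ns1.otherhost, panel.registrar, example.com) and all zone data are constructed. It shows three things: a lookup walks root, TLD, authoritative and never touches the registrar; once the authoritative host goes dark, cached answers survive only until their TTL runs out; and repointing the delegation goes through the registrar's panel, so with that panel down the change simply cannot be made.

```python
"""Toy iterative resolver (root -> TLD -> authoritative) with a TTL cache.

Added example for this post, not the author's code. All of it is constructed:
the zones, the server names (a.root, a.gtld, ns1.dnshost, ns1.otherhost,
panel.registrar) and example.com. "a.gtld" stands in for the registry-run .com
zone; "panel.registrar" can edit that zone but is never asked during a lookup.
"""
from collections import namedtuple

Record = namedtuple("Record", "name rtype rdata ttl")
TWO_DAYS = 172800  # typical TTL on a TLD delegation, in seconds


def encloses(zone, name):  # True if `name` is at or below `zone` ("" is the root)
    return zone == "" or name == zone or name.endswith("." + zone)


class Nameserver:
    """Authoritative for one or more zones; up=False models a flooded host."""
    def __init__(self, name, zones, up=True):
        self.name, self.zones, self.up = name, zones, up

    def query(self, qname, qtype):
        if not self.up:
            raise TimeoutError(self.name)
        for zone in sorted(self.zones, key=len, reverse=True):  # longest match wins
            if not encloses(zone, qname):
                continue
            recs = self.zones[zone]
            exact = [r for r in recs if r.name == qname and r.rtype == qtype]
            if exact:
                return "answer", exact
            # NS records owned by a name below the apex mark a zone cut: refer.
            cut = [r for r in recs if r.rtype == "NS" and r.name != zone
                   and encloses(r.name, qname)]
            return ("referral", cut) if cut else ("nxdomain", [])
        return "refused", []


class Resolver:  # caches final answers only; `clock` is injected so tests can advance time
    def __init__(self, roots, hosts, clock):
        self.roots, self.hosts, self.clock = roots, hosts, clock
        self.cache = {}       # (qname, qtype) -> (records, expiry time)
        self.contacted = []   # audit trail of every server asked

    def resolve(self, qname, qtype="A"):
        hit = self.cache.get((qname, qtype))
        if hit and hit[1] > self.clock():
            return hit[0]
        servers = self.roots
        for _ in range(8):                      # bound the referral chain
            for ns in servers:
                self.contacted.append(ns.name)
                try:
                    kind, recs = ns.query(qname, qtype)
                except TimeoutError:
                    continue                    # try the next server at this level
                if kind == "answer":
                    self.cache[(qname, qtype)] = (recs, self.clock() + min(r.ttl for r in recs))
                    return recs
                if kind == "referral":
                    servers = [self.hosts[r.rdata] for r in recs]
                    break
                return None                     # authoritative negative answer
            else:
                return None                     # every server at this level timed out


def apex_zone(ns):
    """SOA plus apex NS (which must match the delegation) and one host record."""
    return [Record("example.com", "SOA", f"{ns} hostmaster.example.com 1", 3600),
            Record("example.com", "NS", ns, 3600),
            Record("www.example.com", "A", "192.0.2.10", 300)]


def build_world():
    delegation = [Record("example.com", "NS", "ns1.dnshost", TWO_DAYS)]  # registry-published
    return {
        "a.root": Nameserver("a.root", {"": [Record("com", "NS", "a.gtld", TWO_DAYS)]}),
        "a.gtld": Nameserver("a.gtld", {"com": delegation}),
        "ns1.dnshost": Nameserver("ns1.dnshost", {"example.com": apex_zone("ns1.dnshost")}),
        "ns1.otherhost": Nameserver("ns1.otherhost", {"example.com": apex_zone("ns1.otherhost")}),
        "panel.registrar": Nameserver("panel.registrar", {}),  # never in the resolution chain
    }


def change_delegation(hosts, domain, new_ns):
    """The registrar is the only path to the registry: panel down, no change."""
    if not hosts["panel.registrar"].up:
        raise TimeoutError("registrar control panel unreachable; delegation unchanged")
    com = hosts["a.gtld"].zones["com"]
    com[:] = [r for r in com if not (r.name == domain and r.rtype == "NS")]
    com.append(Record(domain, "NS", new_ns, TWO_DAYS))


def outage_timeline(elapsed, registrar_up=False, repoint=False):
    """Warm the cache, take ns1.dnshost dark, advance `elapsed` seconds, ask again.
    Returns (first answer, second answer or None, servers contacted)."""
    now = [0]
    hosts = build_world()
    r = Resolver([hosts["a.root"]], hosts, lambda: now[0])
    first = r.resolve("www.example.com")[0].rdata
    hosts["ns1.dnshost"].up = False              # the authoritative host is flooded
    hosts["panel.registrar"].up = registrar_up   # irrelevant to lookups either way
    if repoint:
        change_delegation(hosts, "example.com", "ns1.otherhost")
    now[0] += elapsed
    second = r.resolve("www.example.com")
    return first, (second[0].rdata if second else None), r.contacted
```

With the 300-second TTL on the A record, `outage_timeline(299)` still returns the cached address after the host goes dark, while `outage_timeline(300)` returns no answer, and in both runs the contacted list holds only a.root, a.gtld and ns1.dnshost. `outage_timeline(300, registrar_up=True, repoint=True)` succeeds via ns1.otherhost, whereas the same call with the registrar down raises before the delegation can be touched. One simplification to keep in mind: this toy caches only final answers, while a real resolver also caches the TLD's NS referral for its own TTL (two days is typical for .com), so even a successful repoint can take that long to be seen everywhere.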

Enough tech talk; what about the attack itself?

Some lone attacker (who has received enough free publicity on the net) has claimed responsibility for taking down all of GoDaddy's servers. I find it rather irresponsible of the majority of the media to simply take the word of some "tweeter" about what is obviously a rather complicated feat to accomplish.

While launching a DDoS attack is in itself fairly simple, sustaining one against such a large, widespread organization is considerably more difficult.

Also, it stands to reason that an enterprise the size of GoDaddy would have been able to bring up alternative links and update DNS in much less time than it apparently took, unless a large group of attackers were monitoring and adjusting the attack as the defenders moved (and no, that's not something I can see programming easily into a botnet; it requires too much reasoning to stay on top of so many potential changes, and GoDaddy has a lot of admins; a lot of them).

Comments
  1. From what I’ve just read on Domain Name Wire, and backed up by what is on GoDaddy’s site, the issue was indeed internal and not due to some massive DDoS attack.
