DNS provider NS1 hit with multi-faceted DDoS attacks

Early last week, DNS and traffic management provider NS1 was hit with a series of DDoS attacks that lasted several days, and managed to impact DNS delivery in the European, American and Asian region.

“Over the course of last week, we sustained dozens of large DDoS attacks, ranging in strategy from simple volumetric attacks, to complex direct DNS lookup attacks, to concentrated attacks against our upstream network providers and other vendors. These attacks are an escalation above and beyond a recently observed increase in malicious activity broadly targeting the DNS, CDN, and internet infrastructure industries,” Kris Beevers, the company’s CEO, explained in a blog post.

The chronology of the attacks reveals a series of adjustments to the company’s mitigation strategies.

The attackers, whose identity is so far unknown, definitely targeted NS1, and not one of its customers.

“This is clear for a number of reasons,” he says. “The attackers targeted not just our Managed DNS delivery network, but many other resources used by our platform and customers, including the hosting provider of our ns1.com website, the third party DNS and hosting providers of our system status website (our apologies and thanks to StatusPage.io, who handled the situation like pros), providers of core NS1 command-and-control systems used by our customers, and more.”

“In addition, patterns observed in the direct DNS attack traffic indicated the attacker had advanced knowledge of NS1’s customers, likely obtained by controlling compromised DNS resolvers operated by one or more ISPs, and was targeting the platform broadly, not attempting to bring down any individual customer.”

They haven’t received any demands for payment from the attackers, and the motive for the attack is unknown, but they have called in law enforcement to aid in the investigation.

They’ve implemented their own mitigation tools and techniques, but they also had help from anti-DDoS vendor Zenedge in alleviating the onslaught.

Beevers notes that the biggest impact came from malicious direct DNS query traffic that was made to look like legitimate DNS traffic.

Website and application operators can also do something to mitigate the risk posed by DDoS against the DNS infrastructure, he added, and advised them to deploy redundant authoritative DNS delivery networks for critical assets.

“If your domains use only simple, ‘static’, RFC compliant DNS records then you can rely on the long established approach for introducing DNS redundancy: zone transfer between providers to enable a master-slave topology,” he pointed out.

“If your websites and applications use advanced features like traffic management tools, then you may consider implementing automation to generate synchronized configurations across multiple providers, pushing changes to their APIs – we have several customers who take this approach. Alternatively, some providers can help you deploy multiple independent DNS delivery networks with a unified technology stack.”