dns-poisoning

It has been an intense week in terms of security. First there was the announcement of the GHOST vulnerability. This issue was tackled within hours of the announcement, as reported in our previous blog post – The GHOST Vulnerability – Questions & Answers.

Later the same day we noticed that a couple of our shared hosting servers were experiencing extraordinarily high traffic. After further review of the server logs, it turned out to be a network attack originating from multiple networks across the globe. The servers were placed behind a mitigation device to ensure that incoming traffic is filtered and only legitimate requests reach the server.

[Graphic: rate of established connections to one of the affected servers]

As you can see from the above graphic, the number of established connections to one of the affected servers increased significantly on Wednesday at about 10:00am. However, as the mitigation device is only a temporary solution, our system administrators and security specialists looked further and found that a large share of the attack requests were being answered with a 403 status code. The paths of those requests were also quite telling, as the most common ones began with “/announce”.

Almost all of the invalid requests were coming from China, which was a clear sign that this might be the effect of global DNS poisoning or a direct DDoS attack. Usually the simplest way to deal with such situations is to deny access to all IPs from China. However, as a customer-oriented company, such a step is simply not acceptable to us. To fix the issue we blocked all “/announce” requests on all of our servers, and the issue has now been resolved for good.
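To make the two observations above concrete (a flood of 403 responses whose paths begin with “/announce”, and the resulting path-based block), here is a small added example that is not part of the original post and not our production tooling. It parses a few constructed access-log lines in the common Apache/nginx combined format (addresses from the RFC 5737 documentation ranges, invented user agents), reports how many requests hit “/announce” paths and how many of those were answered 403, and applies the same “drop anything starting with /announce” rule described in the post:

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format). These are not
# real traffic from the incident; addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Jan/2015:10:02:11 +0000] "GET /announce?info_hash=%AA%BB&peer_id=-XX0001-abc HTTP/1.1" 403 199 "-" "Transmission/2.84"
203.0.113.11 - - [28/Jan/2015:10:02:12 +0000] "GET /announce.php?info_hash=%CC%DD HTTP/1.1" 403 199 "-" "uTorrent/3.4"
198.51.100.7 - - [28/Jan/2015:10:02:13 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [28/Jan/2015:10:02:14 +0000] "GET /announce?info_hash=%EE%FF HTTP/1.1" 403 199 "-" "Transmission/2.84"
198.51.100.8 - - [28/Jan/2015:10:02:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.13 - - [28/Jan/2015:10:02:16 +0000] "GET /scrape?info_hash=%11%22 HTTP/1.1" 403 199 "-" "qBittorrent/3.1"
"""

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_log(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def is_tracker_announce(path):
    """The rule from the post: any request path that begins with /announce."""
    return path.startswith("/announce")


def announce_stats(entries):
    """Summarise how much of the traffic is /announce noise and how it was answered."""
    announce = [e for e in entries if is_tracker_announce(e["path"])]
    return {
        "total": len(entries),
        "announce": len(announce),
        "announce_403": sum(1 for e in announce if e["status"] == 403),
        "by_ip": Counter(e["ip"] for e in announce),
        "by_ua": Counter(e["ua"] for e in announce),
    }


def drop_announce(entries):
    """Apply the block: keep only requests that would still reach the web server."""
    return [e for e in entries if not is_tracker_announce(e["path"])]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    stats = announce_stats(parsed)
    print(f"{stats['announce']} of {stats['total']} requests hit /announce, "
          f"{stats['announce_403']} of them answered 403")
    print("top sources:", stats["by_ip"].most_common(3))
    print("top clients:", stats["by_ua"].most_common(3))
    print(f"{len(drop_announce(parsed))} requests remain after the /announce block")
```

Two things worth noting from the sample run: the requests are all from BitTorrent-style clients asking for tracker endpoints, which is exactly what misdirected tracker traffic looks like on a web server that is not a tracker, and the `/scrape` line is left untouched because the rule as stated in the post matches only `/announce`. If the same user agents keep arriving on other tracker-style paths, the `by_ua` counter is the quickest way to see it.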

In the past couple of days there have been various rumors that the issue was caused by a misconfiguration of the Great Firewall of China. However, there are also reports that these blackouts were actually caused by an attack on the Domain Name System (DNS) in China, as reported by DNSPod in their official tweet.

Currently the issue has been resolved for all of our clients. Unfortunately such global network attacks cannot be predicted, and when they occur it takes some time and effort to find the best fix for them. However, we are constantly monitoring all of our servers, and such issues cannot go under the radar of our security specialists.

Here are more resources reporting the issue:

Forbes – http://goo.gl/L7mTE7
Sucuri – http://goo.gl/ShphJe