NS1, a major DNS and traffic management provider that’s serving companies such as Imgur, Yelp, and MaxCDN, has revealed this week that it’s been facing an attack that started last week on May 16.
The company says the attack started small in the beginning, but as time passed, has grown in intensity and also varied the methods through which it bombarded the service’s infrastructure.
NS1 faces massive and persistent DDoS multi-vector attack
In athis past Monday, NS1’s CEO Kris Beevers reveals the company has faced over a dozen of DDoS attacks in the last few months, most of 20-30 Gbps, above the normal average, and blasting over 10-20 million packets per second. Beevers says that, most of the time, attacks were repelled without any downtime to its customers.
However, during the past week, things were very different, with attackers combining different tactics such as high volume DDoS traffic, malicious direct DNS queries, random label attacks, and malformed packet attacks.
Beevers’ revelation fits in the discoveries of a Neustar report that pointed out that DDoS attackers arein order to defeat classic DDoS mitigation solutions.
Neustar’s assessment was correct because NS1 admitted to being overwhelmed, which affected some of its customers in the first two days. Furthermore, the attack’s target also shifted very rapidly across NS1’s infrastructure, moving from servers in Asia to the US, and then to Europe, where most of the malicious traffic landed.
The attackers targeted all of NS1’s infrastructure
The attack targeted the company’s Managed DNS delivery network, NS1’s official website, the system status report website, and third-party services integrated into NS1’s customer command-and-control systems.
After dealing with this attack for over a week, the company’s CEO says that it’s clear that these action didn’t target any of its customers but were intentionally aimed at NS1 as a whole.
“Patterns observed in the direct DNS attack traffic indicated the attacker had advanced knowledge of NS1’s customers, likely obtained by controlling compromised DNS resolvers operated by one or more ISPs, and was targeting the platform broadly, not attempting to bring down any individual customer,” Beevers explained.
Currently, the company does not have any clues as to who may be behind this situation and says the attack is raging strong. By going public this Monday, the company also wanted to reassure customers that it implemented better DDoS mitigation solutions and that even if it recorded some downtime in the first days of the attack, they deflected most of the subsequent garbage traffic.