Major DNS provider NS1 has acknowledged a string of DDoS attacks from an unknown assailant. CEO Kris Beevers has detailed the “rare degree of sophistication and scale” exhibited by a “determined attacker” in a carefully planned assault that took place in the early hours of Monday, May 16.
This sustained series of attacks utilized a variety of techniques, and caused outages for some on NS1’s customers, according to a blog post published by Beevers. However, the company believes that it was the intended target, rather than any of the groups or individuals that make use of its services.
That raises a question. Why? A sophisticated attack usually has a goal, but targeting NS1 itself doesn’t specifically damage any organization aside from the DNS company. And it’s hard to see why an attacker would hold a grudge against it.
DNS servers contain the names and IP addresses of websites. When your web browser tries to access a site, it contacts a DNS server to make the connection — that server completes the request if possible, and otherwise it passes the request along the hierarchy toward another that can.
DDoS attacks on a server could result in outages and increased loading times for individual sites that use its services. NS1’s list of clients includes high-profile, high-traffic outlets like Imgur.
Of course, NS1 is always subject to some amount of attacks, so the company is well-versed in the best methods to respond to such situations and protect their interests. Whereas attacks often measure less than 10 Gbps, the worst parts of last week reached volumes between 30 and 50 Gbps, according to a report from Ars Technica.
These attacks came in the form of programatically generated DNS lookup requests sent to NS1’s name servers, reaching highs of 60-70 million packets submitted per second. While these requests appeared to be legitimate, they referred to host names that don’t exist.
NS1 is already working on reinforcing its defenses, and is currently carrying out an in-depth analysis of these attacks. The company is advising nervous customers to consider deploying redundant authoritative DNS delivery networks, as there’s a diminished chance that both servers would be affected concurrently.