On Monday we had our first experience with a Distributed Denial of Service attack (DDOS). In our case, our name server came under attack. Wikipedia describes a DDOS in the following manner…
“A distributed denial-of-service (DDoS) attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Such an attack is often the result of multiple compromised systems (for example a botnet) flooding the targeted system with traffic. When a server is overloaded with connections, new connections can no longer be accepted. The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. This after all will end up completely crashing a website for periods of time…”
In our case it wasn’t that our website was singled out, it was our name server which host many websites came under attack. Below is the message we received as the attack was underway.
“[Account www.ccra.us affected] : Server #44 is under the DDOS attack (IP Nullrouted)
We have just received a HUGE (over 3GB/s incoming traffic) DDoS attack targeting Server #44 name servers. Our CISCO guard firewall was unable to handle such attack, so our name server IP addresses were disabled. As soon as the attack will subside, your website will start working again. We apologize for any inconvenience caused and thank you for your patience.”
The CCRA.US was down most of the day but in the following days we were back up as normal. So if in the future you find the website down, it may be due to a DDOS.