[UPDATE: 12:54AM Jan 08] The attack traffic is still coming in fairly heavily. We are working on a couple of avenues of adjusting our defenses.
[UPDATE: 2:33AM EST Jan 08] DNS1 is back online. DNS2 has been mostly online throughout most of this. We are now working on DNS3.
[UPDATE: 3:17AM Jan 08] We have rerouted dns3.easydns.CA and dns3.easydns.ORG to dns4.easydns.info for now. We will be bringing the main DNS3 anycasts back up Sunday during the day.
We think the worst is over for today’s DOS attack which hit us on dns1.easydns.com, dns2.easydns.net and dns3.easydns.org (and dns3.easydns.ca) anycast constellations.
The attack was a multi-faceted multi-gig combination of SYN, ICMP and DNS Flood.
DNS1 and DNS3 totally imploded. DNS1 is coming back in pieces, DNS3 is still down hard.
DNS2 went down when the attack first hit, but Prolexic was able to bring enough of it back up after 30 minutes or so to restore partial service.
We are working on bringing the rest of DNS1 up, and a workaround to route DNS3 traffic elsewhere until the attack traffic abates.
On that note, the target of the attack has been identified and has removed its nameserver delegation from us. Until about an hour ago there were still nameservers reporting our nameservers as the delegation for the target domain. Now that those are gone, we expect the attack traffic to drop.
I also by accident pulled our previous post on this subject back into draft mode, making it invisible on the blog, because I meant to revoke my (now seemingly idiotic) “Save the Elephants” post, which I hit publish on at almost the exact moment the attack started. Because it’s been that kind of a day.
This isn’t the post-mortem. I will post that later. Just wanted to update everybody with where we’re at.
There will be serious, structural changes here as a result of today. The worst DOS attack impact we’ve suffered since 2005.