Analysis: Attack Cripples EditDNS, Underscores DDoS Danger In Cloud
The provider sent out an e-mail to customers late yesterday detailing the crippling effects. The attack was waged against the provider over the course of the past several days.
EditDNS' e-mail is blunt about the impact the DDoS attack had:
"As this attack was very big, it was a huge blow to the EditDNS project. It was very time-consuming and very expensive to filter out the attack, pay for bandwidth overages, and add new equipment/servers."
Repercussions from the attack linger. EditDNS still has two out of five nameservers down. The attack consumed so much time and expense that EditDNS has now been forced to change its business model. Ninety-eight percent of its customers use the free DNS hosting option, and many of these customers have business-oriented Web sites. EditDNS is opting to only offer "vanilla" DNS for free, meaning no advanced features like URL forwarding or mail forwarding, something that customers using the free service were able to take advantage of.
EditDNS is attempting to keep basic DNS hosting service free for the private, non-business home user, while any business users would have to use the subscription-based service.
So not only has EditDNS had to invest in battling the DDoS attack; the provider also stands to lose customers who may be disgruntled about the service changes.
DDoS attacks are infamous for being hard to defend against. It has been estimated that some botnets have a jaw-dropping 2 million bots within them. It's small wonder that YouTube, Twitter, Google, LiveJournal and Facebook have all buckled under the massive number of requests from botnets flooding their networks. Twitter, in particular, seemed to be the least prepared and most affected by last month's massive attack.
DDoS attacks are cyber-tsunamis with the potential to wreak economic havoc as more and more businesses become dependent on cloud-based services. So why does it seem as though security vendors are not addressing DDoS enough? Most security vendors have stated the best protection against DDoS is ensuring that a PC is up-to-date with security software and patches; this protects that PC from becoming a "zombie" accomplice to the botnets perpetrating these kinds of attacks.
Is that enough, though? When you have platforms like Twitter or EditDNS, which are used by millions of users on millions of PCs worldwide, is it at all reasonable to expect any facet of security to be in large part the responsibility of the end user? Yes, users can be encouraged and pleaded with, but there simply isn't much in the way of controlling what users do with their personal machines.
Vendors like Cisco have led the way in developing architecture in Cisco switches to fight not only DoS but DDoS attacks. However, if you look for dedicated appliances to battle DDoS, you would be hard-pressed to find any beyond devices offered by vendor RioRey.
As we continue the evolution from a localized computing society to a cloud computing one, it becomes pertinent, especially for businesses using cloud services, to ask providers to outline their defenses and mitigation strategies in the wake of a DDoS hit. Perhaps even demand that strategy be detailed in a contract. EditDNS' scramble to regain footing is unfortunate, but it may be a good lesson for the rest of us.