The Go Daddy Group Inc has been hit by a massive distributed denial of service attack that took down many of its customers’ websites and other services for several hours.
The company, the largest registrar of internet domain names and one of the largest web hosting providers, said it was the subject of large-scale, sophisticated attacks that lasted four to five hours.
Services hosted at one of the company’s data centers suffered sluggish or zero response times as a result. Its other data centers were unaffected.
GoDaddy chief information security officer Neil Warner told us that the attack was a SYN flood that targeted a particular under-protected service. We have agreed not to name the targeted service, at the request of GoDaddy.
Other services that are hosted at the targeted data center, including many customer websites, were also affected.
“This was a little different for us,” Warner said. “Usually when we see a DDoS, somebody’s mad at a particular hosting customer… We’re probably always under a DDoS attack of some kind.”
The attack started at 6.50am Arizona time, but it was clearly not, as some had speculated earlier in the day, a technical glitch caused by the unusually early switch to Daylight Saving Time in the US.
It’s not beyond the bounds of possibility that the attacker chose yesterday morning to attack because GoDaddy had been criticized in the media on Friday for its unclear position on patching its servers to the new DST schedule.
Under recent US energy legislation, the start of DST, when the clocks spring forward one hour, was pulled forward to the second Sunday in March (March 11 this year) rather than the first Sunday in April (April 1 this year).
GoDaddy is based in Arizona, a state unusual in that it does not observe the switch to DST.
Warner declined to speculate on the motive for the attack. His team is poring over packet captures to see if they can determine the source or motivation.
Dozens of bloggers and web forum posters complained yesterday that their websites had gone dark for one or more hours. Some claimed to be losing money due to the downtime.
According to Warner, the affected service was seeing 70,000 packets per second at the height of the attack. For comparison, that’s about 20,000 more packets per second than the SYN flood that took down The SCO Group’s website in 2003.
Ordinarily, the GoDaddy infrastructure would be able to handle such an attack, but the attacker appeared to have found a weak spot.
A SYN flood is a well-documented form of DDoS attack that exploits the three-way handshake used to set up a TCP/IP connection.
In a normal TCP handshake, the computer initiating a connection sends a SYN (synchronize) packet. The recipient replies with a SYN-ACK (synchronize-acknowledge), and the initiator completes the handshake with an ACK (acknowledge).
In a SYN flood, the attacker spoofs the source IP address of each SYN packet, so the victim’s SYN-ACKs go unanswered. Each unanswered SYN-ACK leaves a half-open connection that the victim must track until it times out, and tens of thousands of these bogus sessions tie up its resources.
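The half-open state the attack exploits is easy to see when a packet summary is replayed through a handshake tracker. The following is an added example, not GoDaddy’s tooling or data: it builds a constructed trace (three legitimate handshakes plus spoofed SYNs whose SYN-ACKs are never answered) against a hypothetical service address, replays it, and reports the kind of indicators an analyst poring over captures would look for. The `half_open_limit` threshold is an assumption.

```python
"""Half-open TCP handshake tracker for SYN-flood triage (added example)."""
import random
from collections import Counter

SERVER = "203.0.113.10:443"          # hypothetical protected service (assumed)


def build_sample_trace(spoofed=200, seed=1):
    """Constructed packet summary, not a real capture: three legitimate
    handshakes, then `spoofed` SYNs from distinct forged sources that
    never answer the SYN-ACK. Tuples are (time_s, src, dst, tcp_flags)."""
    rng = random.Random(seed)
    trace = []
    for i, client in enumerate(["198.51.100.7:5001", "198.51.100.8:5002",
                                "198.51.100.9:5003"]):
        t = i * 0.01
        trace += [(t, client, SERVER, "S"), (t + 0.001, SERVER, client, "SA"),
                  (t + 0.002, client, SERVER, "A")]
    for i in range(spoofed):
        # forged source: random address, unique port so no key collides
        client = f"192.0.2.{rng.randrange(1, 255)}:{1024 + i}"
        t = 0.1 + i * 0.002          # roughly 500 SYN/s, far below the 70,000 pps seen
        trace += [(t, client, SERVER, "S"), (t + 0.001, SERVER, client, "SA")]
    return sorted(trace)


def track_handshakes(trace):
    """Replay the trace and return {(client, server): handshake_state}."""
    state = {}
    for _, src, dst, flags in trace:
        if flags == "S":
            state[(src, dst)] = "SYN_RCVD"          # server queues a half-open entry
        elif flags == "SA" and state.get((dst, src)) == "SYN_RCVD":
            state[(dst, src)] = "SYN_ACK_SENT"      # waiting for the client's ACK
        elif flags == "A" and state.get((src, dst)) == "SYN_ACK_SENT":
            state[(src, dst)] = "ESTABLISHED"       # handshake completed
    return state


def syn_flood_indicators(trace, half_open_limit=100):
    """Summarise handshake states and SYN rate; flag a suspected flood when
    the half-open backlog exceeds `half_open_limit` (threshold is assumed)."""
    states = Counter(track_handshakes(trace).values())
    syn_times = [t for t, _, _, f in trace if f == "S"]
    span = (max(syn_times) - min(syn_times)) or 1.0
    half_open = states["SYN_RCVD"] + states["SYN_ACK_SENT"]
    return {"half_open": half_open, "established": states["ESTABLISHED"],
            "syn_per_sec": round(len(syn_times) / span),
            "distinct_sources": len({s for _, s, _, f in trace if f == "S"}),
            "flood_suspected": half_open > half_open_limit}
```

A large half-open backlog spread across many distinct sources with almost no completed handshakes is the signature described above; the same counters, taken per destination port, show which service is absorbing the flood.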
Warner said his security and network teams managed to contain the problem and put preventative measures in place to mitigate future attacks.