XName.org down: largest DDoS they ever had
27th October 2006
Yesterday (October 26, 2006) I found that the nameservers for my blog (ns0.xname.org, ns1.xname.org) were not responding.
Today the following message appeared on xname.org:
XName currently DOWN
XName is temporarily closed since 08:00PM CEST yesterday evening. We were experiencing the largest DDoS we ever had on both ns0 and ns1 IP addresses, forcing our upstream providers to cut off XName servers in order to preserve their other customers.
We’re working hard in order to have at least one DNS server answering ASAP, and we already negotiated with a premium transit provider to host one of our DNS servers shortly.
Currently my blog is back online, available by its name, and not by IP.
But I am looking for other free NS-record hosting servers (xname-like). I would appreciate it if people commented with their experience of managing this problem. I temporarily allowed comments for anyone without registering (but with moderation).
Meanwhile there are two places for Russian-speaking folks to register secondary DNS: ns2.trifle.net, secondary.net.ua. Soon I’ll register secondaries there, leaving the primary on xname, which was a stable service up until yesterday’s DDoS attack.
update:
Update: Sat. 28. 12:00 – ns0 is up and running, serving all zones correctly
update 2:
Update: Mon. 30. 18:00 CEST – ns1 is up and running, reachable from Association Kazar’s network peers (ns1 IP is still blacklisted on upstream transits backbones)
update 3:
xname.org is back online, fully functional.
update 4:
See the List of free DNS services.
I’m staying with xname, though did add a couple of secondaries for better fault protection.
update 5:
See the comments to this post for new technical information about the DDoS attack, including IP addresses of the attackers and some packet statistics. Thanks Boris for the new information.
New attack: on the 14th of January, 2007, I got the following letter from the XName team:
DDoS attack on both DNS servers
Our both DNS servers IPs – ns0.xname.org and ns1.xname.org – are under heavy DDoS since 5PM CEST today.
Consequently, both of them are unreachable – except very intermittently.
We’re working with our transit providers to solve this ASAP.
Next day (2007-01-15), XName was up and running:
Resuming normal operations
Since 2AM CEST both ns0 and ns1 were answering correctly – many thanks to our transit providers for their help on this issue. The total outage of our service was 7 hours…
One more attack on the 1st of October 2007 (started on the 30th of September):
both ns0 and ns1 DNS servers are under DDoS attack since 10PM (gmt+2) yesterday (September, 30th), ns0 is unreachable since 6AM this morning (October, 1st: total saturation of our uplink).
ns1 is fine but was off 3 hours today (October, 1st), between 2PM and 5PM.
I wonder what kind of mentally sick person would attack a free service…
For any further X-Name attack updates and history, please refer to the comments below.
January 2nd, 2007 at 1:32
By the way, they flooded XName from a Russian ISP in Krasnoyarsk :/
January 2nd, 2007 at 12:44
Ргде об Ñтом Ñообщали? Я бы добавил Ñюда подробноÑти…
January 2nd, 2007 at 20:26
On a private IRC channel that I frequent, and the network administrator said:
Oct 27 06:14:29 xname : dead
Oct 27 06:15:09 DDoS since yesterday
Oct 27 06:15:20 as soon as we try to bring the NS back up we get DDoSed
Oct 27 06:16:21 UDP flood on port 53 of both NS
Oct 27 06:16:46 so clearly not filterable
Oct 27 06:17:01 from 10000 to 30000 different source IPs
Oct 27 06:32:55 well, on Wednesday we had a DDoS on xname using ICMP type 0
Oct 27 06:33:04 it lasted 1h and then it passed
Oct 27 06:33:05 now…
Oct 27 06:33:14 it must be some fucking shitty botnets
Oct 27 06:33:20 that are getting on our nerves
Oct 27 07:02:12 ok
Oct 27 07:02:13 one of the assholes bothering xname is: 213.148.160.20
20.160.148.213.in-addr.arpa domain name pointer dc.natm.ru.
Oct 27 07:02:32 340352 packets in 5 minutes
Oct 27 07:03:39 Xname is down because of DDoS since 19:00 yesterday evening
Oct 27 07:08:22 no, actually… I am also the admin of the kheops network that hosts kazar and xname
Oct 27 07:08:32 and these are the netflow traces
Oct 27 07:08:40 # bgpctl sh ip bgp as 16301
Oct 27 07:08:40 flags: * = Valid, > = Selected, I = via IBGP, A = Announced
Oct 27 07:08:40 origin: i = IGP, e = EGP, ? = Incomplete
Oct 27 07:08:40 flags destination gateway lpref med aspath origin
Oct 27 07:08:40 *> 84.242.192.0/18 213.163.173.46 100 0 20917 3257 25462 8997 16301 i
Oct 27 07:08:40 *> 213.148.160.0/19 213.163.173.46 100 0 20917 3257 25462 8997 16301 i
Oct 27 07:08:49 given that they have two subnets
Oct 27 07:09:00 I am going to refuse every announcement from AS16301
Oct 27 07:09:03 and we’ll see
Oct 27 11:29:45 vt: I have 30Mbps coming from these IPs: 211.226.22.39, 219.138.151.156, 124.101.96.180, 58.70.87.229, 61.208.120.76, 219.134.185.188, 193.255.70.128, 70.83.237.133
Oct 27 11:50:09 Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes pps bps Bpp Flows
Oct 27 11:50:09 2006-10-27 17:30:00.000 299.000 UDP 211.226.22.39:2344 -> 195.234.42.1:53 …… 0 590592 333.7 M 1975 8.9 M 592 4614
Oct 27 11:50:10 2006-10-27 17:30:00.000 299.000 UDP 219.138.151.156:36082 -> 195.234.42.1:53 .AP… 0 291200 165.8 M 973 4.4 M 597 2275
Traffic on the graph (my graph is on another computer – I’ll pass it to you): 680 Mbit/s
I sent an e-mail to the natm.ru admin and was told:
«
From: “Sergey Goncharov”
Subject: Re: DDoS na XName
Good afternoon, Vasily.
Yes, we are in
The source has already been localized.
We apologize for the inconvenience.
Best regards, Sergey Goncharov
Novgorod Datacom LLC, system administrator
»
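The flow records quoted in the comment above can be ranked per source to find the heaviest senders toward port 53; the following is an added example, not code from the post or its commenters. The rows are constructed (documentation addresses, same column layout), the function names are illustrative, and the 100 pps threshold is an assumed value.

```python
from collections import defaultdict

# Binary steps: with M = 2**20, Bytes / Packets reproduces the Bpp column of the quoted rows.
SCALE = {"K": 2**10, "M": 2**20, "G": 2**30}

# Constructed rows in the layout of the quoted flow records (RFC 5737 addresses).
SAMPLE = """\
Oct 27 11:50:09 2006-10-27 17:30:00.000 299.000 UDP 192.0.2.10:2344 -> 198.51.100.1:53 ...... 0 590592 333.7 M 1975 8.9 M 592 4614
Oct 27 11:50:10 2006-10-27 17:30:00.000 299.000 UDP 192.0.2.20:36082 -> 198.51.100.1:53 .AP... 0 291200 165.8 M 973 4.4 M 597 2275
2006-10-27 17:30:00.000 299.000 UDP 203.0.113.5:53211 -> 198.51.100.1:53 ...... 0 120 9000 0 240 75 60
2006-10-27 17:30:00.000 299.000 TCP 203.0.113.9:40000 -> 198.51.100.1:80 .AP.SF 0 900 1.1 M 3 30861 1281 12
"""

def read_numbers(tokens):
    """Fold 'value unit' pairs such as ['333.7', 'M'] into plain floats."""
    out = []
    for tok in tokens:
        if tok in SCALE and out:
            out[-1] *= SCALE[tok]
        else:
            out.append(float(tok))
    return out

def parse_flow(line):
    """Parse one aggregated flow row. Fields are located relative to '->',
    so a leading chat timestamp in front of the row does not matter."""
    parts = line.split()
    arrow = parts.index("->")
    duration, proto = float(parts[arrow - 3]), parts[arrow - 2]
    src_ip = parts[arrow - 1].rsplit(":", 1)[0]
    dst_port = int(parts[arrow + 1].rsplit(":", 1)[1])
    # parts[arrow + 2] is the flags field, parts[arrow + 3] is ToS; counters follow.
    packets, nbytes = read_numbers(parts[arrow + 4:])[:2]
    return src_ip, proto, dst_port, duration, packets, nbytes

def heavy_dns_sources(text, min_pps=100):
    """Rank sources sending UDP to port 53 at or above min_pps (assumed threshold)."""
    totals = defaultdict(lambda: [0.0, 0.0])  # packets, bytes per source
    window = 1.0  # seconds; longest flow duration seen, floored at 1 s
    for line in filter(None, map(str.strip, text.splitlines())):
        src, proto, port, dur, pkts, nbytes = parse_flow(line)
        if proto == "UDP" and port == 53:
            totals[src][0] += pkts
            totals[src][1] += nbytes
            window = max(window, dur)
    rows = [(s, int(p / window), int(b / p)) for s, (p, b) in totals.items() if p / window >= min_pps]
    return sorted(rows, key=lambda r: r[1], reverse=True)

print(heavy_dns_sources(SAMPLE))  # (source, packets per second, bytes per packet)
```

Each tuple gives the source, its packet rate over the capture window and its average packet size, so a handful of very loud senders stands out from ordinary resolver traffic.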
May 3rd, 2007 at 16:52
[...] Now, let’s move on to actual caching. The simplest and quite reliable method of identifying any object within your cache is md5(url) – that is, the hash of the request URL. Note, that you might want to hash not the complete URL (starting with http://), but only the part after the TLD’s slash, e.g. for complete URL http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html you would hash only the “xnameorg-down-largest-ddos-they-ever-had.html” part (or “2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html”, if the filename part of the path might be non-unique). Evidently, this will save you from generating cache both for “http://www.bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html” and for “http://bogdan.org.ua/2006/10/27/xnameorg-down-largest-ddos-they-ever-had.html” (differing only in “www.” part). [...]
October 1st, 2007 at 21:41
[...] Update: this is in fact XName-related problem: they are again under DDoS attack. [...]
October 9th, 2007 at 20:00
Possible new attack on XName servers – 9 October 2007
DNS resolution from ns0.xname.org was lost at 17:09 BST (16:09 GMT). ICMP was lost at 16:05 BST.
ns1.xname.org is still resolving although ICMP has been intermittent since 16:59 BST.
I have not received any information from XName. This is information I have gathered through my own monitoring.
HTH
Aidan
October 9th, 2007 at 23:33
Aidan,
thanks for sharing information. Did you check manually, or have some (semi-)automatic means for checking? I didn’t notice any problems, but that is because I was too busy to have a look at my sites for several days in a row.
I must say though, that I did get an email. Here it is:
I got this email on the 9th of October at 23:00 gmt+2 from the XName-Availability mailing list.
October 9th, 2007 at 23:55
I’m monitoring Ping responses from and DNS requests to ns0 and ns1 using Nagios. I started doing this following the outage on the 1st.
I’ve subscribed to the xname list but haven’t had my e-mail yet so thanks for confirming the problem.
regards,
Aidan
October 10th, 2007 at 22:03
May 25th, 2008 at 12:06
[...] XName is down again [...]
September 5th, 2010 at 9:27
it’s now down again