Entries Tagged as 'Reviews'

DNSMadeEasy DDOS Attack

Information Technology , News , Reviews , Security , Server , Tools of the Trade 1 Comment »

Today, I received a letter from the President of DNSMadeEasy. I use their service, and have found it to be very powerful and far cheaper than their competitors. At first I was shocked to read they suffered a DDOS attack of the scale of 50GB/s. They have an illustrious 8-year 100% uptime record that is now marred. However, the letter I got was so refreshing and honest, I was amazed. See below (if this sort of thing interests you!).

*****

Dear DNS Made Easy Client,

On August 07, 2010 DNS Made Easy was the target of a large multi Gb/s attack against all of our name servers.   The attack started at 8:00 UTC and was fully mitigated by 14:00 UTC.  During this time period there were regional outages from some or all of our name servers.  Regional outages means that certain regions of the world were not able to resolve your DNS and other regions of the world were resolving normally.  When all name servers were not reachable a DNS query would have been lost, when some name servers were not reachable then DNS performance would have been slower than normal but still operational.

The regional downtime was in very small periods but it still did affect the overall resolution for all of our client's DNS.  It is for this reason that we are explaining the situation in full to all of our clients now.


1) How long were the DNS outages?
In some regions there were no issues, in other regions outages lasted a few minutes, while in other regions there were sporadic (up and down) outages for a couple of hours.  In Europe for instance there was never any downtime.  In Asia downtime continued longer than other regions. In the United States the west coast was hit much harder and experienced issues longer than the central and east coast.


2) Many clients have asked us if in fact there was downtime since they did not notice issues.
Many clients did not notice any DNS downtime.   In fact many clients would not have noticed this issue if we had not sent this email.  But we feel disclosure of this issue is something that we owe our client base. 
If you want to see if there is a significant loss of DNS queries you can quickly compare your daily queries from this Saturday to last Saturday in the DNS Made Easy control panel.  Overall query statistics comparing this Saturday's query load (minus attack traffic) to recent Saturdays' query loads shows that our servers properly responded to a query total this Saturday within a 2% difference from recent Saturdays.


3) Where did the attack come from?
We believe that the DDoS came from a botnet attack originating from Asia.  Most attack traffic originated in or transited through China.  The source IPs appear to be mostly spoofed but the vast majority are assigned by APNIC to Chinese Networks and Chinese ISPs.  Traffic levels reported to us by our bandwidth providers regarding their connections through which this traffic entered their networks also points to origins in Asia.


4) How large of an attack was this?
This attack hit levels that were so high that our Tier1 upstreams were suffering latency and network issues for other clients at many of their locations due to this attack.  This caused some of our Tier1 bandwidth providers to use their last resort response of null routing traffic to some of our IPs from some networks to prevent major service degradation to their core networks. 
Measuring the exact size of this attack is rather difficult.  However, discussions with our Tier1 bandwidth providers during the attack led to an estimate of 50 Gb/s in size.  This was based on reports of multiple 10Gb/s lines being saturated at multiple different providers in different geographic regions.
During our after-action discussions internally and with our providers after the attack was mitigated we analyzed all information available to us through monitoring systems and traffic reports and we revised our estimate of the attack size to be fluctuating between 20Gb/s and 40Gb/s during the attack.  We will never know the true size of this attack as we actively moved traffic around to different locations throughout the attack and IPs were temporarily null routed into and through various networks, and some traffic was blocked from provider to provider in response to the attack.
We do know that due to the service implication to the Tier1 providers, networking teams from China Netcom, China Telecom,  Level3, GlobalCrossing, Tiscali, and Arbinet were involved to stop the attacks.  Level3 and Arbinet both played special heroic roles in facilitating that the correct people were involved from all networks to make sure that the attack was stopped as quickly as possible.


5) How was this attack stopped?
Fighting attacks of this magnitude is very complex and a full answer involves much information that we do not want these criminals to know.  What we can say is that we used a combination of routing techniques, DDoS mitigation tools, customized firewalls, and high level inter-provider negotiations.
China Netcom and China Telecom had to null route the name servers from their networks in order for the attack to not impact other traffic they had going to the United States. 


6) Will an SLA credit be issued?
Yes it will be.  With thousands of paying companies we obviously do not want every organization to submit an SLA form.  Even though not all clients noticed the attack, we plan on issuing an SLA to every single paying DNS account.
You will be receiving an email about the SLA credit to your account in the next few days. 


7) Does this affect your 100% uptime history?
Yes, any service outage would result in loss of uptime.  We had a history leading uptime of over 8 years of 100% uptime.  With a calculated two hour outage (which is probably longer than we were actually down for anyone) this DDOS attack put our overall uptime history at a calculated 99.9999%.  This is still an excellent uptime history.


8) What would it take to get your 100% uptime history back?
That is mathematically impossible.  But we can work on increasing our 99.9999% uptime history and we will work hard on building another run of more than 8 years of 100% uptime.  We are confident that we can do it and we look forward to the challenge.


9) Would another DNS provider have been able to stop this attack?
We are sure that our competitors will claim that the answer is yes.  In fact we have been called by several of our competitors with very amusing phone calls during and after the attack asking us to update our website to say that we no longer have a 100% uptime history (which we have started and will complete soon).  This was a very large attack, so we do not believe that other DNS services could have stopped it either.  If any of our customers are considering leaving our services based on this issue, then we would recommend highly that you request a detailed report for how any new potential DNS provider would deal with an attack of this magnitude.  Please note that this was our first issue of downtime over our 8+ years of providing enterprise managed DNS services.


10) What is the next step?
At this time all DNS resolution is functioning as intended from all of our global locations.
In our 8+ year history, we have had numerous attacks against our services.  Historically we have been able to mitigate these attacks without any service degradation. One thing we have always taken away from every attack is a deeper understanding of what we need to do to make our network and services stronger and more reliable.
This DDoS attack against us was different from others in that the size was massive enough that our standard mitigation strategies were not sufficient to prevent several network nodes from being flooded.  We now have a deeper understanding of what happened during the attack and have started planning network upgrades and mitigation strategies to help fight these criminals in the future.  It is, and always has been, our commitment to make the DNS Made Easy network the strongest and most reliable DNS network in the world.


11) Can I pay more for a higher level of service with DNS Made Easy?
We believe that we provide more service per dollar than any competitor in the DNS industry.  This is why we have the best ROI in the industry.  We do not do this by cutting networking cost.   As many of you are aware DNS Made Easy feels we can cut costs by eliminating a lot of the sales (including commissions), presales, and unnecessary marketing expenditures.
Everyone at DNS Made Easy feels that our network is as strong as or stronger than any competitor in the United States and Europe and you can verify this with speed tests and our highest industry uptime.   As all DNS Made Easy customers know, as our customer base grows, so does our network.  This is how we can continually keep adding to our network and always remain a fraction of the price of our competition.
You will hear more from our network team as we plan on adding additional precautions to keep everything running smoothly during attacks in the future.


One thing that I want to say is that we sincerely apologize that this happened to your DNS service.  We understand that hundreds of thousands of domains rely on our DNS services each day to keep their businesses running smoothly.  This is not something that we treat lightly and this is not something that we are going to just let slip away.  We have already started to plan on building a network to focus on preventing attacks like this from causing any service disruption in the future.
Everyone here at DNS Made Easy would like to thank you for your continued loyalty and kind words during this time.  We can easily say the DNS Made Easy customers are the best in the business.

Questions, comments, concerns?

Please let us know.  I personally will be answering as many tickets and questions as possible in the following weeks.  Our full DNS Made Easy staff is dedicated to answering your questions and easing any concerns that you have.

Regards,
-Steven Job
President and Founder of DNS Made Easy


Example of a Bad ColdFusion Outsourcing Firm

ColdFusion , Reviews 33 Comments »

Etisbew is an outsourcing/offshoring firm. They state: "Etisbew Technology Group, a global software solutions provider headquartered in Kentucky, USA having state of the art offshore development center in India provides high quality and cost effective solutions. We have built an impeccable reputation for providing professional software solutions that are delivered on time and within budgets." They go on to state: "We also have team of professionals who are specially trained and certified in ISO Quality Management Standards and successfully participated in our Internal Auditings under the leadership of NQA Certified Lead Auditors. We do have an Internal Auditor Certified Project Managers." and "All our methodologies conform to these standards and we ensure the stringent testing process for delivering the best output to our clients."

They have a special section of their site dedicated to ColdFusion. http://cf.etisbew.com/home.cfm?file=index.htm

Can anyone see a problem? Yes, if you change index.htm to index.html in the URL, you get a nice CF error.

Would you trust your ColdFusion code to such a firm? An ISO 9001 certification is worthless if you can't do the basics. This is of course excluding the fact that they still show the old CF logo and list CF8 on there. Sigh. When will these firms "get it"?

 


NGINX HTTP Web Server – Take CF to the Next Level

Adobe , ColdFusion , News , Reviews , Server 9 Comments »

As you guys may or may not know, there has been a lot of improvement in the web sphere in terms of performance tweaking and security. A lot of people have realized that it's just not a good idea to have your web server be the first point of contact (after the firewall). That's right. Your web server should NOT be serving the web. Sounds counterintuitive, right?

Well, allow me to explain. Web servers like IIS and Apache, as an example, have gotten too heavy and cumbersome. Ok, well – some of you guys are hard core fans of both servers. But they don't scale very well. That is why you see people moving to lighter weight web servers like Resin (and many others), or to specially built high performance web servers like Lighttpd.

What's needed is a server that can do a couple of things:

  • Handle traffic issues like the infamous C10K problem.
  • Reverse Proxy to my actual web server (or cluster). It should be the only thing touching my web server.
  • Work under minimal resources. I don't want to spend $$$.

In fact, here is the official description: "Nginx is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Written by Igor Sysoev in 2005, Nginx now hosts nearly 6% (13M) of all domains worldwide. Nginx is known for its high performance, stability, rich feature set, simple configuration, and low resource consumption. Nginx is one of a handful of servers written to address the C10K problem. Unlike traditional servers, Nginx doesn't rely on threads to handle requests. Instead it uses a much more scalable event-driven (asynchronous) architecture. This architecture uses small, but most importantly, predictable amounts of memory under load. Even if you don't expect to handle thousands of simultaneous requests, you can still benefit from Nginx's high-performance and small memory footprint. Nginx scales in all directions: from the smallest VPS all the way up to clusters of servers. Nginx powers several high-visibility sites, such as WordPress, Hulu, Github, Ohloh, SourceForge and TorrentReactor."

This solves a couple of issues. One being that your web server isn't directly hit by outside traffic. Traffic goes from the firewall to this server, which can then do a couple of things. It can scrutinize the request, do re-writing, caching, handle sending files, block bad requests, etc. All those things you didn't want your primary web server to do!

That's where NGINX comes in. NGINX currently handles 6% of all sites on the net. It's the web server you never heard of, and you better get to know. People building high performance sites in Ruby on Rails have started to use NGINX to boost performance. For more details, see http://www.modrails.com/. Yes, they are overcoming those infamous RoR hurdles with free and easy solutions! So should you!
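A front-end configuration of the kind described above, as an added example (not from the original post or from the nginx project): it rate-limits clients, blocks a sensitive path, serves static files itself, caches what the backend allows, and swaps backend error pages (such as the raw CF error mentioned in the outsourcing post on this page) for a static one. The backend address 127.0.0.1:8500, the host name, the file paths and the rate numbers are assumptions.

```nginx
# Added example: nginx as the only public entry point for a ColdFusion backend.
# Assumed values: backend 127.0.0.1:8500, www.example.com, /var/www/*, rate limits.
worker_processes auto;
events { worker_connections 4096; }

http {
    # Per-client request budget, tracked by source address.
    limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;
    # On-disk cache; with no proxy_cache_valid set, only responses whose own
    # Cache-Control / Expires headers permit caching are stored.
    proxy_cache_path /var/cache/nginx/cf levels=1:2 keys_zone=cfcache:20m
                     max_size=1g inactive=30m;

    upstream coldfusion {
        server 127.0.0.1:8500;   # backend bound to loopback, unreachable from outside
        keepalive 16;
    }

    server {
        listen 80;
        server_name www.example.com;
        server_tokens off;           # do not advertise the nginx version
        client_max_body_size 2m;     # refuse oversized bodies before they reach CF

        # Block bad requests: the ColdFusion Administrator is never served publicly.
        location ^~ /CFIDE/administrator { return 404; }

        # Handle sending files: static assets come from disk, not the app server.
        location ~* \.(css|js|png|jpg|gif|ico)$ {
            root /var/www/site;
            expires 7d;
        }

        location / {
            limit_req zone=perip burst=20 nodelay;
            proxy_pass http://coldfusion;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_cache cfcache;
            # Replace backend error pages (stack traces, template paths) with a static page.
            proxy_intercept_errors on;
            error_page 500 502 503 504 /50x.html;
        }

        location = /50x.html { root /var/www/errors; internal; }
    }
}
```

Run `nginx -t` against the file before reloading; it checks syntax and that the referenced paths can be opened.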

There are a couple of things you need to know.

  1. One, if you are running Windows, NGINX doesn't explicitly support Windows services. But fear no more, the first and only resource for setting up NGINX on Windows as a service comes from a fellow CF developer! And it works like a charm. Read more @ http://misterdai.wordpress.com/2009/10/16/nginx-windows-service/.
  2. Second, NGINX runs a site like Wordpress. That's right, check the Wordpress.com HTTP Response Headers. Or see this site! That's right, my blog! If you need to sell making this change to management, then that should get you started on the right foot.
  3. NGINX was developed originally for some Russian sites, and most documentation is in Russian. However, there is a new Wiki with tons of docs and an active forum in English. NGINX is being actively developed. More info @ http://wiki.nginx.org/Main.
  4. For some more details on using NGINX with ColdFusion, see this blog post @ http://coldfusion.tcs.de/nginx-and-coldfusion-using-nginx-as-a-reverse-proxy-for-more-performance.

Basically, my job is to get your minds whirling again. No, ColdFusion is NOT dead; it's just that we as a community need to step up and take it to the next level. Imagine if MySpace had been built with ColdFusion, and instead of adding servers upon servers and including .NET, they had this option? Do you currently have load issues? What can NGINX do for you?

For more details go to:

People have been using NGINX in front of their mail servers (like Exchange), and for all sorts of other purposes. I'm investigating NGINX, Varnish, and other Web Application Firewalls to formulate what could become an awesome front-end for ColdFusion!


VPS Hacked – Need Recommendations

ColdFusion , Reviews 32 Comments »

I've been using the folks at kickassvps.com for a while now. However, I found that my VPS was unreliable at times, and my blog would regularly go down.

Last night I logged in to discover that mysterious software was installed on my server. I've been hacked! The problem with the VPS, as is common in virtualization, is that companies tend to neglect patching these systems.

I tried to use the live support feature on the host's website, didn't work! I opened a ticket, and got a response when I woke up the next morning, asking me questions on what to do!

Ummm… so I've made the decision to move my blog to another provider. Any recommendations? I'm running Windows 2003 w/ CF8.


Gartner Analyst Praises ColdFusion

Adobe , ColdFusion , Reviews , Server No Comments »

Those who know me know that I don't particularly care for Gartner. This is one of the few times they got it right.

Favorite quote: "ColdFusion provides a potential wrapper around the complexity of Java, providing Web developers access to the power of the Java platform via the productivity of a fourth-generation language (4GL)."

Read more @ http://www.webbschofield.com/index.cfm/2009/5/14/Analysts-at-Gartner-Praise-CF.
