Godaddy DDoS Attack

Published: 2012-09-10
Last Updated: 2012-09-10 21:39:54 UTC
by Johannes Ullrich (Version: 2)

15 comment(s)

Update: GoDaddy appears to be making some progress getting services back online. The web site is responding again. DNS queries still appear to be timing out, and logins to the site fail. (17:30 ET)

GoDaddy is currently experiencing a massive DDoS attack. "Anonymous" was quick to claim responsibility, but at this point, there has been no confirmation from GoDaddy. GoDaddy only stated via Twitter: "Status Alert: Hey, all. We're aware of the trouble people are having with our site. We're working on it."

The outage appears to affect the entire range of GoDaddy hosted services, including DNS, Websites and E-Mail. You may experience issues connecting to sites that use these services (for example our DShield.org domain is hosted with GoDaddy). 

At this point, I would expect GoDaddy to keep its users up to date via its Twitter feed (http://twitter.com/GoDaddy). I am not aware of a reachable network status page for GoDaddy.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute


Comments

FYI: This also affects ALL SSL certificate verification from GoDaddy, crippling a good portion of secure web pages at this time. -Al
posted by Al of Your Data Center, Mon Sep 10 2012, 19:53
Why would it? One of the beauties and faults of SSL verification is that when the CRL site is unavailable, the certificate is still accepted. We've got several EV certs with them and they are all still showing a green bar.

I would have expected the green bar to go away but it hasn't.

Do you have an example? Other than www.godaddy.com, of course. :-)
posted by JJ, Mon Sep 10 2012, 20:33
Yes that is true. Unavailable results in acceptance with warnings, but if the site answers slooooooowly and fragments the answer that will fail the lookup for quite some time. It seems GoDaddy is aware of this and prioritized, shut or failed over their SSL chain accept servers. Certificates were not working a short while ago. They are now. I do get validated chains when I test a CERT with OpenSSL so apparently that is now restored at least partially.
posted by Al of Your Data Center, Mon Sep 10 2012, 20:43
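
The soft-fail behaviour discussed in the two comments above, as an added example that is not part of the original diary or its comments. It models only the CRL fetch step; the local sockets standing in for the CRL host and the names `start_crl_host`, `dead_crl_url` and `check_revocation` are constructed for illustration.

```python
import socket, threading, time, urllib.request

def start_crl_host(delay):
    """Constructed local stand-in for a CRL host that answers after `delay` s."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                conn.recv(4096)                 # read the GET request
                time.sleep(delay)               # simulate an overloaded host
                conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 3\r\n\r\nCRL")
            except OSError:
                pass                            # client already gave up
            finally:
                conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return "http://127.0.0.1:%d/sample.crl" % srv.getsockname()[1]

def dead_crl_url():
    """URL on a local port with no listener: the connection is refused at once."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return "http://127.0.0.1:%d/sample.crl" % port

def check_revocation(url, timeout, hard_fail):
    """Return (accepted, status, seconds). Only the fetch is modelled; a real
    client would go on to parse the CRL and look up the certificate serial."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    start = time.monotonic()
    try:
        opener.open(url, timeout=timeout).read()
        status = "fetched"
    except OSError:                             # refused, reset or timed out
        status = "unavailable"
    elapsed = time.monotonic() - start
    return (status == "fetched" or not hard_fail), status, elapsed

if __name__ == "__main__":
    cases = {"healthy": start_crl_host(0), "down": dead_crl_url(), "slow": start_crl_host(3)}
    for name, url in cases.items():
        for hard in (False, True):
            ok, status, secs = check_revocation(url, timeout=0.5, hard_fail=hard)
            print(f"{name:8} hard_fail={hard!s:5} accepted={ok!s:5} {status:11} {secs:.2f}s")
```

A refused connection fails the fetch immediately, while a host that accepts the connection and then stalls holds every check for the full timeout before soft-fail accepts the certificate.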
I would hope that GoDaddy has already informed the FBI and/or other appropriate authorities.
posted by KBR, Mon Sep 10 2012, 21:27
It looks like GoDaddy is moving their own domain around to try and get something back up. For a while their NS record was at Verisign, now it's secureserver.net.
posted by Brad C, Mon Sep 10 2012, 22:48
We have our DNS hosted at GoDaddy. It appears to be back up now.
posted by Shawn, Mon Sep 10 2012, 23:24
FYI: GoDaddy's network status page is http://support.godaddy.com/system-alerts/
posted by pogue, Tue Sep 11 2012, 00:35
GoDaddy is back up and all, and thank you guys at the ISC for reporting this. In retrospect, would this have merited raising the Infocon to yellow? Assuming the media reports of "millions of sites" being impacted are true...
posted by Bill, Tue Sep 11 2012, 02:19
Was this just a DoS attack or likely an attack on the CRL/secure cert chain to access who knows what?
posted by nic, Tue Sep 11 2012, 07:13
What did GoDaddy do to deserve this? And why disturb all the users?
posted by carol, Tue Sep 11 2012, 12:32
In answer to "Bill" I would say that any time a major Domain/DNS host like GoDaddy is attacked it should go to yellow. The perps may have been few, but the effects were pretty significant for a lot of companies. And it was not just their corporate web sites either; their e-mail to and from the outside world was off-line too.
posted by KBR, Tue Sep 11 2012, 16:55
GoDaddy is claiming it was not DDoS.
posted by RMM, Tue Sep 11 2012, 17:36
According to GoDaddy, it was corrupted network routing tables.
posted by KevinT, Tue Sep 11 2012, 17:47
Here is a comment from GoDaddy.

Yesterday, GoDaddy.com and many of our customers experienced intermittent service outages starting shortly after 10 a.m. PDT. Service was fully restored by 4 p.m. PDT.
The service outage was not caused by external influences. It was not a “hack” and it was not a denial of service attack (DDoS). We have determined the service outage was due to a series of internal network events that corrupted router data tables. Once the issues were identified, we took corrective actions to restore services for our customers and GoDaddy.com. We have implemented measures to prevent this from occurring again.
At no time was any customer data at risk or were any of our systems compromised.
posted by pwobbe, Tue Sep 11 2012, 17:47
I further validate what pwobble said above.

I also wish to add that AnonymousOwn3r is a liar, and a fool. He earns NO points for his false claims.
posted by HackDefendr.com, Tue Sep 11 2012, 22:49
