back to article Trick not treat: 123 Reg down on Halloween, DNS borked by DDoS

Customers of 123 Reg suffered more tricks than treats this morning when a DDoS attack hobbled the registrar's services. Users were confronted by DNS lookup failures until early this afternoon, when 123 Reg said it managed to get the attack "contained" and services restored. Inevitably, the delay provoked customer gripes. .@ …

  1. Locky

    123Reg borked?

    When did El Reg start reporting non-news tech stories.

    Must do better

    1. Swarthy

      Re: 123Reg borked?

      Well, they do still report on Flash updates/vulnerabilities.

      Although they have stopped reporting Adobe Creative Cloud TITSUPs.

  2. Dan 55 Silver badge

    It's Monday

    123reg must be down.

  3. Destroy All Monsters Silver badge

    "asthmatic hamster with heaving shopping"

    ...shadowed by a vulture

    1. Anonymous Coward
      Anonymous Coward

      Re: "asthmatic hamster with heaving shopping"

      It wasn't an asthmatic hamster it was a gerbil with a slight cough, easy mistake though.

  4. No Quarter


    So was it the Internet fridges or the doorbells that did it this time?

    1. Mark 85

      Re: Fridges

      Rumor has it that the lightbulbs and toasters joined forces.

  5. Voland's right hand Silver badge

    Nothing 21st century about it

    The 20th century version used to be called smurf.

    I "fondly" remember how 1d10tz used to resolve disagreements on IRC by knocking each other out with that. Some academic class B networks used to offer up to 20000 times amplification factors over OC3s. Facing the result in an average ISP was like trying to stop the Niagara falls with basic plumbing tools.

    This is just more of the same - what goes around, comes around. We are now back to the point where an average script k1dd10t can knock nearly any service provider off the Internet. This is not new - we were there before in 1997-2000. We were there ~ 5+ years ago at the beginning of DNS amplification attacks. We will be there again later. It is the nature of the beast, pretending that what is happening is something that never happened before is simply disingenuous.

    1. Dabooka

      Re: Nothing 21st century about it

      Who's pretending it hasn't happened before, did I miss something?

      1. Destroy All Monsters Silver badge

        Re: Nothing 21st century about it

        Yeah but now it's all in JavaScript pretending to a kernel doing asynchronous I/O, so we have moved up the ladder of absurdity.

  6. wyatt

    Out of interest, how do you contain a DDoS attack?

    1. Locky

      Asking for a *cough* friend?

      1. wyatt

        My (Cough cough cough splutter) friend is very interested..!

    2. No Quarter

      Don't put it on the Internet. That'll stop it dead.

      1. NonSSL-Login

        Already IoT devices are looking to join Skynet...I mean Meshnet's, so that even without the internet they can communicate and bring down baby monitors that coughed at them the wrong way.

        SeriousLee though, meshnets for smart home devices appears to be the next big thing.

  7. Anonymous Coward
    Anonymous Coward

    to heck with 123Reg

    A better question is why was it so hard to join Battlefield 1 Operations most of the weekend.

  8. cyrus

    Our team mobilised immediately...

    "...and managed to contain the attack"

    I sense a massive amount of surprise in this statement.

  9. ForthIsNotDead


    I know nothing about ISPs so this is a genuine (probably naïve) question:

    Don't ISPs analyse their traffic in some way? I mean, is there not some analytics that goes "Hmmm this IP address is suddenly sending a metric fuck-ton of pings/http gets/DNS lookups per minute, which is not regular for this user. Looks like he's (probably unwittingly) contributing to a DDoS. Cut him off until he phones us"?

    Or is that illegal or something because it would mean inspecting the users data? If that's the case, just get GCHQ to do it.

    1. Will Godfrey Silver badge

      Re: Really?

      The problem is that each individual device isn't sending a lot of traffic. It's just that there a lot of them. Also they do underhand things like pretending to be their victim and asking for (say) and entire dns thngy

    2. kain preacher

      Re: Really?

      the can but the chose not to.

      Just one example.

      fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc).

      Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.

      1. Anonymous Coward
        Anonymous Coward

        Re: Really?

        Thanks I needed a good laugh to cheer me up, good luck using fail2ban to stop a DDOS attack.

        1. Spiz

          Re: Really?

          And whilst I would probably agree with you based on my limited knowledge of fail2ban, instead of being AC and also a condescending twat, would you like to point out some helpful information about the subject for the rest of us not blessed with your clearly god-like wisdom?

    3. Anonymous Coward
      Anonymous Coward

      Re: Really?

      A couple problems with that approach:

      * if the user was simply uploading something huge (maybe a first time backup of Google photos or something) you'd trip the cutoff.

      * the issue isn't one or two endpoints moving a metric fuck-ton of data, it's a metric fuck-ton of endpoints sending a moderate amount of data.

    4. Anonymous Coward
      Anonymous Coward

      Re: Really?

      You can analyse the traffic as much as you want, but if the sheer volume of traffic overwhelms the analytic capacity of your firewall or the backplane capacity of a switch or router anywhere in the path of the traffic you are hosed.

      You either need to increase the capacity at the perimeter of your network or play nicely with upstream providers to limit the traffic hitting your network. The problem with this is that however much capacity you put in, skiddies with access to botnets of compromised PCs or millions of shitty IoT devices can probably exceed it.

  10. Tatsky

    Why complain at 123-reg

    If you want to mitigate an issue with your DNS provider going titsup, then setup a secondary DNS with another supplier. ns.123-reg and ns2.123-reg may have borked, but you could have ns3 and ns4 with a different provider, in a different geolocation.

    It's all well and good using a provider, but you still need to take responsibility for your own "setup" and put in place some redundancy.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like