DDOS Attack Post Analysis and Introspection

There is a saying, “hindsight is 20/20”. We experience that quite a bit here at Name.com. We do a bit of armchair quarterbacking from time to time as well. Analogies aside though, we do our best to reflect and learn from any situation where it makes sense to do so. Such is the case with the recent DDOS attack that we experienced. It can be a double-edged sword to be transparent about things, but transparency is something we value a lot at our little company. It’s an important trait that we’ve learned to value as individuals as well. So when an entity attacked us with a massive DDOS attack, attempted to extort us, and continued to attack us because we did not give in to the extortion, we decided to open up and let our customers know exactly what transpired. Even so, there seems to be quite a bit of misunderstanding and confusion about what really happened and how we handled the situation. We hope to clear the air through this post. We’re listening.

When a DDOS attack begins, a series of events immediately starts to happen. First, our system administrators and other individuals are alerted so that they can begin to deal with the situation. Their first priority is to figure out exactly what is going on so that they know how to proceed. Each attack is usually different in both technique and in what is being attacked. Their second priority is to do whatever it takes to keep both our customers’ and our domain names alive and responding.

DDOS attacks are part of the landscape that we deal with every day. Most attacks are mitigated quickly without any disruption. The risk of us requesting you to transfer your domain name due to a DDOS attack is incredibly slim – it’s happened once in our 9 year history. The scale of this attack was on a whole other level. Our infrastructure is redundant, distributed, and hosted with some of the highest end service providers that exist. Not all DDOS attacks are created equal, however. To put the size of last week’s attack in perspective for you, it was massive enough that our rather substantial upstream providers commented on its enormity as they were working with us on mitigation techniques during the time of the attack. This DDOS attack was the largest we’ve ever seen. It was a massive flood of traffic from subnets located in China specifically designed to take down our website and name servers by using more bandwidth than our network could handle. Our upstream service providers’ networks were close to being saturated. That’s a lot of packets! So many packets that information stops flowing on parts of the Internet. Overall, our DDOS mitigation techniques worked well and customers’ websites were not affected. In reflecting on our response to this incident, that’s something we’re proud of. However, our homepage and the ability for users to log in and manage their domains were severely hindered.

When we received the demand to take down the domain name boxun.com and hand it over to the attackers we were also knee deep in dealing with the attack. When putting out a fire it’s never easy to think 100% clearly about what you should do versus what you need to do in order to make it out alive. Again, the number one priority was to keep our customers’ 1.5 million domain names functional, manageable, and accessible. Before taking any action regarding the domain we first contacted the registrant to notify him of the situation and to inform him of our plan of action.

Given all the balls in the air (or the packets in the pipe), at this point all we knew was that it was a Chinese site registered with us. In hindsight we realized that like all individuals, each domain is unique and therefore each attack requires a specific response.  Boxun.com contains important information that is pertinent to our times. This DDOS attack both reawakened and reinforced our understanding that free speech and basic human rights can still be squelched with force, even if that force feels abstract. We did not dig deep enough, early enough, to discover the type of content this domain contained. Our actions may not have changed, but we certainly feel this was an oversight on our part.

Rather than handing the domain over to the attackers, which we never considered, we felt the best course of action was to ask the registrant to move boxun.com to another registrar. We’d like to note that the domain was not using our name servers nor our hosting services.  Name.com was simply the registrar for the domain. The attackers targeted our infrastructure as a way of trying to get us to hand the domain over to them.

We’ve kicked around and discussed many of the hard questions internally. If we had known the content of the domain initially would we have taken a different stand? If so, for how long? Does it make sense to put this domain above others? If many or all of our customers were affected by this, what would have been their response? We don’t think there is a straightforward answer.

The most important thing to consider here is how we do things moving forward. We value the freedom to communicate opinions and ideas. We sincerely wish the best for boxun.com and hope that one day soon everyone’s voice can be heard without the threat of being silenced. We feel the best thing we can do is be honest and continue to be transparent.

Sincerely, the Name.com team: Bill Mushkin, Bo Bergstrom, Paul Carter, Owen Borseth, Dave McBreen, Ashley Forker, Jared Ewy, Patrick Moroney, Patrick Ramsey, Henrik Kronstrom, Chani Elmont, Shannon Mitchell, Shannon Brown, Melissa Dafni, Scott McBreen, Scott Barstow, Sherri Botterbusch, Sky Diegel, Chris Gaston, Erika Flores, Jeremiah Stanley, Ryan Kneer, John Rupp, Cedar Diegel, Caroline Temple, Nic Steinbach.


  • http://www.facebook.com/dannypryor Daniel Thomas Pryor

    Thank you for your candor, and thank you for bringing to light what represents, to me, a very real threat to our IP infrastructure in the US and elsewhere. We’ve been through the days of amazingly virulent computer viruses, and now the DDoS appears to be taking shape (perhaps already has taken shape) as the electronic attack of choice. The fact this has happened to many companies other than Name.com, including hacks at Sony, Google, Network Solutions, among others, demonstrates a boldness that should underscore the gravity of this situation. Its persistence shan’t relent, I fear.

    Our need to address these kinds of attacks, collectively, becomes more apparent given the nature of this particular assault, which is clearly political bullying on the part of one nation directed at another. I won’t mince words about this. We, as a nation, were attacked. Name.com was just the target of this specific missile.

    That being said, your efforts are to be lauded. Pray this unfortunate scenario may lead to a greater cooperation between registrars, hosting companies, bandwidth providers, data centers and the like. Our economic freedom and political freedom demand it.

  • http://www.facebook.com/anjan.bhushan Anjan Bhushan

    Probably you may want to augment your infrastructure at the level of 1and1 where the domain was moved. Lesson learned. I am a loyal customer of name.com and with you in your decision.

  • http://cookinggames.ca ARIYAS

    Did you guys alert the authorities about this?

    • http://davezan.com/ Dave Zan

      Just so others know, sometimes the authorities actually request the registrar or hosting provider not to reveal details of an on-going legal investigation after being informed of it. So while the registrar would loooooooooooove to provide more information that some people (even non-customers) demand, unfortunately they’re restrained by legal authorities’ request for such.

      Obviously that sounds ridiculous, and it is. OTOH, legal authorities don’t want any hint whatsoever known of what they’re doing or about to do while investigating a delicate yet drastic issue like this.

      Finally, I guarantee you that this can happen with any registrar, and that any registrar can also do the same IF they’re virtually forced to with no other workable options. It’s indeed an unacceptable shame, but this is one of the risks they face every other day.

      I wish everyone else well. Take care of yourself, your loved ones, and your domain names.

      • http://cookinggames.ca ARIYAS

        I don’t need to provide proof that I am a Name.com customer. I asked name.com for an answer and not you. So TROLL, go back and hide under your bridge.

        • http://davezan.com/ Dave Zan

          Heh, you realize I don’t have to do anything for you. And I never said anything about you being a Name.com customer or not.

          If you doubt what I replied above, though, just search around online. You’ll find similar examples of people or companies told to clam up after reporting an issue to law enforcement, and can only reveal more after being given the go-signal.

        • rdgatl07

          who is the TROLL, TROLL lol…

  • http://www.geekgirlsonline.com Athena Hollow

    I was totally with you guys until your font-family: cursive showed up as Comic Sans on my end *cries* My poor designer eyes!


    Seriously, though. You guys did great. I can’t say I would have done any different, even knowing what was on the site. Had it actually been *hosted* on your servers, that’s one thing; but just being a domain bought through you — and there being little work with transferring domains — it was in the best interest of all of your customers, and yourselves, to not try and keep the domain on your registrar list.

    And what is killing me is that the aforementioned domain is even blocked inside of China, so why did they even bother with it?

    • oborseth

      The official Name.com font selector has been taken out back and beaten. Not really. Ok yes, really. Also, Comic Sans isn’t all bad: http://www.mcsweeneys.net/articles/im-comic-sans-asshole

  • http://www.zatznotfunny.com Dave Zatz

    Maybe transparency isn’t the best policy. Was intending to move some of my domains this AM and came across this blog post from your Twitter feed while doing my research. I read it as your infrastructure and response isn’t yet sufficient and that you may not have your customers’ backs. :/ Good luck.

    • oborseth

      Sorry to hear that. Companies hide and sweep things under the rug all the time, Name.com prefers not to do so. Keep in mind that bigger fish than us succumb to DDOS attacks. The difference is that we feel open communication around these kinds of things is a better policy than denial. You’re right though, transparency isn’t for everyone. 

    • http://davezan.com/ Dave Zan

      What’s rather unique about this attack is it had a definite reason: targeting a customer’s domain name. Check online and you’d see it’s happened also to bigger registrars like Go Daddy and Network Solutions where their customers were affected, yet there was no definite reason other than simply cause mayhem.

      I’m sorry to “hear” you feel transparency isn’t the best policy. To think that the truth (supposedly) sets one free, even though it hurts.

      OTOH, maybe you and Name.com won’t indeed be a good fit. Good luck to you as well.