Yesterday I said I had my doubts that the Twitter situation was a DNS attack because a lot more sites than Twitter would have gone offline. (The comment was posted at Byron Acohido's blog.) DNS is like that. DNS servers serve up the IP addresses of LOTS of sites from a single server, not just one.
So, I did a dig query against twitter.com and found out that it was hosted by DynECT (DynDNS). Tom Daly of DynDNS and I have conversed in the past, and he had written to us at Secure64 that they weren't under attack. He even posted some comments about it: http://dynamicnetworkservices.com/journal/AboutDDoSAttacks.
I can't agree more that people seem to confuse DNS attacks with DDoS attacks in the press. Probably because that letter "N" looks so much like that letter "o". Or not.
So it will probably still be a while before we get some real data from Twitter about what really happened.
On a related subject: there have been some comments on CircleID about how unlikely it is that this was a political DDoS attack against one person.
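The check described above (running dig against a zone to see who hosts its authoritative nameservers, and therefore how much would share its fate in an outage) can be scripted. The following is an added example, not code from the post's author or from Secure64: it parses the answer section of `dig NS` output and reports whether every nameserver for the zone sits under a single provider domain. The dig output, the zone `example.com` and the provider `dns-provider.example` are constructed sample data, and the "provider" heuristic (last two labels of the nameserver hostname) is an assumption that works for typical hosted-DNS naming but not for every operator.

```python
import re
from collections import Counter

# Constructed sample modelled on `dig NS example.com` output; not real data.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.10.6 <<>> NS example.com
;; global options: +cmd
;; ANSWER SECTION:
example.com.\t3600\tIN\tNS\tns1.dns-provider.example.
example.com.\t3600\tIN\tNS\tns2.dns-provider.example.
example.com.\t3600\tIN\tNS\tns3.dns-provider.example.
example.com.\t3600\tIN\tNS\tns4.dns-provider.example.

;; Query time: 20 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""

# One resource record line in dig's answer section: owner TTL IN NS target
NS_LINE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+NS\s+(?P<target>\S+)\s*$")


def parse_ns_records(dig_output):
    """Return (owner, ttl, nameserver) tuples from the ANSWER SECTION only.

    Lines before the section header and everything from the next ';;'
    marker onward (query time, server, etc.) are ignored.
    """
    records = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and line.startswith(";;"):
            break  # end of the answer section
        if not in_answer or not line.strip():
            continue
        m = NS_LINE.match(line)
        if m:
            # Normalise: strip the trailing root dot and lower-case the name.
            target = m.group("target").rstrip(".").lower()
            records.append((m.group("owner"), int(m.group("ttl")), target))
    return records


def provider_zone(nameserver, labels=2):
    """Heuristic (assumption): the provider is the last `labels` labels of
    the nameserver hostname, e.g. ns1.dns-provider.example -> dns-provider.example."""
    parts = nameserver.split(".")
    return ".".join(parts[-labels:])


def summarize(dig_output):
    """Summarise how concentrated a zone's authoritative DNS is.

    A single provider is not wrong in itself, but it means an attack or
    outage at that provider takes the zone (and every other zone the
    provider serves) down together, which is the collateral-damage
    question raised in the post.
    """
    records = parse_ns_records(dig_output)
    providers = Counter(provider_zone(ns) for _, _, ns in records)
    return {
        "nameservers": [ns for _, _, ns in records],
        "providers": dict(providers),
        "single_provider": len(providers) == 1,
    }


if __name__ == "__main__":
    # With a live network you would feed this the output of:
    #   dig NS <zone>
    # Here we use the constructed sample so it runs offline.
    print(summarize(SAMPLE_DIG_OUTPUT))
```

In practice, pipe real `dig NS <zone>` output into `summarize` and treat `single_provider == True` as a prompt to ask what else that provider hosts, rather than as a verdict on the zone itself; as the comment below notes, the answer is situational.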

I think you should probably learn a bit about how the DNS works before opining on the topic - for example, a DNS server can be authoritative for a single domain, and could have only a single A/PTR record exposed publicly. Split-horizon DNS like this with only a single record publicly exposed would make sense for a service like Twitter, given that www.twitter.com is all that folks use.
Of course, a few minutes spent with dig can prove or disprove this. But your statement that if there were a DNS-based component to the Twitter DDoS one would observe lots of collateral damage is simply incorrect; it's highly situationally specific.
Posted by: Roland Dobbins | August 11, 2009 at 11:24 PM
Nice Article.....
Posted by: DNS Lookup | December 04, 2009 at 02:12 AM