By Kevin Murphy
12th March 2007
The Go Daddy Group Inc has been hit by a massive distributed denial of
service attack that took down many of its customers' websites and other
services for several hours.
The company, the largest registrar of internet domain names and one of
the largest web hosting providers, said it was the subject of
"large-scale, sophisticated attacks" that lasted four to five hours.
Services hosted at one of the company's data centers suffered sluggish
or zero response times as a result. Its other data centers were
GoDaddy chief information security officer Neil Warner told us that the
attack was a SYN flood that targeted a particular under-protected
service. We have agreed not to name the targeted service, at the request
Other services that are hosted at the targeted data center, including
many customer websites, were also affected.
"This was a little different for us," Warner said. "Usually when we see
a DDoS, somebody's mad at a particular hosting customer... We're
probably always under a DDoS attack of some kind."
The attack started at 6.50am Arizona time but it was clearly not, as
some had speculated earlier in the day, a technical glitch caused by the
unusually early switch to Daylight Saving Time in the US.
It's not beyond the bounds of possibility that the attacker chose
yesterday morning to attack because GoDaddy had been criticized in the
media on Friday for its unclear position on patching its servers to the
new DST schedule.
Under recent US energy legislation, DST, in which the clocks "spring
forward" one hour, was pulled forward to March 11, the second Sunday in
March, rather than the first Sunday in April, which this year is April
GoDaddy is based in Arizona, a state unusual in that it does not observe
the switch to DST.
Warner declined to speculate on the motive for the attack. His team is
poring over packet captures to see if they can determine the source or
Dozens of bloggers and web forum posters complained yesterday that their
websites had gone dark for one or more hours. Some claimed to be losing
money due to the downtime.
According to Warner, the affected service was seeing 70,000 packets per
second at the height of the attack. For comparison, that's about 20,000
more packets per second than the SYN flood that took down The SCO
Group's website in 2003.
Ordinarily, the GoDaddy infrastructure would be able to handle such an
attack, but the attacker appeared to have found a weak spot.
A SYN flood is a well-documented form of DDoS attack that exploits the
three-way handshake used to set up a TCP connection.
In a normal TCP handshake, the computer initiating a connection sends
a SYN, for synchronize, packet. The recipient sends back a SYN-ACK, or
synchronize acknowledgement, and holds a half-open entry for the
connection until the sender responds with an ACK,
In a SYN flood attack, the attacker spoofs the source IP address of each
SYN packet, so that the SYN-ACKs go to hosts that never answer them, and
the victim's resources are tied up holding tens of thousands of bogus
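To make the mechanism concrete, here is an added example (not code from the article, from Warner's team or from GoDaddy) that replays a constructed packet capture through a model of a server's half-open connection queue and a simple flood detector. The victim address 203.0.113.10, the client addresses, the queue size of 1024 entries, the 3-second entry timeout and the 1,000 SYN/s alert threshold are all assumptions chosen for illustration; the packet records are constructed, not captured.

```python
"""Half-open connection tracker and SYN-flood detector.

Added example, not code from the original article or from GoDaddy. It
replays TCP handshake events of the kind a packet capture would yield and
shows (1) how a listen queue of fixed size fills with half-open entries
whose SYN-ACKs are never answered, so that legitimate SYNs are dropped,
and (2) a rate-plus-completion-ratio check that flags the flood.
All addresses, thresholds and packet records below are constructed.
"""
from collections import defaultdict

SERVER = "203.0.113.10"          # constructed victim address (TEST-NET-3 range)
SYN, SYN_ACK, ACK = "S", "SA", "A"


def build_sample_capture(spoofed_syns=5000, start=0.0, duration=1.0):
    """Constructed capture as (time_s, src, dst, flags) tuples, time-sorted.

    Three legitimate clients complete the handshake early; a fourth tries
    once the flood is under way; the rest are SYNs from spoofed,
    never-repeating sources whose SYN-ACKs are never acknowledged.
    """
    events = []
    for i, client in enumerate(("198.51.100.7", "198.51.100.8", "198.51.100.9")):
        t = start + 0.05 * i
        events += [(t, client, SERVER, SYN),
                   (t + 0.01, SERVER, client, SYN_ACK),
                   (t + 0.02, client, SERVER, ACK)]
    # Late legitimate client: only its SYN is recorded; whether it ever gets
    # a SYN-ACK depends on the state of the server's queue at that moment.
    events.append((start + 0.5, "198.51.100.10", SERVER, SYN))
    step = duration / spoofed_syns if spoofed_syns else 0.0
    for i in range(spoofed_syns):
        t = start + i * step
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"  # spoofed source
        events.append((t, src, SERVER, SYN))
        events.append((t + 0.001, SERVER, src, SYN_ACK))           # never ACKed
    events.sort(key=lambda e: e[0])                                # stable: keeps arrival order
    return events


class HalfOpenTracker:
    """Models the server's SYN-RECEIVED queue so the flood's effect is visible."""

    def __init__(self, backlog_limit=1024, syn_timeout=3.0):
        self.backlog_limit = backlog_limit   # entries the queue can hold (assumed)
        self.syn_timeout = syn_timeout       # seconds an unanswered entry is kept (assumed)
        self.half_open = {}                  # (src, dst) -> SYN arrival time, in arrival order
        self.syns = self.established = self.dropped_syns = self.timed_out = 0

    def _expire(self, now):
        # Entries are inserted in time order, so the oldest is always first.
        while self.half_open:
            key, t0 = next(iter(self.half_open.items()))
            if now - t0 <= self.syn_timeout:
                break
            del self.half_open[key]
            self.timed_out += 1

    def feed(self, t, src, dst, flags):
        self._expire(t)
        if dst != SERVER:
            return                           # server -> client SYN-ACKs don't change the queue
        key = (src, dst)
        if flags == SYN:
            self.syns += 1
            if len(self.half_open) >= self.backlog_limit:
                self.dropped_syns += 1       # queue full: this SYN, genuine or not, is lost
            else:
                self.half_open[key] = t
        elif flags == ACK and key in self.half_open:
            del self.half_open[key]          # third leg seen: connection established
            self.established += 1


def simulate(events, backlog_limit=1024, syn_timeout=3.0):
    tracker = HalfOpenTracker(backlog_limit, syn_timeout)
    for event in events:
        tracker.feed(*event)
    return tracker


def detect_syn_flood(events, window=1.0, syn_rate=1000, min_completion=0.5):
    """Per time window, count SYNs to the server and handshakes that complete.

    Returns (window_start, syns, completed, completion_ratio) for each window
    whose SYN rate is at least syn_rate per second AND whose completion ratio
    is below min_completion. A busy but healthy service has a high rate and a
    high ratio; a flood has a high rate and a ratio near zero.
    """
    buckets = defaultdict(lambda: [0, 0])    # window index -> [syns, completed]
    pending = set()
    for t, src, dst, flags in events:
        if dst != SERVER:
            continue
        w = int(t // window)
        if flags == SYN:
            buckets[w][0] += 1
            pending.add((src, dst))
        elif flags == ACK and (src, dst) in pending:
            pending.discard((src, dst))
            buckets[w][1] += 1
    alerts = []
    for w in sorted(buckets):
        syns, completed = buckets[w]
        ratio = completed / syns if syns else 1.0
        if syns / window >= syn_rate and ratio < min_completion:
            alerts.append((w * window, syns, completed, round(ratio, 4)))
    return alerts


if __name__ == "__main__":
    capture = build_sample_capture()
    tr = simulate(capture)
    print(f"SYNs={tr.syns} established={tr.established} "
          f"half-open={len(tr.half_open)} dropped={tr.dropped_syns}")
    for start, syns, done, ratio in detect_syn_flood(capture):
        print(f"ALERT window {start:.0f}s: {syns} SYN/s, {done} completed (ratio {ratio})")
```

Running it shows the queue filling with 1,024 unanswered entries after which every further SYN, including the late legitimate client's, is dropped, which is the "sluggish or zero response" effect described above. The detector deliberately keys on two signals together: a SYN rate well above the service's norm and a handshake completion ratio near zero; either one alone produces false positives (a flash crowd has a high rate but completes its handshakes; a slow scanner has a poor ratio but a low rate). The standard countermeasure for this class of attack, SYN cookies, avoids keeping per-connection state until the final ACK arrives; the article does not say which measures GoDaddy put in place.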
Warner said his security and network teams managed to contain the
problem and put preventative measures in place to mitigate future