A recent DDoS attack against Cedexis, a French service provider, caused many prominent French newspapers, including Le Monde, Le Figaro, L’Equipe and Le Nouvel Observateur, all hosted on the Cedexis network, to go offline briefly yesterday, May 10. Other web services built on the Cedexis network were affected as well.
On its blog, Cedexis has stated today that “an unknown individual or group launched a sophisticated Distributed Denial of Service (DDoS) attack on Cedexis”.
We believe that a data analysis we conducted here at Nominum Data Science uncovers the mystery behind this attack.
Starting at 11:13 UTC yesterday, we observed that 2-01-4bbf-019b.cdx[.]cedexis[.]net, a subdomain of the Cedexis network, was hit by a PRSD (pseudo-random subdomain) attack. The attack pattern was specifically identified as a PRSD-A type attack, which is known to originate from a particular cybercriminal group.
Generally speaking, a PRSD attack creates a constant flow of meaningless traffic between DNS resolvers and authoritative servers by querying randomized (or pseudo-randomized) subdomains of the target domain. Because each such name is new, it is never in the resolver’s cache and always requires a response from the authoritative server; the flood continues until it exhausts the servers’ resources and causes them to crash.
The graph above describes the volume of queries to the Cedexis subdomain per 10-minute block. Over the 4 hours of the attack we saw a rate of nearly 10M (10 million) queries per 10 minutes. Since we analyzed roughly 3% of global DNS traffic, multiplying this number by 33 gives an estimate of 330M random subdomains per 10 minutes, which equals 550k QPS (queries per second), all for random subdomains alone.
That is a rate that will cause DNS servers to fail, and it would make the resources reached through them unavailable.
It is not yet clear whether the attack on Cedexis was specifically designed to target the French press (we would probably have expected such an attack to happen before the French elections), or whether there was a deeper reason behind it. In any case, we believe that the Cedexis attack wasn’t the end of the story. Today we observed another similar attack, with the same attack signature, against two CDN subdomains, aka-poc-vcai[.]edgesuite[.]net and poc-vc2.com[.]cdnga[.]net. Perhaps there is some correlation here, or maybe the same cyber gang was hired to attack a new target.
In any case, these types of PRSD attacks can be stopped (once detected) by blocking or rate-limiting at the DNS level, something we already do in our Vantio CacheServe. For more on that, please visit http://www.nominum.com/product/caching-dns/.
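As an added illustration (not Nominum's or Vantio CacheServe's code) of the two points above, the following toy detector groups resolver query logs by parent zone and flags the PRSD pattern (many queries, almost all to distinct high-entropy labels), and it carries through the sample-to-global extrapolation the post uses (10M per 10 minutes at a 1/33 sample gives 550k QPS). The log lines, the zone names `cdx.target.example` and `www.legit.example`, and the thresholds are all constructed assumptions.

```python
# Added example, not code from the post: toy PRSD detection over resolver
# query logs, plus the sample-to-global QPS extrapolation from the post.
import math
import random
from collections import defaultdict


def estimate_global_qps(sampled_queries, window_seconds, sample_fraction):
    """Scale queries seen in a partial traffic sample up to a global QPS
    estimate, e.g. 10M queries per 600 s seen at a 1/33 sample -> 550k QPS."""
    return sampled_queries / sample_fraction / window_seconds


def label_entropy(label):
    """Shannon entropy (bits per char) of one DNS label; random labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def prsd_suspects(log_lines, min_queries=20, min_unique_ratio=0.9, min_entropy=2.5):
    """Group queries by parent zone (qname minus its leftmost label) and return
    parents with many queries, nearly all to distinct, high-entropy labels."""
    stats = defaultdict(lambda: {"total": 0, "labels": set(), "entropy": 0.0})
    for line in log_lines:
        _ts, _client, qname, _rcode = line.split()   # constructed 4-field format
        first, _, parent = qname.partition(".")
        s = stats[parent]
        s["total"] += 1
        s["labels"].add(first)
        s["entropy"] += label_entropy(first)
    flagged = []
    for parent, s in stats.items():
        unique_ratio = len(s["labels"]) / s["total"]
        mean_entropy = s["entropy"] / s["total"]
        if (s["total"] >= min_queries and unique_ratio >= min_unique_ratio
                and mean_entropy >= min_entropy):
            flagged.append(parent)
    return sorted(flagged)


# Constructed sample log (not real data): 40 random-label queries against one
# zone, plus 40 repeated queries for a legitimate name that must not be flagged.
_rng = random.Random(7)
_alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
CONSTRUCTED_LOG = [
    f"1494414780 10.0.0.{i % 5} {''.join(_rng.choices(_alphabet, k=12))}.cdx.target.example NXDOMAIN"
    for i in range(40)
] + [f"1494414780 10.0.0.{i % 5} www.legit.example NOERROR" for i in range(40)]

if __name__ == "__main__":
    print(prsd_suspects(CONSTRUCTED_LOG))                        # ['cdx.target.example']
    print(round(estimate_global_qps(10_000_000, 600, 1 / 33)))   # 550000
```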