AT&T DDoS Defense, the company tells its potential customers, is “an optional feature to the AT&T Internet Protect malware-monitoring service” that “uses powerful, specialized devices running sophisticated algorithms to identify attacks headed toward your network. We can mitigate them before they reach your network to keep your critical infrastructure running.”
Unfortunately it did not use it to protect its own network, or more specifically its DNS servers. On Wednesday morning, 16 August, West Coast time, AT&T was hit by a DDoS attack from an unknown source against two of its DNS locations. The company has so far given few details on the attack, merely acknowledging it on a service status page.
“Due to a distributed denial of service attack attempting to flood our Domain Name System servers in two locations,” it said, “some AT&T business customers are experiencing intermittent disruptions in service. Restoration efforts are underway and we apologize for any inconvenience to our customers. Our highest level of technical support personnel have been engaged and are working to mitigate the issue.”
DNS servers translate the human-readable host names that users type (the familiar ‘www’ names) into the numeric IP address of the destination. Without that translation, and unless the user happens to know the IP address, websites cannot be reached. So by flooding the DNS servers, the attackers effectively denied service to every AT&T customer that relied on those servers for name resolution, without having to send a single packet at the customers’ own networks. The issue has now been resolved, company spokesman Mark Siegel told Reuters yesterday.
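To make the dependency concrete, the following is an added example (not code from the article, from AT&T, or from any of the parties mentioned) showing what a DNS A-record query and answer look like on the wire and why a client whose only resolver is being flooded simply stops resolving names. The transport, the resolver addresses (198.51.100.1 and 198.51.100.2, from a documentation range) and the returned address 192.0.2.10 are all constructed for the example; the first resolver is made to time out to simulate one that is under attack, and the client fails over to the second.

```python
"""Minimal DNS A-record query/response handling with resolver failover.

Constructed example: no network access is made. A fake transport stands in
for UDP port 53 and simulates one resolver that is flooded (never answers)
and a second that still does.
"""
import random
import struct


class ResolverTimeout(Exception):
    """Raised by the transport when a resolver does not answer in time."""


def build_query(name: str, txid: int) -> bytes:
    """Encode a standard recursive query for an A record (RFC 1035 format)."""
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels = []
    jumped = False
    end = off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped = True
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_a_records(resp: bytes, txid: int) -> list:
    """Return the IPv4 addresses in the answer section.

    Rejects a reply whose transaction ID does not match our query (a basic
    defence against spoofed answers) and any non-zero RCODE.
    """
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qdcount):           # skip the echoed question(s)
        _, off = _read_name(resp, off)
        off += 4                       # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def resolve_with_failover(name: str, resolvers: list, send):
    """Query each resolver in turn until one answers.

    `send(resolver, packet)` must return the raw reply or raise ResolverTimeout.
    Returns (resolver_that_answered, addresses, resolvers_that_failed).
    """
    txid = random.randrange(0, 0x10000)
    query = build_query(name, txid)
    failed = []
    for resolver in resolvers:
        try:
            reply = send(resolver, query)
        except ResolverTimeout:
            failed.append(resolver)
            continue
        return resolver, parse_a_records(reply, txid), failed
    raise RuntimeError("no resolver answered; tried %s" % failed)


def fake_send(resolver: str, packet: bytes) -> bytes:
    """Constructed transport: 198.51.100.1 is 'flooded', 198.51.100.2 answers."""
    if resolver == "198.51.100.1":
        raise ResolverTimeout(resolver)
    txid = struct.unpack("!H", packet[:2])[0]
    question = packet[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    # Answer: name is a pointer to offset 12 (the question name), A/IN, TTL 300
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return header + question + answer


if __name__ == "__main__":
    used, addrs, failed = resolve_with_failover(
        "www.example.com", ["198.51.100.1", "198.51.100.2"], fake_send)
    print("answered by", used, "->", addrs, "after failures at", failed)
```

Run with only the flooded resolver in the list and `resolve_with_failover` raises: that is the position AT&T's customers were in while the attack lasted. The practical lesson is the one the second resolver illustrates: a client should carry at least two resolvers in different locations, and monitoring should alert on resolution timeouts, not only on link reachability, because the link stayed up while names stopped resolving.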
The attack is known to have lasted at least eight hours, although it is not yet known whether it was mitigated or simply stopped by the attackers. A recent DDoS attack against WikiLeaks was effective for more than a week before it was mitigated. While WikiLeaks’ attackers quickly announced themselves, no one has, at the time of writing, claimed responsibility for the AT&T attack.