CNET logo Why You Can Trust CNET

Our expert, award-winning staff selects the products we cover and rigorously researches and tests our top picks. If you buy through our links, we may get a commission. Reviews ethics statement

DDoS attack hobbles major sites, including Amazon

More than a mouse was stirring Wednesday night on the Internet, as an attack on a major DNS provider to sites such as Amazon.com and others hobbled service for about an hour.

Tom Krazit Former Staff writer, CNET News
Tom Krazit writes about the ever-expanding world of Google, as the most prominent company on the Internet defends its search juggernaut while expanding into nearly anything it thinks possible. He has previously written about Apple, the traditional PC industry, and chip companies. E-mail Tom.
Tom Krazit
3 min read
People flocked to Google Wednesday evening to figure out what was happening with the UltraDNS service, which suffered a DDoS attack at the height of the last-minute shopping season. Screenshot by Tom Krazit/CNET

An attack directed at the DNS provider for some of the Internet's larger e-commerce companies--including Amazon, Wal-Mart, and Expedia--took several Internet shopping sites offline Wednesday evening, two days before Christmas.

Neustar, the company that provides DNS services under the UltraDNS brand name, confirmed an attack took place Wednesday afternoon, taking out sites or rendering them extremely sluggish for about an hour. A representative who answered the customer support line said the attacks were directed against Neustar facilities in Palo Alto and San Jose, Calif., and Allen Goldberg, vice president of corporate communications for Neustar, confirmed that at about 4:45 p.m. PST, "our alarms went off."

Goldberg said the company received a disproportionately high number of queries coming into the system, and analyzed it as an attack. Neustar deployed "a mitigation response" within minutes of the attack, he said, and brought matters under control within an hour. The response limited the problems to Northern California, he said.

In addition to the high-profile sites, dozens of smaller sites that rely upon Amazon for Web-hosting services were also taken down by the attack. Amazon's S3 and EC2 services were affected by the problems, according to Jeff Barr, Amazon's lead Web Evangelist, who retweeted a report to that effect without clarification and confirmed it in later tweets.

For a brief period Wednesday evening, "ultradns" was the top search term on Google, likely as frantic technicians at Web sites attempted to figure out what was going on with their sites.

Web sites need DNS providers to translate the character-based URLs that people can remember to the IP addresses that Web sites actually use to list themselves on the Internet. When a DNS provider is overwhelmed with malicious requests for IP addresses, the system can overload and prevent legitimate users from reaching their destinations.

Amazon's Web Services Health Dashboard declared an all-clear around 6:40 p.m. PST, saying that DNS resolution had returned to normal. Amazon and several other big sites seemed to recover around 5:40 p.m., but some other sites continued to report problems until around 6 p.m.

Needless to say, the timing of such an outage could not have been much worse, as holiday procrastinators rushed to make sure they could get one-day shipping for gifts to be delivered before Christmas Day on Friday.

Wolf Austad, a CNET reader, wrote in around 5:00 p.m. PST Wednesday to report that a last-minute gift purchase for his wife from Amazon.com had gone awry. He later reported that his transaction was stored in Amazon.com's history once he was able to get back into the site. However, "now I need to explain to my wife why she is getting her gift on the 26th," he wrote in an e-mail.

UltraDNS suffered a similar attack earlier this year, which took out Amazon, Salesforce.com, and other sites. Goldberg described Wednesday's attack as smaller than that one, in that it affected fewer customers.

However, Amazon is no small customer. Goldberg declined to comment on specific customers affected by the outage, and said Neustar had not yet determined the source of the attack.

One expert thought the attack might have been more widespread.

"This was wider than just UltraDNS," said Bill Woodcock, research director at Packet Clearing House, which operates domain name servers and supports Internet exchange points around the globe.

"It's difficult to tell at this point how much is a DDoS attack and how much is collateral damage from the attack that is being felt in other ways," like a domino effect, he said. "There were routing problems at some major European exchanges at the same time that caused major Internet service providers' routers to encounter a higher load and pass fewer packets."

CNET's Elinor Mills contributed to this report.