StormPay has been mentioned in recent news stories after it froze the payment processing account of 12daily-Pro.com, a controversial service that pays users to view Internet ads. 12daily-Pro.com is under investigation by the FBI and SEC, according to a front-page story in today’s Wall Street Journal (subscription site). Many web hosting companies use StormPay to process payments for recurring services, and its outages have been widely discussed this week on web hosting forums.
Prolexic’s proxy-based defenses were effective against the attack, Lyon said. But the situation grew more complicated at midweek when the attack was expanded to StormPay’s hosting providers. The stormpay.com site remained offline as Prolexic developed a defense strategy that could get StormPay back online while protecting the other providers’ operations and customers. Lyon said the attacks were unusually persistent. “I haven’t seen this kind of aggression in quite a while,” he said.
In a DNS amplification DDoS, attackers use a botnet to send a large volume of requests to DNS servers, spoofing the target’s URL as the “from” address on the request. Instead of responding to the machines in the botnet, the DNS servers send responses to the target, in this case stormpay.com. Because nameserver responses can be significantly larger than DNS requests, the attack can be amplified.
In a December advisory (PDF), the U.S. cyberdefense agency US-CERT warned of an increase in DNS amplification attacks – also known as DNS recursion attacks. “These attacks are troublesome because all systems communicating over the internet need to allow DNS traffic,” said US-CERT. “An organization could be used as a DNS recursion amplifier if its DNS server is misconfigured.”
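For operators who want to check whether their own resolver is being used this way, the following added example (not from the article, Prolexic or US-CERT) audits a resolver query log for recursive answers sent to outside addresses and for sources whose responses dwarf their requests. The five-field log format, the internal network range and the thresholds are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: the networks this resolver is meant to serve (documentation range).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample records in a hypothetical format:
# claimed source IP, query name, recursion-desired flag, request bytes, response bytes
SAMPLE_LOG = """\
192.0.2.10 www.example.com 1 33 49
192.0.2.11 mail.example.com 1 34 50
198.51.100.7 big.example.net 1 36 2980
198.51.100.7 big.example.net 1 36 2980
198.51.100.7 big.example.net 1 36 2980
203.0.113.5 www.example.org 1 33 49
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def audit(log_text, min_queries=3, min_ratio=10.0):
    """Return (open_recursion, suspects).

    open_recursion: True if any outside source received a recursive answer,
    i.e. the misconfiguration the advisory describes.
    suspects: {source_ip: amplification ratio} for outside sources whose
    responses are at least min_ratio times larger than their requests.
    With spoofed traffic the "source" is the likely victim, not the sender.
    """
    stats = defaultdict(lambda: [0, 0, 0])  # queries, request bytes, response bytes
    open_recursion = False
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        src, _qname, rd, req, resp = fields
        if is_internal(src) or rd != "1" or int(resp) == 0:
            continue  # served client, non-recursive query, or refused
        open_recursion = True
        entry = stats[src]
        entry[0] += 1
        entry[1] += int(req)
        entry[2] += int(resp)
    suspects = {}
    for src, (count, req, resp) in stats.items():
        if count >= min_queries and req > 0 and resp / req >= min_ratio:
            suspects[src] = round(resp / req, 1)
    return open_recursion, suspects

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A True first value means the resolver answers recursive queries for addresses it was never meant to serve; restricting recursion to the internal networks removes it from the pool of usable amplifiers.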