Web host and domain reseller, Netregistry, had to fend off a distributed denial-of-service (DDoS) attack this morning, thwarting the main attack in just over an hour, although it still doesn't know which one of its customers may have been the intended target.
The attack started at 10:30am (AEST) this morning, affecting customers using shared and virtual private server hosting, but not its own website.
Shortly after at 10:43am, the company had to place a hard limit on the number of calls it could accept through its phone system, tweeting that the system had been overloaded.
A few minutes later at 10:50am, the company confirmed that it was experiencing a DDoS attack on its network. It began to re-divert its network bandwidth and work with upstream provider Telstra to stem the flow of traffic, which it said was coming in waves. Netregistry chief operating officer Brett Fenton said that the link to Telstra is capable of serving between 250 and 300Mbps, but that the attack had caused the link to be completely saturated.
It began to restore its connectivity across all its services from 11:10am and by 11:37am had restored all but one service. Websites on one of its shared hosting clusters were still experiencing intermittent outages.
Fenton said that Netregistry wasn't the intended target, but rather one of its hosting customers. Netregistry had to thwart a similar DDoS attack last year when customer AFACT was targeted by Anonymous in Operation Payback, according to Fenton. He said it would be difficult to determine who, or what, was the attacker's intended target.
Fenton said that while no data was lost, about 100,000 customers were likely to have been affected by the disruption. Of those, about 50,000 to 70,000 would be hosted websites.
Following further attacks yesterday, Netregistry blocked traffic from Telstra customers in order to allow other services on one of its web clusters to be kept online. The cluster in question was the same one that was experiencing intermittent outages yesterday after the main attack was stemmed.
On its site, the company said the block meant that clients accessing websites via the Optus/Pipe connection would be able to access their services, but Telstra network traffic would not get through.
Telstra customers were eventually unblocked between 6pm and 7pm yesterday evening.
Users on the Whirlpool discussion forum speculated that the disruption might have been a repeat of Anonymous' attack on Australian Federation Against Copyright Theft, which was conducted about this time last year.
"That's purely speculation. If I had that information, I'd be more than happy to share it to indicate what the site is, but at this moment we just don't know yet," Fenton said.
"The issue is that most of the traffic was IP based as opposed to a specific domain. That makes it a little bit difficult to really pinpoint it down. Even last year it was made easier because Anonymous claimed responsibility."
Fenton said that at this point no one had claimed responsibility for the attack and the company would be concentrating on moving forward and resuming operations.
"We understand that customers have [been] very adversely affected and it's been obviously detrimental to their business as well. Customers who have had significant hardship are being looked at on a case-by-case basis."
Updated at 10:15am, 27 September 2011: added later details of the DDoS attacks.