Several customers have reported receiving a significant number of “No communication from MAV Agent…” alerts this past weekend.
The cause was a DDoS attack on the DNS provider that hosts the DNS records used by the Managed Antivirus Agent. The attack rendered all of the provider's anycast DNS constellations non-responsive for approximately one hour, starting around 9pm GMT on Saturday 7th January; because the hostnames the agent reports to could not be resolved during that window, agents were unable to check in and the "No communication" alerts were raised. The attack combined SYN, ICMP and DNS floods in excess of 1 Gbit/s across the provider's anycast IPs, with packet rates of 500K to 1M packets per second against each nameserver. The provider identified the target domain and delegated it away from their nameservers (at the time of writing, the domain has since cycled through six other DNS providers, bringing the DDoS attack with it) and then began remedial action to mitigate the attack. Partial service was restored quickly, but some disruption remained until 9am GMT on Sunday 8th January.
Our DNS provider reports that “Every single DDoS attack this company has ever faced has been against a target domain which was either: pornography, online gambling or ponzi schemes known as ‘High Yield Investment Programs’ (HYIPs). HYIPs have been specifically banned here since 2006 and we have had no further attacks against HYIP sites since enacting the ban (because if we find any on the system, we summarily remove them). As of today, we are enacting a similar ban on pornographic and gambling websites. We have already implemented additional prescreening rules to prevent new domains in those categories from moving here – most DDoS attacks are against a domain added within the previous 72 hours.”
In addition, they are making a number of changes to improve the robustness of their infrastructure. They had already begun preparing a “warm standby” anycast constellation (loaded with all zones but not receiving queries until it is swapped in during a situation such as this), and are now accelerating that work. Given their response, the fact that this is only the third “catastrophic impact” event in their 14-year history (2003, 2005 and now 2012), and the fact that this attack also proved too much for every other DNS provider that has since been saddled with it, we are satisfied that, for now, the service they provide meets the high expectations that GFI and its customers have. We will, however, continue to monitor the situation, and should the frequency of such events increase we will of course source an alternative provider.
In the meantime, we would like to apologize for any inconvenience caused as a result of any alerts received.
The GFI MAX Team.