The Untold Story Of “I Love You”


The tenth most devastating cyberattack in history.

It was a calm Thursday night in May of 2000. Woodland Hills, CA, a sleepy bedroom community north of Los Angeles, rarely had any sort of excitement.

Braun, an information technology contractor specializing in Linux and Microsoft mail servers, had just finished his dinner and was getting ready to turn in for the night, not knowing that the next several days were going to test his abilities like never before.

Around 2am, Braun received a frantic call from a recruiting agency in Newark, NJ asking if he could help a large corporation with a mail server. The frantic voice on the other end, in a desperate tone, said the whole network was being destroyed by the minute.

As Braun was trying to gather his thoughts after only a few hours of sleep, the phone rang again. This time it was a client, a lawyer who was preparing documents for trial court that day. The frantic voice on that call sounded a lot like the previous one, only this time he was told that the computer was eating all of his documents.

Now Braun knew there was a problem, one that would throw him into a spiraling tug-of-war between his clients and the first call he had received. In the back of his mind, he knew he was going to be awake for the next several days. This was not the kind of call any contractor wanted to get, and as he washed his face he began to imagine the thousands of panicked phone calls that must have been taking place, preparing himself for what was going to be a very big challenge, more than likely the biggest of his career as an independent contractor.

On the other side of the world, in Pandacan, Philippines, a small oil depot suburb of Manila that Braun knew nothing about, were two college students finishing their studies. One had just finished his thesis at AMA Computer College. As in a lot of small towns in the Philippines in the 2000s, people could not afford this readily available thing we called the internet, which seemed like a normal, everyday part of life elsewhere.

Around 3am, while Braun was driving on the freeway, hundreds of thousands of thoughts kept racing through his mind about what it could be. Thinking back on the phone call from his lawyer client, what could be eating his documents? It had to be something with the computer. There had to be a hardware malfunction, thought Braun, all the while telling himself in the back of his mind that it couldn't be happening to a major corporation and one of his clients at the same time.

As he was driving up to the gates of the major corporation whose address he had just been given by the frantic recruiter in NJ, his stomach began to twist into knots. This corporation was not just any corporation, it was Universal Studios. A place where high-dollar people worked, where movies were made, where movie stars roamed the streets and the expectation of immediate gratification was the norm. This was not a normal call, and he now knew he needed to call his lawyer client in a hurry to tell him to turn his computer off and not turn it back on until he could get to his office, another 30 miles away in downtown Los Angeles, CA.

Braun's worst fears were coming to light like a dizzying wormhole that was out of control.

No sooner had he hung up the phone from calling his lawyer client than it began ringing again, this time from another high-profile client of the past. They too, in a frantic voice, explained that their Novell server was eating all of the files needed to run a very prominent radio station serving the entire Los Angeles and Orange counties area, a stretch of land that encompassed over 100 square miles.

For the next several hours into the morning business day, as the cities surrounding Woodland Hills awoke and people began their day from home by checking their email, the phone continued to ring relentlessly, one by one all telling him that they couldn't get their email, that their computers were crashing, and that documents and other files were missing. Those who had made it into their offices were calling with what now seemed like a familiar message: their computers and servers were eating files at an uncontrollable rate.

After Braun had been given his security clearance to enter Universal Studios, he met the information technology manager, Bill, a very big, buff ex-drill sergeant from the Army. Bill too had the look of "what the hell is happening!" in his eyes; you could see that he had also been yanked out of bed at an unholy hour. With him was a first-year college student who looked like he had just been pulled out of the bar down the street and was in no condition to process the severity of what was to come.

As Braun and the IT manager Bill began poring through the countless hundreds of thousands of entries in log files from several servers – the ones that were still running – in a server room the size of a small city, one thing kept standing out. Email. There was what seemed like an abnormal amount of email being sent by the vice president and his assistants at an hour when a city of almost 12 million people would be sleeping.

This just didn't make sense to either of them, as what would the vice president of Universal Studios be doing sending thousands of emails between 1 and 3am? Braun asked if Bill could call one of the vice president's assistants, or the vice president himself, in an attempt to find out, but soon remembered he was at a place where 10,000 high-dollar people called home, people who would soon be lined up pounding on the door demanding to know why they couldn't get their email and why their files were missing.

This was much bigger than what Braun was used to working with, as most of his clients were doctors and lawyers where 25 to 100 people worked a normal 9-to-5 day.

It was now 4:45am. Millions of people were making their way through the almost never-ending standstill of traffic that stretches as far as the eye can see on any given day. Braun knew that in the moments to come, there was not going to be a single phone in either Los Angeles or Orange county that would not be ringing off the hook, asking "Where's my email and why are my documents gone?!"

No sooner had those thoughts crossed his mind than Bill received a phone call from AT&T at One Wilshire, a multi-story behemoth of a building that housed thousands of servers on almost every floor, serving most of the phone and data services for Los Angeles's downtown skyscraper district.

Twenty-five of their engineers had been woken up in the early hours to be told that the world was crashing around them. They had called to find out if the DS1 digital phone lines that ran between Universal Studios and the Natural History Museum in Los Angeles were working, something that neither Braun nor Bill would have thought to check. As it turned out, they were not working either, causing a firestorm of very early morning phone calls to the engineers at AT&T.

During that phone call, it would be discovered that not only were the two DS1 phone lines that ran between Universal Studios and the Natural History Museum not working, but that the vast majority of the phone lines in downtown Los Angeles were not working either.

At a time in history when millions of people around the world relied on dial-up internet services from AOL, AT&T, Earthlink and a handful of other smaller dial-up providers, it seemed incomprehensible that a high-dollar DS1 or T1 subscriber line would not be working. If you were fortunate enough to have such a service, you would have all but forgotten what it was like not to be consistently connected at any point in time.

As Braun and Bill continued to answer the absolute barrage of phone calls while attempting to find out what was causing all of these email and file servers to disintegrate before their eyes, Braun, against Bill's wishes, unplugged the network cables from several of the servers, but the rapid destruction was not slowing down. Bill would later discover that disconnecting those servers saved several hundred-million-dollar contracts that were stored in emails.

It was also discovered that almost everyone in any kind of management position at Universal Studios was storing their most precious high-value contract documents in emails and not on the file servers. That practice would later be changed by a policy implemented with force, as the backup tapes did not contain any of the documents that needed to be recovered in a big hurry. When asked why they were doing this, the reply most often heard was "we were afraid we wouldn't remember where the documents were".

Because Braun had rushed to unplug the network cables from the cluster of mail servers, he was able to retrieve a single hive file where a copy of all the tens of thousands of emails was stored.

Getting a desktop computer from Bill, Braun installed a copy of the Microsoft operating system they were using along with a copy of the mail server software that was in use, all while making dozens of phone calls to his clients telling them to turn off and unplug their mail servers completely.

The process of digging into a hive file and subsequently rebuilding the index inside the hive was a task that was almost unheard of, a taboo word that represented a catastrophe of epic proportion, a word that meant the mail server was going to be down for at least one day.

At a time when email had come of age along with AOL's Instant Messenger, the two were very heavily relied on for communication. Unfortunately for most of the southern California area, most of AOL's content was offline and its messenger service was not functioning at all, adding to the already building hysteria among the population of Los Angeles.

As the hours ticked on, a single desktop computer sat in the corner of the server room, making almost non-existent progress, churning away at rebuilding a hive file that was already within a couple hundred megabytes of the 1.5 gigabyte maximum that a hive file could be at the time. Braun and Bill were both in a panic about this desktop, which didn't have anywhere near enough processing power or memory for a task that was only meant to be done on a large multiprocessor server.

It was now 2:30 in the afternoon, and it was apparent that the counties of Los Angeles and Orange would be at a standstill, millions of people sitting at their desks with thousand-yard stares in their eyes, completely lost, not knowing what to do or how to do it. A few million would be sent home at noon, while the other few million, comprising all the network and software engineers, would spend the next several days sleeping on server room floors or wherever they could find a spot to get two or three hours of sleep before continuing on to the next phase of cleanup. As for Braun, he would find himself waking up on the floor of a sportscaster's sound room at the radio station that had called early that morning, located a few blocks away.

The traffic was heavy that day, not only because of all the people who had been sent home trying to make their way there, but because an army of off-site tape backup storage company vans, the size of which had never been seen, was also in a panic trying to make its way around the cities with tens of thousands of backup tapes in each vehicle.

While the single desktop sitting in the corner of the server room at Universal Studios was grunting its way through rebuilding the single hive that had been recovered, and Bill had a mob of people standing at his door as he repeated himself over and over about what was being done to recover from what seemed like a forever time warp of endless hours without email or documents, Braun made his way to the radio station, which was also collapsing, looking as if one of many nuclear bombs had been dropped in the area.

A lone network engineer sat in a small makeshift server room fumbling with wires and a mountain of books. Not having been trained in computer science, only given the title of network engineer and stuffed into a closet, he was at a complete loss as to what to do. There sat the three servers that ran the entire radio station.

Because the direction given during the phone call Braun had received early that morning, to unplug the network cables and shut down the servers, had not been heeded, almost all of the documents on the file server were destroyed, with the mail server in not much better condition. The only saving grace for the radio station was a single network appliance that had missed the memo about needing to be infected.

Braun discovered that the same kind of worm that had caused so much devastation at Universal Studios was also to blame for the devastation at the radio station. As with Universal, a rebuild of the mail server hive was needed, but unlike Universal, this hive was very badly damaged and there wasn't a spare desktop computer lying around. One had to be ordered, which in itself turned out to be a major challenge, as almost all of the computer stores in the area were completely sold out of pre-built computers, hard drives and associated parts.

It was now 3am. Braun had gotten the email hive from the radio station into good enough condition to be put on the desktop computer that had been found, bought and delivered to the radio station.

As he sat there, he wondered "what next?", and whether this was going to happen again right after all of these mail servers were fixed, all 7,000+ desktops at Universal rebuilt, the 100+ desktops at the radio station rebuilt, and the countless other mail servers and desktops that he still needed to fix or rebuild completely. It was 3am; delivered Chinese food and sleep were all that Braun could think about any further.

At 6am, Braun was awakened by the general manager at the radio station asking if everything had been fixed and whether he was able to get his email. The general manager was a very large human being with an incredibly large shoe size. As Braun looked up at him, he reminded himself that even on only three hours of sleep, he was still in the land of high-dollar, instant gratification, and that these people could not understand how much work it took to save their entire existence.

Still, he felt like he was being stared at by none other than Godzilla, expecting an answer that he did not get, certain that at any minute he was going to get roasted by the large ball of fire that was going to come out of this man's mouth.

After managing to find the coffee room on the eighth floor of the building the radio station laid claim to, Braun checked on the hive file he had started rebuilding only hours before. Already knowing the answer, but not wanting to share the news with the station manager just yet, Braun knew it was going to take the better part of the day, if not all of that day and night, before that hive file would be rebuilt.

It was now 7am. Braun called Bill, who had also spent the night on the floor of his office over at Universal Studios, hoping there would be some glimmer of hope that the hive file over there, started earlier on the previous day, might be finished. In a scruffy voice that reminded Braun that he too had just been woken up, Bill said that it was still in the process of rebuilding when he had gone to his office at 6:30am.

After informing the radio station manager that the mail server would not be working until the next day, and having left instructions for the network engineer on document recovery, Braun made his way into downtown Los Angeles on a Saturday morning, expecting light traffic along the way, only to discover that the army of off-site tape storage companies was still in overdrive attempting to drop off backup tapes to the thousands of offices in the multitude of 30-to-50-story buildings that lined the skyline.

As with Universal and the radio station, the lawyer's office had suffered the same fate. A worm had infected all of their servers and, again, an email hive file had to be recovered and rebuilt.

During this process, Bill from Universal called to inform Braun that the hive file being rebuilt was now done and the executives were chomping at the bit to get the mail server up and running again. Bill also informed Braun that one of the vice president's assistants couldn't sleep on Thursday night. When she checked her email, there was an email from her boyfriend with the subject line "I Love You" containing a text file named the same.

For the first time in all of this apocalyptic frenzy, it was now making sense. The attachment was a worm that had quickly and silently infected a home computer and was now running rampant among millions of servers and desktops.

Braun informed his lawyer client that he had to go back to Universal. Much to the dismay of the lawyer, who after waiting a day for Braun to show up talked of finding another contractor, Braun left. The answer that Braun so desperately needed had been found, and he needed to get to it before it disappeared. Every answer he needed was in that worm file; while he suspected he would see that file again several more times before all of this was over, he needed to dissect it to find out what made it tick, in hopes of keeping this worm from reappearing and damaging all that had been done to recover.

After arriving back at Universal Studios, what Braun discovered was the "I Love You" virus. The I Love You virus, sometimes referred to as Love Bug or Love pak, was a computer worm that attacked tens of millions of Windows personal computers on that fateful day in May.

Starting on May 5, 2000 in the Philippines, it spread as an email message with the subject line "ILOVEYOU" and the attachment "LOVE-LETTER-FOR-YOU.txt.vbs". The latter file extension, 'vbs', denotes an interpreted script file and was most often hidden by default on Windows computers of the time, because it is an extension for a file type known to Windows, leading unwitting users to think it was a normal text file.

Opening the attachment activated the Visual Basic script contained in the file. The worm then inflicted damage on the local machine, overwriting files of various types, including Office files, image files and audio files. In the case of MP3 files, however, the virus hid the original file rather than destroying it. It then sent a copy of itself to all addresses in the Windows Address Book used by Microsoft Outlook, which made it spread much faster than any previous email worm.

At the system level, ILOVEYOU relied on the scripting engine system setting (which runs scripting-language files such as .vbs files) being enabled, and took advantage of a Windows feature that hid file extensions by default, which malware authors exploited. Windows would parse file names from right to left, stopping at the first period character, and show only the elements to the left of it.

The attachment, which had two periods, could thus display the inner fake "txt" file extension. Text files are considered innocuous, as they are normally incapable of running executable code. The worm used social engineering to entice users to open the attachment – out of an actual desire to connect or simple curiosity – to ensure continued propagation. Systemic weaknesses in the design of Microsoft Outlook and Microsoft Windows were exploited, allowing malicious code complete access to the operating system, secondary storage, and system and user data simply by an unwitting user clicking on an icon.
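The extension-hiding behaviour just described, and the mail-gateway check a defender would want for it, as an added example (not code from the original article). It reproduces how a name like LOVE-LETTER-FOR-YOU.txt.vbs was displayed with the last extension stripped, flags attachments whose real extension is a script type behind an inner benign-looking one, and runs that check over a constructed look-alike message whose attachment body is an inert placeholder. The extension sets are illustrative assumptions.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the Windows shell / Windows Script Host would execute when
# double-clicked (illustrative list, assumed for this example).
EXECUTABLE_EXTS = {"vbs", "vbe", "js", "jse", "wsh", "wsf", "sct", "hta",
                   "exe", "scr", "pif", "com", "bat", "cmd"}
# Extensions a recipient would reasonably read as a harmless document or media.
BENIGN_EXTS = {"txt", "doc", "jpg", "jpeg", "gif", "mp3", "pdf", "htm", "html"}


def displayed_name(filename: str, hide_known_ext: bool = True) -> str:
    """Reproduce what Explorer and Outlook showed with 'Hide file extensions
    for known file types' enabled: only the last extension is stripped, so an
    inner '.txt' survives and the file looks like a text file."""
    if not hide_known_ext or "." not in filename:
        return filename
    stem, ext = filename.rsplit(".", 1)
    # Only extensions registered with the shell were hidden; both sets above
    # count as 'known' for this illustration.
    if ext.lower() in EXECUTABLE_EXTS | BENIGN_EXTS:
        return stem
    return filename


def classify_attachment(filename: str) -> dict:
    """Gateway-side view of an attachment name: the real (last) extension,
    whether it is executable, and whether an inner benign-looking extension
    precedes it, i.e. the 'LOVE-LETTER-FOR-YOU.txt.vbs' pattern."""
    parts = filename.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    inner_ext = parts[-2] if len(parts) > 2 else ""
    executable = real_ext in EXECUTABLE_EXTS
    return {
        "name": filename,
        "shown_as": displayed_name(filename),
        "real_ext": real_ext,
        "executable": executable,
        "deceptive_double_ext": executable and inner_ext in BENIGN_EXTS,
        "action": "quarantine" if executable else "deliver",
    }


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and classify every attachment by name."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [classify_attachment(part.get_filename() or "")
            for part in msg.iter_attachments()]


def build_sample_message() -> bytes:
    """Constructed look-alike of the message described in the article. The
    attachment body is an inert placeholder comment, not the worm."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "assistant@example.com"
    msg["Subject"] = "ILOVEYOU"
    msg.set_content("Please see the attached letter.")
    msg.add_attachment(b"' inert placeholder, not the worm\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="LOVE-LETTER-FOR-YOU.txt.vbs")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```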

Messages generated in the Philippines began to spread westwards through corporate email systems. Because the worm used mailing lists as its source of targets, the messages often appeared to come from acquaintances and were therefore often regarded as “safe” by their victims, providing further incentive to open them. Only a few users at each site had to access the attachment to generate millions more messages that crippled mail systems and overwrote millions of files on computers in each successive network.

The malware originated in the Pandacan neighborhood of Manila in the Philippines on May 5, 2000, thereafter following daybreak westward across the world as employees began their workday that Friday morning, moving first to Hong Kong, then to Europe, and finally the United States.

The outbreak was later estimated to have caused US$5.5–8.7 billion in damages worldwide, and was estimated to cost US$15 billion to remove. Within ten days, over fifty million infections had been reported, and it is estimated that 10% of internet-connected computers in the world had been affected. The damage cited was mostly the time and effort spent getting rid of the infection and recovering files from backups. To protect themselves, the Pentagon, the CIA, the British Parliament and most large corporations decided to completely shut down their mail systems. The ILOVEYOU virus infected computers all over the world. At the time it was one of the world's most destructive computer-related disasters ever.

The ILOVEYOU script, the attachment, was written in Microsoft Visual Basic Scripting, which ran in Microsoft Outlook and was enabled by default. The script added Windows Registry data for automatic startup on system boot.

The worm then searched connected drives and replaced files with the extensions JPG, JPEG, VBS, VBE, JS, JSE, CSS, WSH, SCT, DOC, HTA, MP2 and MP3 with copies of itself, appending the additional file extension VBS, making the user's computer unbootable. However, MP3s and other sound-related files were hidden rather than overwritten.

The worm propagated itself by sending out one copy of the payload to each entry in the Microsoft Outlook address book. It also downloaded the Barok trojan renamed for the occasion as “WIN-BUGSFIX.EXE”.
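An incident-response triage pass over a recovered drive, written as an added example rather than code from the article. Using the behaviour described above (targeted files replaced by a copy of the worm with .vbs appended, audio files merely hidden), it sorts which originals must come from backup, which still sit beside their .vbs twin, and clusters .vbs files by hash, since a worm writes byte-identical copies. The directory tree is constructed inline with inert placeholder bodies; the extension sets are taken from the text above.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# File types the article says were replaced with copies of the worm
# (original content lost) and the audio types that were only hidden.
OVERWRITTEN = {"jpg", "jpeg", "vbs", "vbe", "js", "jse", "css",
               "wsh", "sct", "doc", "hta"}
HIDDEN_ONLY = {"mp2", "mp3"}


def sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def triage_tree(root, min_cluster: int = 3) -> dict:
    """Walk a recovered drive and sort the damage.

    lost        - originals whose content is gone (name.ext.vbs present,
                  no original next to it): restore from backup.
    recoverable - audio originals still present beside their .vbs twin
                  (the worm only set them hidden): unhide and keep.
    suspect     - sha256 -> paths of .vbs files sharing identical content;
                  clusters of at least min_cluster identical .vbs files are
                  the strongest on-disk indicator of the worm's copies.
    """
    lost, recoverable, clusters = [], [], defaultdict(list)
    for vbs in Path(root).rglob("*.vbs"):
        clusters[sha256(vbs)].append(str(vbs))
        parts = vbs.name.lower().split(".")
        if len(parts) < 3:
            continue  # plain name.vbs: no inner extension to reason about
        inner = parts[-2]
        original = vbs.with_suffix("")  # photo.jpg.vbs -> photo.jpg
        if inner in HIDDEN_ONLY and original.exists():
            recoverable.append(str(original))
        elif inner in OVERWRITTEN or inner in HIDDEN_ONLY:
            lost.append(str(original))
    suspect = {h: p for h, p in clusters.items() if len(p) >= min_cluster}
    return {"lost": sorted(lost), "recoverable": sorted(recoverable),
            "suspect": suspect}


def build_sample_tree() -> str:
    """Constructed stand-in for an infected user directory. The .vbs bodies
    are an inert comment, not worm code; the 'hidden' attribute is not
    modelled, only the file layout."""
    root = tempfile.mkdtemp(prefix="ilu-triage-")
    worm_body = b"' inert placeholder standing in for the worm body\r\n"
    legit_script = b'WScript.Echo "nightly backup job"\r\n'
    files = {
        "photos/holiday.jpg.vbs": worm_body,   # image replaced, .vbs appended
        "contracts/deal.doc.vbs": worm_body,   # Office document replaced
        "music/song.mp3.vbs": worm_body,       # audio: copy added ...
        "music/song.mp3": b"ID3 constructed audio bytes",  # ... original kept
        "notes/todo.txt": b"untouched text file",  # not a targeted type
        "tools/backup.vbs": legit_script,      # legitimate script, own hash
    }
    for rel, body in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return root


if __name__ == "__main__":
    report = triage_tree(build_sample_tree())
    print("restore from backup:", report["lost"])
    print("unhide in place:    ", report["recoverable"])
    for digest, paths in report["suspect"].items():
        print(f"{len(paths)} identical .vbs files, sha256 {digest[:12]}...")
```

On a real image the suspect clusters are what you hash-match against the sample you pulled from the mail hive, and the "lost" list is what goes to the tape-restore queue.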

The fact that the virus was written in VBS gave users a way to modify it. A user could easily modify the virus to replace important files on the system and destroy it. This allowed more than twenty-five variations of ILOVEYOU to spread across the internet, each one doing a different kind of damage.

Most of the variations had to do with what file extensions were affected by the virus. Others simply modified the email subject in order to make it targeted towards a specific audience, like variant “Cartolina” in Italian, or variant “BabyPic” for adults. Some others only modified the credits to the author, which were originally included in the standard version of the virus, removing them completely or referencing false authors.

On May 5, 2000, two young Filipino programmers named Reonel Ramones and Onel de Guzman became targets of a criminal investigation by agents of the Philippines’ National Bureau of Investigation. Local Internet service provider Sky Internet had reported receiving numerous complaints from European computer users alleging that malware in the form of the “ILOVEYOU” worm had been sent via the ISP’s servers.

After surveillance and investigation by Darwin Bawasanta of Sky Internet, the NBI traced a frequently appearing telephone number to Ramones' apartment in Manila. His residence was searched, and Ramones was arrested and placed under investigation by the Department of Justice. Onel de Guzman was also charged in absentia.

At that point, the NBI were unsure what felony or crime would apply. It was suggested they be charged with violating Republic Act 8484 (the Access Device Regulation Act), a law designed mainly to penalize credit card fraud, since both used prepaid, if not stolen, internet cards to purchase access to ISPs. Another idea was that they be charged with malicious mischief, a felony (under the Philippines Revised Penal Code of 1932) involving damage to property.

The drawback here was that one of its elements, aside from damage to property, was intent to damage, and de Guzman had claimed during custodial investigations that he may have unwittingly released the worm.

To show intent, the NBI investigated AMA Computer College, where de Guzman had dropped out at the very end of his final year. They found that, for his undergraduate thesis, de Guzman had proposed the implementation of a trojan to steal Internet login passwords. This way, he proposed, users would finally be able to afford an internet connection. The proposal was rejected by the College of Computer Studies board, prompting de Guzman to cancel his studies the day before graduation.

Since there were no laws in the Philippines against writing malware at the time, both Ramones and de Guzman were released with all charges dropped by state prosecutors. To address this legislative deficiency, the Philippine Congress enacted Republic Act No. 8792, otherwise known as the E-Commerce Law, in July 2000, just two months after the worm outbreak. As of 2012, the ILOVEYOU virus was regarded as the tenth-most virulent computer virus.

The events inspired the song “E-mail” on the Pet Shop Boys’ UK top-ten album of 2002, Release, the lyrics of which play thematically on the human desires which enabled the mass destruction of this computer infection.

Shared vs VPS Hosting



When smartphones took over in the early 2000s, data usage and cellphone bills went through the roof for many families — mine included. My family’s shared data plan wasn’t perfect — some months, someone would rack up data usage and leave the rest of us strapped — but it allowed each person to pay a lot less per month than if we each had an unlimited data plan.

In many ways, shared hosting is similar to a family data plan: Responsibility is shared among users, and you’ll be in trouble if you exceed your allotted portion of resources. VPS hosting, however, is more like an individual data plan. While you’ll pay more money to customize it to your needs, you’ll get more resources and control over changing your data setup as you see fit.

Selecting the right hosting service depends on several factors, including resource needs, performance demands, security requirements, cost constraints, server administration preferences, and scalability expectations. Read on for our comparisons.

The Difference Between Shared and VPS Hosting in a Nutshell

Simply put, shared hosting means your site will share the same server as many other sites. It’s usually the cheapest option but comes with limited bandwidth, administration, and performance capabilities. VPS hosting is a more premium option, with the ability for greater customization and increased performance. But, as with any premium service, you’ll have to pay more to get more.

Next, we’ll cover the key points to consider when choosing between shared and VPS hosting.

1. Server Resources

Shared Hosting:

When you share server resources with others, you'll face some limitations. While no single account will impact another's experience, per se, there will be maximum available CPUs, memory/RAM, and disk space. Your website will not be able to use resources beyond the maximum allowed. This may not be a big deal if your website doesn't require a ton of space or processing power.

VPS Hosting:

With VPS hosting, you’ll enjoy greater private disk space and higher overall resource availability. This will be necessary if you want to expand your business and need to offer customers a user experience that goes beyond the basic shared hosting level.

2. Performance

As you might guess, more resources means more performance. Shared hosting is only as performant as the technologies your host has implemented for speed (e.g., SSDs, caching software, a CDN, etc.). Typically, you have more control over the performance factor with a VPS, but let’s go a little more in-depth.

Shared Hosting:

As with any shared plan, other websites could possibly affect your website’s performance – it’s the risk you run by opting for the more economical shared hosting plan. However, if your performance demands are limited and you value ease of maintenance, shared hosting will likely yield a higher return on investment.

VPS Hosting:

It’s no surprise that VPS hosting offers better overall performance based on the bandwidth it offers users. You’ll have more flexibility to configure your applications on the server, but you’ll need to make sure you have a dedicated system administrator to keep the server running smoothly. If you have high traffic demands or multiple sites to manage, VPS will be the better option.

3. Security

While sharing server resources presents huge benefits from a cost point of view, it can wreak havoc on the security end of things. It really depends on how much the hosting provider has invested (both operational/team and purely financial resources) in ensuring dedicated protection for its shared hosting customers.

Shared Hosting:

While shared hosting is considered very safe, be aware that security breaches can occur simply because a common server cannot guarantee 100% security. The main reason for this is what we call the Noisy Neighbor problem — or the fact that when one shared hosting customer makes a mistake or experiences a technical difficulty, it’ll likely impact other sites because you are all sharing space on the same machine.

VPS Hosting:

You can ensure your site’s security with more robust safety features that are only available through VPS hosting. If your budget allows, you can implement better customer support services that will assist patrons when they need it. If your business needs to protect personal data, it’s worth considering the upgrade to a VPS.

4. Pricing

Pricing for web hosting is a funny thing. You can easily find yourself paying an arm and a leg (upward of $18 per month) on shared hosting and absolutely hate the piss-poor service, or you could spin up a VPS instance for as little as five bucks and never look back. Those are extreme scenarios, of course, but hopefully, you catch my drift.

Shared Hosting:

With shared hosting, you defray the expenses associated with running and maintaining a server because you’re sharing server space with thousands of other websites. From a pure price point, shared hosting is the most economical choice and is a great option for those looking to host a site with standard functionality.

VPS Hosting:

As with any paid service, a more expensive plan offers more premium features, and the same rings true for VPS hosting. If you want to improve your website’s performance, or if you need to increase your business’s online services, VPS hosting will give you better customization and performance options than shared hosting.

5. Server Administration

Long story short, shared hosts handle the hardware for you. You’re responsible for managing your VPS — unless you choose a host that handles server monitoring, bug fixes, and security patches for you (i.e., managed hosting services).

Shared Hosting:

If you choose to host your website on a shared server, there is little to no technical maintenance of the server required on your end. That means you can enjoy basic server administration for your website at no additional cost to your budget or your precious time. For many, this is a huge plus as no dedicated system administrator is needed.

VPS Hosting:

VPS-hosted websites are often more complex in terms of resource management and therefore will usually require a dedicated system administrator to focus on maintaining the server. The trade-off is that you'll be able to customize your site and configure whatever applications and software you want while increasing performance and security.

6. Scalability

The scalability factor is the tipping point of the shared-vs-virtual server debate. If your site sees, or is expected to see, roughly 30,000 monthly visitors, a shared host can accommodate you and your site's hosting needs. Much more than that and you might start receiving internal errors from your host. You'll then need to consider a VPS or dedicated plan, and a VPS can handle any amount of traffic.

Shared Hosting:

While shared hosting is a great option for the short term, you might face scalability issues in the long run depending on how your website grows. If you find you’re maxing out your storage, or if user demand is exceeding the resources allotted to you on the shared server, you may need to consider scaling up to get better performance.

VPS Hosting:

The customizable features of VPS hosting allow you to scale more quickly and easily. If you predict you’ll eventually need to scale up on the fly to meet demand, the investment in VPS hosting now may pay off in the future.

DNS Security

Reading Time: 8 minutes


Different types of DNS attacks

Ever since its creation, DNS has been one of the most critical internet services in existence. It is the component that turns the names people type into the addresses computers actually connect to. Web sites, email services, chat services and social networks all rely on DNS working 24 hours a day, 7 days a week, resolving hostnames into IP addresses.

Yes, DNS is that important. And at the same time, it is one of the most overlooked parts when an organization hardens its infrastructure. That is where DNS-based attacks come in: because many organizations don’t treat DNS as a critical attack vector, it is often found without proper protections, outdated, or completely vulnerable.

Today we’re going to talk about the most popular types of DNS attacks that can affect your company.

Domain Hijacking

This type of attack can involve changes in your DNS servers and domain registrar that can direct your traffic away from the original servers to new destinations.

Domain hijacking is usually achieved by exploiting a weakness in the domain registrar’s system or in the security of your registrar account, but it can also be achieved at the DNS level when attackers take control of the records served by your DNS provider.

Once attackers have hijacked your domain name, it will probably be used for malicious activity such as setting up a fake page for a payment system like PayPal or Visa, or for a bank. They create an identical copy of the real website that records critical personal information such as email addresses, usernames and passwords.

DNS Flood Attack

This is one of the most basic types of DNS attack: a volumetric denial of service in which the attacker floods your DNS servers with queries.

The main goal of a DNS flood is simply to overload the server so it can no longer answer DNS requests. Because an authoritative server hosts all of your zones, resolution of every record in every hosted zone is affected at once.

When the flood comes from a single source IP it is easily mitigated by filtering that address. It becomes much harder when the attack is a distributed denial of service (DDoS) launched from hundreds or thousands of hosts.

While many of the requests will be detected as malicious immediately, the attacker mixes in a large number of legitimate-looking requests to confuse the defenses, which makes the mitigation system’s job harder.

Distributed Reflection Denial of Service (DRDoS)

When it comes to DDoS, the rules change. As noted above, the source of the attack is spread across a large number of hosts. The ultimate goal of any DDoS is to overwhelm your network with a large number of packets or a large number of bandwidth-consuming requests, either to saturate your network capacity or to exhaust your hardware resources.

What’s the difference between DDoS and DRDoS?

While a simple DDoS is the act of making any target unavailable by denying their online services with flood requests, the DRDoS is a little bit different, and often more effective.

In a DRDoS attack the attacker does not send traffic to the victim directly. Instead it sends DNS queries to third-party servers (typically open recursive resolvers) with the source address spoofed to the victim’s address, so every one of those reflectors sends its reply to the victim. Because a small DNS query can elicit a much larger response (an ANY query or a DNSSEC-signed response, for example), the reflectors also amplify the traffic.

The spoofed queries are usually generated by a botnet of compromised systems, and the open resolvers and other reflectors provide the amplification. Botnet-driven DDoS can reach enormous scale, as the 2016 attack on KrebsOnSecurity showed, although that particular flood came mostly directly from the Mirai botnet rather than through reflection.
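The standard defense on the authoritative side is response rate limiting (RRL): a server that notices it is sending the same answer to the same network far too often stops amplifying and instead drops most of the excess, occasionally returning a tiny truncated reply so a genuine client can fall back to TCP. The block below is an added illustration of that idea in Python, modelled on how RRL works in authoritative servers but not taken from any server’s code; the rates, the /24 grouping and the 192.0.2.0/24 "victim" addresses are assumptions for the demo.

```python
import time
from collections import defaultdict

# Added example: a simplified response-rate-limiter in the style of the RRL
# feature of authoritative servers (modelled on the idea, not any server's
# code). Responses are bucketed by (client /24, query name, rcode). A bucket
# refills at `responses_per_second` and holds at most `burst` tokens. When a
# bucket is empty, every `slip`-th excess response is answered with a tiny
# truncated (TC=1) reply so a genuine client retries over TCP, and the rest
# are silently dropped. A spoofed victim never retries, so the reflected
# volume collapses to a trickle of small packets.


class ResponseRateLimiter:
    SEND, SLIP, DROP = "send", "slip", "drop"

    def __init__(self, responses_per_second=5, burst=10, slip=2,
                 clock=time.monotonic):
        self.rate = responses_per_second
        self.burst = burst
        self.slip = slip
        self.clock = clock          # injectable for deterministic testing
        self.buckets = {}           # key -> (tokens, time_of_last_refill)
        self.excess = defaultdict(int)

    @staticmethod
    def bucket_key(client_ip, qname, rcode):
        # Reflection floods spoof many addresses inside one network, so group
        # clients by /24 rather than by individual address (assumed IPv4).
        net = ".".join(client_ip.split(".")[:3]) + ".0/24"
        return (net, qname.lower().rstrip("."), rcode)

    def decide(self, client_ip, qname, rcode):
        key = self.bucket_key(client_ip, qname, rcode)
        now = self.clock()
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[key] = (tokens - 1.0, now)
            return self.SEND
        self.buckets[key] = (tokens, now)
        self.excess[key] += 1
        if self.slip and self.excess[key] % self.slip == 0:
            return self.SLIP
        return self.DROP


def simulate_reflection_burst(queries=30, slip=2):
    """Replay a burst of identical queries with spoofed sources in
    192.0.2.0/24 (constructed traffic) and count what the limiter does."""
    clock = [0.0]
    rrl = ResponseRateLimiter(responses_per_second=5, burst=10, slip=slip,
                              clock=lambda: clock[0])
    counts = {rrl.SEND: 0, rrl.SLIP: 0, rrl.DROP: 0}
    for i in range(queries):
        counts[rrl.decide(f"192.0.2.{i % 256}", "example.com.", "NOERROR")] += 1
    # one second later the bucket has refilled `responses_per_second` tokens
    clock[0] += 1.0
    refilled = sum(1 for _ in range(10)
                   if rrl.decide("192.0.2.77", "example.com.", "NOERROR") == rrl.SEND)
    return counts, refilled


if __name__ == "__main__":
    print(simulate_reflection_burst())
```

With a burst of 10 and a rate of 5 per second, 30 identical spoofed queries produce 10 full answers, 10 small truncated replies and 10 drops, and a second later only 5 more full answers are released. Real deployments also need ingress filtering (BCP 38) at the network edge so spoofed packets never leave the botnet’s networks in the first place.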

Cache Poisoning

DNS cache poisoning, also known as DNS spoofing, is one of the most common DNS attacks that happen every day.

The trick in this kind of attack is easy to understand. By exploiting weaknesses in the resolver, for example predictable transaction IDs or source ports that let a forged reply be accepted before the real one arrives, attackers inject malicious records into a DNS resolver’s cache. The poisoned entry then redirects every client of that resolver to a server the attacker controls.

Once the cache poisoning attack is live and working, attackers will receive all the legitimate traffic in their own servers, that are often used to show phishing-based pages to steal personal information from visitors.

How does it work?

A recursive resolver sends a query upstream and accepts the first reply whose transaction ID, destination port and question section match the outstanding query. If an attacker can make the resolver issue a query and then race the legitimate answer with a forged reply that guesses those values, the forged records are cached and every client that uses that resolver is sent to the attacker’s site until the entry expires. On an end user’s machine the same effect is achieved more crudely: a phishing email or malicious link compromises the host, and the malware modifies the local DNS cache so that selected names lead to malicious websites, where personal information is stolen or spyware, adware or viruses are delivered.
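What keeps a forged reply out of the cache is the set of checks a resolver performs before believing a response. The following is an added example, not code from the original article or from any real resolver, that models those checks in Python: a random 16-bit transaction ID and a random source port per query, 0x20 case randomization of the question name, and the bailiwick rule that refuses records for names outside the zone the queried server is authoritative for. The server address 192.0.2.53, the names and the fixed random seed are assumptions for the demo.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    name: str    # exact characters as sent, including randomised letter case
    qtype: str


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    rdata: str
    section: str   # "answer", "authority" or "additional"


@dataclass
class Response:
    txid: int
    src_ip: str
    src_port: int
    dst_port: int
    question: Question
    records: list


@dataclass
class PendingQuery:
    txid: int
    src_port: int    # randomised UDP source port the query left from
    server_ip: str   # upstream server we asked
    question: Question
    bailiwick: str   # zone that server is authoritative for


def randomise_case(name, rng):
    # "0x20 encoding": authoritative servers copy the question back verbatim,
    # so a forger must also guess which letters were upper-cased.
    return "".join(c.upper() if c.isalpha() and rng.random() < 0.5 else c
                   for c in name.lower())


def new_query(name, qtype, server_ip, bailiwick, rng=None):
    rng = rng or random.SystemRandom()
    return PendingQuery(txid=rng.randrange(1 << 16),
                        src_port=rng.randrange(1024, 1 << 16),
                        server_ip=server_ip,
                        question=Question(randomise_case(name, rng), qtype),
                        bailiwick=bailiwick)


def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate(pending, resp):
    """Return ("accepted", cacheable_records) or ("rejected", reason)."""
    if (resp.src_ip, resp.src_port) != (pending.server_ip, 53):
        return "rejected", "reply not from the server we asked"
    if resp.dst_port != pending.src_port:
        return "rejected", "destination port does not match our source port"
    if resp.txid != pending.txid:
        return "rejected", "transaction id mismatch"
    if resp.question != pending.question:
        return "rejected", "question section mismatch (including 0x20 case)"
    # Bailiwick rule: cache only records the queried server may speak for.
    # This stops a reply about www.example.com from planting an A record for
    # some bank's login host in the additional section.
    kept = [r for r in resp.records if in_bailiwick(r.name, pending.bailiwick)]
    return "accepted", kept


def demo():
    rng = random.Random(7)   # fixed seed so the walk-through is reproducible
    q = new_query("www.example.com.", "A", "192.0.2.53", "example.com.", rng)
    # Constructed forged reply: the attacker guessed txid, port and case,
    # but smuggles an out-of-zone record in the additional section.
    forged = Response(q.txid, "192.0.2.53", 53, q.src_port, q.question, [
        Record("www.example.com.", "A", "203.0.113.9", "answer"),
        Record("login.bank.example.", "A", "203.0.113.9", "additional"),
    ])
    status, kept = validate(q, forged)
    # A reply with the wrong transaction id never gets this far.
    wrong_id = Response((q.txid + 1) % (1 << 16), "192.0.2.53", 53,
                        q.src_port, q.question, forged.records)
    return status, [r.name for r in kept], validate(q, wrong_id)[0]


if __name__ == "__main__":
    print(demo())
```

Each independent random value multiplies the number of guesses a forger needs: roughly 65,536 transaction IDs times tens of thousands of source ports times 2 to the number of letters in the name. Even when a guess lands, the bailiwick check discards the out-of-zone record, so only the in-zone answer is cached. DNSSEC validation removes the guessing game entirely, because a forged record without a valid signature is rejected regardless of how it arrived.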

DNS Tunneling

This is a technique that encodes data from other protocols or applications inside DNS queries and responses.

DNS tunneling was not originally created to attack hosts but to bypass network controls, because DNS is almost always allowed out of a network. Nowadays it is mostly used as a covert command-and-control and data exfiltration channel from compromised hosts.

In order to perform DNS tunneling, attackers need a foothold on a compromised system, a domain name they control, and an authoritative DNS server for that domain. The compromised system’s normal internal resolver does the rest, forwarding the queries to the attacker’s server.

How does it work?

  • The tunnel client on the compromised host sends a query for a name under the attacker’s domain, with the outbound data encoded in the subdomain labels (for example, base32 chunks split into labels of at most 63 characters).

  • The internal resolver cannot answer the name from its cache, so it forwards the query to the attacker’s authoritative server, which decodes the data and returns the inbound data encoded in the response (typically in TXT, CNAME or NULL records).

  • Repeating this exchange gives the attacker a slow but reliable two-way channel for remote control or data exfiltration that passes straight through firewalls that allow DNS.
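To make the outbound half of that channel concrete, here is an added example in Python (not code from the article and not from any real tunneling tool such as iodine or dnscat2) that encodes a payload into query names under a tunnel domain, respecting the 63-octet label and 253-character name limits, and reassembles it on the server side from the names it saw in any order. The domain t.example.net, the session label and the sequence-number scheme are assumptions for the demo; real tools add acknowledgements and retransmission on top.

```python
import base64

MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # longest presentation-form name that fits the 255-octet wire limit


def encode_upstream(data: bytes, tunnel_domain: str, session: str = "s1"):
    """Split `data` into DNS query names under `tunnel_domain`.

    Each name is <payload labels>.<session>.<seq>.<tunnel_domain>. base32 is
    used because DNS names are case-insensitive and resolvers may lower-case
    them, which would corrupt base64."""
    text = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    overhead = len(f".{session}.000000.{tunnel_domain}")
    labels_per_name = (MAX_NAME - overhead) // (MAX_LABEL + 1)
    per_name = labels_per_name * MAX_LABEL
    if per_name <= 0:
        raise ValueError("tunnel domain too long to carry any payload")
    names = []
    for seq, start in enumerate(range(0, len(text), per_name)):
        chunk = text[start:start + per_name]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        names.append(".".join(labels + [session, f"{seq:06d}", tunnel_domain]))
    return names


def decode_upstream(names, tunnel_domain: str):
    """Reassemble the payload from the query names the server saw (any order)."""
    suffix = "." + tunnel_domain.lower().rstrip(".")
    pieces = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            continue   # ordinary query for some other zone, ignore it
        *payload, session, seq = name[:-len(suffix)].split(".")
        pieces[(session, int(seq))] = "".join(payload)
    text = "".join(pieces[k] for k in sorted(pieces))
    text += "=" * (-len(text) % 8)   # restore the base32 padding we stripped
    return base64.b32decode(text, casefold=True)


def demo():
    # Constructed payload standing in for exfiltrated data (all byte values).
    secret = b"user=alice;token=" + bytes(range(256))
    domain = "t.example.net"
    names = encode_upstream(secret, domain)
    longest_label = max(len(l) for n in names for l in n.split("."))
    longest_name = max(len(n) for n in names)
    recovered = decode_upstream(reversed(names), domain)   # arrival order varies
    return len(names), longest_label, longest_name, recovered == secret


if __name__ == "__main__":
    print(demo())
```

The 273-byte payload needs three queries, none longer than 215 characters and no label longer than 63, and the server recovers it even when the queries arrive reversed. The same properties are what defenders key on: many unique, long, high-entropy subdomains under one zone, a query-to-response size pattern that doesn’t match normal lookups, and a high rate of TXT or NULL queries.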

DNS Hijacking

DNS spoofing is often confused with DNS hijacking, since both end with the victim’s lookups pointing at the attacker’s server, but they are two different types of DNS attack.

Most of the time, DNS spoofing or cache poisoning just involves overwriting your local DNS cache values with fake ones so you can be redirected to a malicious website.

On the other hand, DNS hijacking (also known as DNS redirection) often involves malware infections in order to hijack this important system service. In this case, the malware hosted on the local computer can alter the TCP/IP configurations so they can point to a malicious DNS server, one that will eventually redirect the traffic to a phishing website.

This is one of the easiest ways to perform a DNS attack, as it doesn’t involve complicated techniques. Furthermore, there are a lot of automated scripts used by script kiddies to perform this type of attack.

Random Subdomain Attack

This is not the most frequent type of DNS attack, but it can happen from time to time on certain networks. Random subdomain attacks can often be labeled as DoS attacks, as their nature adheres to the same goal as common DoS.

In this case, attackers send a lot of DNS queries against a valid and existing domain name. However, the queries will not target the main domain name, but a lot of non-existing subdomains. The goal of this attack is to create a DoS that will saturate the authoritative DNS server that hosts the main domain name, and finally, cause the interruption of all DNS record lookups.

It is an attack that is hard to detect and filter, because the queries come from botnets of infected users who don’t even know they are sending them, so the sources are ultimately legitimate computers on legitimate networks.

NXDOMAIN Attack

NXDOMAIN attacks are a form of DDoS in which a huge number of remote DNS clients flood your authoritative servers, or the recursive resolvers in front of them, with queries for names that do not exist. Each query forces a full recursive lookup that can only end in an NXDOMAIN answer.

The main goal of this attack is to make your DNS servers spend time, software and hardware resources on illegitimate requests so that legitimate ones fail, while the resolver’s cache fills up with NXDOMAIN results and evicts the records that real users need.
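Random subdomain and NXDOMAIN floods leave a distinctive footprint in resolver query logs, so a practitioner’s first tool is a detector over those logs. The block below is an added Python example, not from the article, that runs over a constructed log excerpt (the format, hosts, client addresses and the victim.example zone are all invented for the demo) and flags zones where almost every query is for a different subdomain, almost every answer is NXDOMAIN, and the leftmost labels look random. It uses a naive "last two labels" notion of zone; production code should use the public suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query-log excerpt (not real traffic):
# "<time> <client> <qname> <qtype> <rcode>"
SAMPLE_LOG = """\
12:00:01 10.0.0.5 www.example.com A NOERROR
12:00:01 10.0.0.7 mail.example.com MX NOERROR
12:00:02 10.0.0.5 www.example.com AAAA NOERROR
12:00:02 10.0.0.8 api.example.com A NOERROR
12:00:03 10.0.0.9 www.example.com A NOERROR
12:00:03 10.0.0.7 mail.example.com A NOERROR
12:00:03 10.0.0.21 x7k2qp9d.victim.example A NXDOMAIN
12:00:03 10.0.0.22 a3f9zm1c.victim.example A NXDOMAIN
12:00:03 10.0.0.23 q8w1er5t.victim.example A NXDOMAIN
12:00:04 10.0.0.24 zj4h7n2b.victim.example A NXDOMAIN
12:00:04 10.0.0.25 p0o9i8u7.victim.example A NXDOMAIN
12:00:04 10.0.0.26 m5n6b7v8.victim.example A NXDOMAIN
12:00:04 10.0.0.27 l2k3j4h5.victim.example A NXDOMAIN
12:00:05 10.0.0.28 g6f7d8s9.victim.example A NXDOMAIN
"""


def shannon_entropy(s):
    """Bits per character; random 8-char labels score near 3, 'www' near 0."""
    n = len(s)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_log(text):
    for line in text.splitlines():
        if line.strip():
            t, client, qname, qtype, rcode = line.split()
            yield t, client, qname.lower().rstrip("."), qtype, rcode


def zone_of(qname, depth=2):
    # Naive: treat the last two labels as the zone under attack. Use the
    # public suffix list in production so co.uk-style names group correctly.
    return ".".join(qname.split(".")[-depth:])


def detect_random_subdomain_floods(log_text, min_queries=5, nx_ratio=0.8,
                                   unique_ratio=0.9):
    """Return {zone: evidence} for zones that look like random-subdomain targets."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "subdomains": set(),
                                 "clients": set(), "entropies": []})
    for _, client, qname, _, rcode in parse_log(log_text):
        zone = zone_of(qname)
        s = stats[zone]
        s["total"] += 1
        s["clients"].add(client)
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        if qname != zone:
            sub = qname[:-len(zone) - 1]
            s["subdomains"].add(sub)
            s["entropies"].append(shannon_entropy(sub.split(".")[0]))
    alerts = {}
    for zone, s in stats.items():
        if s["total"] < min_queries:
            continue
        nx = s["nxdomain"] / s["total"]
        uniq = len(s["subdomains"]) / s["total"]
        if nx >= nx_ratio and uniq >= unique_ratio:
            alerts[zone] = {
                "queries": s["total"],
                "nxdomain_ratio": round(nx, 2),
                "unique_subdomain_ratio": round(uniq, 2),
                "distinct_clients": len(s["clients"]),
                "mean_label_entropy": round(sum(s["entropies"]) / len(s["entropies"]), 2),
            }
    return alerts


if __name__ == "__main__":
    print(detect_random_subdomain_floods(SAMPLE_LOG))
```

On the sample, example.com is quiet (repeated names, all NOERROR) while victim.example is flagged with eight distinct sources, a 100% NXDOMAIN rate and mean label entropy of 3 bits per character. The distinct-client count is the important field: a high number of sources for the same zone is what separates a botnet flood from a single misbehaving host, and it is the reason per-client rate limiting alone does not stop this attack.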

Phantom Domain Attack

Phantom domain attacks are kind of similar to random subdomain attacks.

In this kind of attack, the attacker sets up “phantom” domains whose authoritative servers are configured to never answer, or to answer very slowly, and then makes your DNS resolver look them up. The resolver dutifully sends queries that will never be answered and holds the state for each one until it times out.

The goal is to keep the resolver waiting on those answers for as long as possible, tying up its outstanding-query slots and memory, until it fails outright or its performance for legitimate lookups degrades.
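Resolvers defend against this by capping how much work they will tie up on any one upstream server and by holding down servers that repeatedly time out. The following is an added Python example, not from the article and not any resolver’s code, that models those two controls: a per-server in-flight limit, and a holddown that makes further lookups through a server fail fast after consecutive timeouts. The server addresses, limits and the 60-second holddown are assumptions for the demo.

```python
import time
from collections import defaultdict


class FetchLimiter:
    """Resolver-side guard against phantom-domain resource exhaustion.

    Simplified model of the per-server fetch limits and server holddown
    found in recursive resolvers (an illustration, not any resolver's code).
    """

    def __init__(self, max_inflight_per_server=3, max_consecutive_timeouts=2,
                 holddown_seconds=60.0, clock=time.monotonic):
        self.max_inflight = max_inflight_per_server
        self.max_timeouts = max_consecutive_timeouts
        self.holddown = holddown_seconds
        self.clock = clock                  # injectable for deterministic tests
        self.inflight = defaultdict(int)    # server -> queries awaiting an answer
        self.timeouts = defaultdict(int)    # server -> consecutive timeouts
        self.held_until = {}                # server -> time the holddown expires

    def try_start(self, server):
        """Decide whether a new upstream query to `server` may be sent."""
        now = self.clock()
        if self.held_until.get(server, 0.0) > now:
            return "servfail-fast"      # known-dead server: fail without waiting
        if self.inflight[server] >= self.max_inflight:
            return "refused-busy"       # cap the work tied up on one server
        self.inflight[server] += 1
        return "started"

    def finish(self, server, outcome):
        """Record how a query ended: "answered" or "timeout"."""
        self.inflight[server] = max(0, self.inflight[server] - 1)
        if outcome == "timeout":
            self.timeouts[server] += 1
            if self.timeouts[server] >= self.max_timeouts:
                self.held_until[server] = self.clock() + self.holddown
        else:
            self.timeouts[server] = 0   # a real answer clears the strike count


def simulate_phantom_domain():
    """Constructed scenario: a burst of lookups for names whose only
    nameserver (203.0.113.66) never replies, beside a healthy server."""
    clock = [0.0]
    lim = FetchLimiter(clock=lambda: clock[0])
    phantom, healthy = "203.0.113.66", "192.0.2.53"
    events = [lim.try_start(phantom) for _ in range(4)]   # 3 started, 4th refused
    for _ in range(3):
        lim.finish(phantom, "timeout")                    # nothing ever comes back
    events.append(lim.try_start(phantom))                 # held down now
    events.append(lim.try_start(healthy))                 # other zones unaffected
    lim.finish(healthy, "answered")
    clock[0] += lim.holddown + 1
    events.append(lim.try_start(phantom))                 # holddown over, probe again
    return events


if __name__ == "__main__":
    print(simulate_phantom_domain())
```

The sequence is three started queries, one refused because the per-server cap is reached, a fast failure once the server has been held down, an unaffected query to the healthy server, and a fresh probe after the holddown expires. Without the cap, each new phantom name would add another outstanding query until the resolver’s slots were exhausted; without the holddown, every one of those queries would wait the full timeout before failing.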

Conclusion

As you see, DNS service is really important for keeping your company websites and online services working day-to-day.

If you don’t conduct a regular DNS audit, remote attackers can see this as an attractive opportunity to perform malicious attacks against your networks. Therefore, it is crucial to keep your DNS servers and traffic always monitored.