AUTHOR: LILY HAY NEWMAN.LILY HAY NEWMAN SECURITY
DATE OF PUBLICATION: 10.21.16.10.21.16
TIME OF PUBLICATION: 1:04 PM.1:04 PM
FRIDAY MORNING IS prime time for some casual news reading, tweeting, and general Internet browsing, but you may have had some trouble accessing your usual sites and services this morning and throughout the day, from Spotify and Reddit to the New York Times and even good ol’ WIRED.com. For that, you can thank a distributed denial of service attack (DDoS) that took down a big chunk of the Internet for most of the Eastern seaboard.
This morning’s attack started around 7 am ET and was aimed at Dyn, an Internet infrastructure company headquartered in New Hampshire. That first bout was resolved after about two hours; a second attack began just before noon. Dyn reported a third wave of attacks a little after 4pm ET, and called the overall situation a “very sophisticated and complex attack” stemming from tens of millions of IP addresses. In all cases, traffic to Dyn’s Internet directory servers throughout the US—primarily on the East Coast but later on the opposite end of the country as well—was stopped by a flood of malicious requests disrupting the system. Still ongoing, the situation is a definite reminder of the fragility of the web, and the power of the forces that aim to disrupt it.
Ripping Up the Telephone Book
Dyn offers Domain Name System (DNS) services, essentially acting as an address book for the Internet. DNS is a system that resolves the web addresses we see every day, like https://www.WIRED.com, into the IP addresses needed to find and connect with the right servers so browsers can deliver requested content, like the story you’re reading right now. A DDoS attack overwhelms a DNS server with lookup requests, rendering it incapable of completing any. That’s what makes attacking DNS so effective; rather than targeting individual sites, an attacker can take out the entire Internet for any end user whose DNS requests route through a given server.
MORE DDOS NEWS
Hacker Lexicon: What Are DoS and DDoS Attacks?
Internet of Things The New Attack Method for DDoS
GoDaddy Goes Down After Apparent DNS Server Outage
DDoS is a particularly effective type of attack on DNS services because in addition to overwhelming servers with malicious traffic, those same servers also have to deal with automatic re-requests, and even just well-meaning users hitting refresh over and over to summon up an uncooperative page. “DNS registrars typically provide authoritative DNS services for thousands or tens of thousands of domain names, and so if there is a service-impacting event the collateral damage footprint can be very large,” says Roland Dobbins, a principal engineer at Arbor Networks, a security firm that specializes in DDoS attacks.
That these are DDoS attacks is about the extent of the confirmed information available. “Dyn received a global DDoS attack on our Managed DNS infrastructure in the east coast of the United States,” said Dyn executive vice president of products Scott Hilton in a statement during the first outage. “We have been aggressively mitigating the DDoS attack against our infrastructure.”
As Dyn absorbs more and more attacks the scale of the situation is starting to become clear. “There’s nothing really new about [this type of DDoS attack]. We’ve seen them for at least the last three years, they tend to be difficult to stop. But Dyn would see them on a regular basis, we see them on a regular basis. The fact that this is causing Dyn so many problems is pretty good evidence that this is an extremely large attack,” says Matthew Prince, the CEO of the Internet infrastructure company Cloudflare. “There just aren’t that many big DNS providers, so even though there’s no attack pointed to [Cloudflare] we’re seeing a pretty big uptick in errors on our network. It’s causing significant problems across the Internet.”
Access to dozens of sites and services has been disrupted by the attack. Users in some regions like Asia seemed to experience fewer problems than those in the US. Though the topology of the Internet does not directly correspond to physical geography, it does approximate it to a degree, says Dobbins. Since Dyn says the impact was on its East Coast servers, this probably created the localized effect.
“This attack highlights how critical DNS is to maintaining a stable and secure internet presence, and that the DDOS mitigation processes businesses have in place are just as relevant to their DNS service as it is to the web servers and data centers,” Richard Meeus, a vice president of technology at the enterprise security firm NSFOCUS, writes in an email.
What the Botnet
All of which still leaves plenty of open questions, like where the DDoS attack against Dyn originated, and how big it was. Initial reports indicate that the attack was part of a genre of DDoS that infects Internet of Things devices (like webcams, DVRs, routers, etc.) all over the world with malware, and conscripts them into botnet armies to then coordinate, generate, and amplify malicious traffic toward a target. The source code for one of these types of botnets, called Mirai, was recently released to the public, leading to speculation that more Mirai-based DDoS attacks might crop up. Dyn said on Friday evening that the security firms Flashpoint and Akamai detected Mirai bots driving much of the traffic in the attacks. Similarly, Dale Drew, the chief security officer of Internet backbone company Level 3, says that his company sees evidence of their involvement.
There’s also a potential motive to use a Mirai hack against Dyn, or at least a certain irony in it. The company’s principal data analyst, Chris Baker, wroteabout these types of IoT-based attacks just yesterday in a blog post titled “What Is the Impact On Managed DNS Operators?”. It appears he has his answer. And that all DNS services, and their customers, should be on notice.
This post has been updated to include new information about Mirai botnets and to include additional comment from Dyn and Matthew Prince.