How the Seismic DDoS Attack on Dyn Shook the Internet

ddos-attacks-300x300_blue“At this point we know this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses. … The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations.” — Kyle York, Chief Strategy Officer, Dyn

Starting at about 11:10 a.m. UTC (7:10 a.m. EDT) on Friday, Oct. 21, 2016, hackers launched one of the largest distributed denial-of-service (DDoS) attacks against Internet Performance Management company Dyn. The cloud-based Domain Name System (DNS) provider supports many major web properties such as Twitter, Reddit, Spotify, Airbnb, Netflix and Amazon’s web services. When Dyn’s servers and network connections were overwhelmed by the cyberattack, Internet users were unable to access the sites.

To understand the importance of DNS providers, we need to look at a little history. In the days of the ARPANet, which preceded our modern World Wide Web, every computer and router needed to know the location of each connected system on the planet. This rapidly became untenable because the ARPANet’s HOSTS file could not be maintained in a timely manner and ultimately became too large to fit within the memory of the routers. In developing the “information superhighway,” you didn’t need to know the address or location of a service—merely whom to ask; DNS took care of that for you. Every service on the Internet—from PayPal to Yelp—uses DNS servers to translate a domain name, such as www.twitter.com, to its numeric Internet Protocol (IP) address on the electronic planet. By asking a DNS for the Internet address, you receive an easy-to-use and easy-to-remember domain name instead of complex numbers that can change.

Many companies outsource their DNS management to organizations that specialize in this technology. When Dyn was targeted by a DDoS attack, the Internet lookup requests failed and services such as Twitter became unavailable.

Dyn still hasn’t disclosed the size of the attack or how much data volume it consumed. On their blog, Dyn reports an unconfirmed attack rate of 1.2 gigabits per second. But we do know of two other incidents that may be related. Cybersecurity reporter Brian Krebs’ website was targeted on Sept. 20 at the rate of 620 Gbps—a short-lived record. Around the same time, Internet hosting provider OVH was attacked at the rate of 1 terabit per second. The attack against Mr. Krebs and Dyn may be in retaliation for reporting and presentations about DDoS attacks, including those by one of Dyn’s researchers, Doug Madory.

Historically, these attacks have used massive networks of infected computers enlisted into a Botnet through malicious software surreptitiously loaded onto victims’ computers. Unwitting consumers and business systems are hijacked when users open a compromised website or a mal-crafted email attachment.

The series of Dyn attacks, however, are different. The Botnet software Mirai used latent security vulnerabilities in Internet-connected home devices.

Smart technology such as Internet-connected lightbulbs, thermostats, DVRs and home surveillance cameras contain their own embedded computers and operating systems. Once enabled and configured, they connect through home routers to the Internet; from there people can watch what’s happening in their houses, change the temperature in a room, or even pick the hue of a lightbulb. Vendors who make these products have accompanying smartphone apps, so your home devices are always accessible—and that’s potentially desirable if someone wants to watch a program on their home DVR from their Apple iOS or Google Android phone or tablet.

Called the Internet of Things (IoT), many people view these smart devices as incredible conveniences. Research firm Gartner estimates that 6.4 billion IoT units will be in use worldwide in 2016.

The manufacturers who make IoT devices created their products with common security vulnerabilities and exploitable services available to the Internet. The IoT devices hijacked by Mirai had unsecured command-line user interfaces exposed to the Internet through networking protocols such as Telnet and Secure Shell (SSH). Worse, these IoT devices had hard-wired, well-known default passwords that could not be changed.

Mirai turned these IoT webcams and DVRs into Internet weapons used to launch DDoS attacks against Mr. Krebs and Dyn, all because of often non-existent security.

Businesses and governments across the Internet need to prepare to protect themselves from similar attacks. The two main mechanisms that a business can apply are redundancy and the use of anti-DDoS services. Using several Internet Service Providers can prevent a bottleneck when a connection is overloaded, while having multiple DNS servers on different networks across the planet is crucial to ensure one attack doesn’t cripple the entire infrastructure. Commercial products from ISPs and anti-DDoS companies also help mitigate the damage through additional services such as spreading connection points across the Internet (known as load-balancing) and suppressing malicious traffic in the network before it reaches the victim organization.

In these DDoS scenarios, attackers infected unwitting victims’ computers and IoT devices. Maintaining current antivirus software and keeping up with software vendors’ patches are key. For IoT devices, it’s vital that strong passwords and the latest firmware are being used.

With the DDoS attack against Dyn and the effect it had on some of the world’s most popular websites, it’s clear that no domain is entirely safe. Hackers, DDoS attacks, malware—there are any number of threats that every company should safeguard against. The lesson learned is that vigilance is the key.

Related Courses
Cybersecurity Foundations
Certified Network Defender (CND)
Certified Ethical Hacker v9

In this article

Join the Conversation