Home & Office

​Dyn DDoS part 2: The hackers strike back

UPDATED: You may never have heard of Dyn, but you know the sites it supports — and they all appeared offline to many on Friday because of a massive flood attack. The assault was defeated late Friday night, but more such attacks can be expected.
Written by Steven Vaughan-Nichols, Senior Contributing Editor
Bad day on the Internet

A massive DDoS is making October 21 a bad day for many internet users around the world.

(Image: Akamai)

I told you so. I warned you we were on the verge of attacks that could knock the internet off, and now we're seeing the first of them. Dyn, a major Domain Name System (DNS) service provider, is being assaulted by a global Distributed Denial of Service (DDoS) attack. Because Dyn provides DNS services for household-name websites such as AirBnB, GitHub, Spotify, Reddit, and Twitter, these sites have essentially been down for hours.

At this point we don't know a lot about the attacks. We can presume they are massive in scale. How big is that? Try terabit-per-second DDoS levels.

According to Andrew Sullivan, Dyn fellow and chair of the Internet Architecture Board on the Internet Outage announcement mailing list, the attack is being made against "the Dyn managed DNS infrastructure, which is the anycast deployment." This is the service that major companies use to make sure their DNS services work smoothly. Without these services -- think of them as the internet's master phonebook -- you can't easily find websites.

Sullivan wouldn't go into any further details on the attack. He said, "I'm not in a position to disclose details about the attack just now (partly because I'm leaving the people doing the mitigation alone so they can focus on that rather than providing detailed attack reports), but this is a significant attack".

For up-to-date accurate data on how Dyn is doing with fending off the attack, Sullivan recommended the Dyn Status Update page. At this time, 4:10 pm EST, Dyn Managed DNS advanced service monitoring is back up, but the DDoS attack continued unabated: "Our engineers are still investigating and mitigating the attacks on our infrastructure."

Ironically, Dyn's cheaper, personal services are not being attacked. They continue to work as always. This attack was clearly meant to cause the most damage possible to major websites.

It looked earlier today like the Dyn DDoS attack has been surmounted. A second attack, which began at approximately 12:38 pm EST, has been knocking down Dyn's services, and thus its customers' web presence, for hours.

Until the attack is resolved, users will continue to have trouble reaching many popular websites. It's especially worrisome that, rather than a site itself being attacked, the hackers are going after a DNS provider.

Paul Calatayud, CTO of FireMon, an internet firewall and security company, explained, "DDoS is not a new form of attack in of itself, but methods and strategies around DDoS continue to evolve in the form of larger and more orchestrated attacks. What causes me to pause and reflect most in regards to this breaking news is that Dyn DNS is a DNS Software-as-a-Service (SaaS) provider. Its core job is to host and manage DNS services for its clients. The impact and harm has a ripple effect."

What can you do? Steve Grobman, Intel Security CTO, explained to ZDNet, "It's a reminder of one risk of relying on multi-tenant service providers, be they DNS, or a variety of many other managed cloud service providers."

Calatayud added, "Companies need to start planning for these kind of attacks. Begin to plan for situations where cyber-attacks against you may never be directed at you, but rather organizations you come to rely upon. In the case of this attack and DNS, having a secondary DNS service operating at the same time may have mitigated the impact to your organization even when your primary provider goes down."

One way of dealing with such DDoS attacks is the road taken by Netflix. Netflix uses the open-source program Denominator to support managed, mirrored DNS records across AWS Route53, RackSpace CloudDNS, DynECT, and UltraDNS. This way, even when a DDoS knocks out DynECT, or other major DNS provider, Netflix keeps running, albeit at a slower pace.

If you're able to access your favorite sites on Friday afternoon, it's not because the problem has been fixed. It hasn't. What has happened is that the sites have switched over to alternative DNS providers. As of 5:30 pm EST Dyn is still under attack.

By 10 pm EST, Dyn reported "our engineers were again able to mitigate the attack and service was restored." A quick check of the most important sites shows that the attack has been fended off.

This is no reason to relax. While Dyn recovered, the attack took down multiple sites for almost half-a-day. You must plan for the next wave of DDoS attacks aimed at our DNS providers. They will come. You must be ready.

Related Stories:

Editorial standards