Dyn.com DDoS Attack

Published: 2016-10-21. Last Updated: 2016-10-21 16:36:22 UTC
by Johannes Ullrich (Version: 1)

Dyn.com, a popular dynamic DNS provider and provider of commercial managed DNS services, is currently experiencing a massive DDoS attack. As a result, many sites that are using Dyn.com's services are experiencing issues.

Affected are not just home/hobby sites that traditionally use dynamic DNS services, but also large "name brand" sites that use Dyn.com's managed DNS service, for example Twitter, Spotify, Etsy, GitHub and others (domains hosted by Dyn.com often use *.dynect.net name servers).

You can find status updates from Dyn.com here: https://www.dynstatus.com

---
Johannes B. Ullrich, Ph.D.

Comments

I don't have any IOT gadgets to exploit, but clearly lots of people do. Please have one of your experts write a tutorial about how homeowners or small businesses can use their firewall or router to block out-bound, inappropriate, traffic from IOT crap they have on their network. Obviously this needs to evolve to be more effective, but what can we do NOW?
The scale of this is quite astounding; it's even reached mainstream news media as a banner article: http://www.cnbc.com/2016/10/21/major-websites-across-east-coast-knocked-out-in-apparent-ddos-attack.html
That is the price we are paying for the concentration in internet business...
This is the price we are paying for the ongoing concentration among ISPs. Defense from DDoS needs Distributed Internet Service Providers ...
Curious to know Dyn DNS setup. NSLOOKUP lists 7 name servers for Dyn. Are they using Anycast DNS, Geo DNS or other means to protect against attacks?

If a site is well protected, the attacker can still bring it offline by attacking the name servers.
Most company sites have anti-DDoS protection, but how well do they secure their DNS services?
Will we see more attacks via a company's DNS servers?

Something to think about...
Just for the record ...

Some of the affected sites "rely" on DYN, and some "use" DYN ...


CNBC.com nameserver = ns1.p24.dynect.net
CNBC.com nameserver = ns2.p24.dynect.net
CNBC.com nameserver = ns3.p24.dynect.net
CNBC.com nameserver = ns4.p24.dynect.net

Amazon.com nameserver = ns1.p31.dynect.net
Amazon.com nameserver = ns2.p31.dynect.net
Amazon.com nameserver = ns3.p31.dynect.net
Amazon.com nameserver = ns4.p31.dynect.net
Amazon.com nameserver = pdns1.ultradns.net
Amazon.com nameserver = pdns6.ultradns.co.uk

Twitter.com nameserver = ns1.p34.dynect.net
Twitter.com nameserver = ns2.p34.dynect.net
Twitter.com nameserver = ns3.p34.dynect.net
Twitter.com nameserver = ns4.p34.dynect.net

Spotify.com nameserver = ns2.Spotify.com
Spotify.com nameserver = ns3.Spotify.com
Spotify.com nameserver = ns4.Spotify.com
Spotify.com nameserver = ns5.Spotify.com

PayPal.com nameserver = ns1.p57.dynect.net
PayPal.com nameserver = ns2.p57.dynect.net
PayPal.com nameserver = pdns100.ultradns.net
PayPal.com nameserver = pdns100.ultradns.com
PayPal.com nameserver = ppns1.phx.PayPal.com
PayPal.com nameserver = ppns2.phx.PayPal.com

Netflix.com nameserver = ns-81.awsdns-10.com
Netflix.com nameserver = ns-659.awsdns-18.net
Netflix.com nameserver = ns-1372.awsdns-43.org
Netflix.com nameserver = ns-1984.awsdns-56.co.uk

Hmm. SPOTIFY (currently) has no reliance on DYN. Did they migrate away?
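The "rely on" versus "use" distinction in the comment above can be checked mechanically: parse the nslookup-style listing, map each authoritative name server to the operator behind it, and flag domains whose entire NS set sits with one provider. The script below is an added example written for this page, not code from the diary or from Dyn; it uses the nameserver lines quoted above as its constructed input, and the suffix-to-provider table (dynect.net for Dyn, ultradns.* for UltraDNS, the awsdns-NN pattern for Amazon Route 53) is an assumption about which hostnames belong to which operator.

```python
"""Flag domains whose authoritative DNS depends on a single operator.

Added example for this diary page; not the diary's or Dyn's own code.
Input is the 'domain nameserver = host' listing quoted in the comment above.
"""
from collections import defaultdict

# Constructed sample: the nslookup output pasted in the comment above.
SAMPLE_LISTING = """\
CNBC.com nameserver = ns1.p24.dynect.net
CNBC.com nameserver = ns2.p24.dynect.net
CNBC.com nameserver = ns3.p24.dynect.net
CNBC.com nameserver = ns4.p24.dynect.net
Amazon.com nameserver = ns1.p31.dynect.net
Amazon.com nameserver = ns2.p31.dynect.net
Amazon.com nameserver = pdns1.ultradns.net
Amazon.com nameserver = pdns6.ultradns.co.uk
Twitter.com nameserver = ns1.p34.dynect.net
Twitter.com nameserver = ns2.p34.dynect.net
Spotify.com nameserver = ns2.Spotify.com
Spotify.com nameserver = ns3.Spotify.com
PayPal.com nameserver = ns1.p57.dynect.net
PayPal.com nameserver = pdns100.ultradns.net
PayPal.com nameserver = ppns1.phx.PayPal.com
Netflix.com nameserver = ns-81.awsdns-10.com
Netflix.com nameserver = ns-659.awsdns-18.net
"""

# Assumption: hostname suffixes that identify a managed DNS operator.
PROVIDER_SUFFIXES = {
    ".dynect.net": "Dyn",
    ".ultradns.net": "UltraDNS",
    ".ultradns.com": "UltraDNS",
    ".ultradns.co.uk": "UltraDNS",
}


def parse_listing(text):
    """Turn 'domain nameserver = host' lines into {domain: [hosts]} (lower-cased)."""
    ns_by_domain = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if "nameserver" not in line:
            continue
        domain, _, host = line.partition("nameserver")
        host = host.lstrip(" =").strip()
        ns_by_domain[domain.strip().lower()].append(host.lower())
    return dict(ns_by_domain)


def provider_of(host, domain):
    """Classify one NS host: self-hosted, a known operator, Route 53, or unknown."""
    if host == domain or host.endswith("." + domain):
        return "self-hosted"
    for suffix, name in PROVIDER_SUFFIXES.items():
        if host.endswith(suffix):
            return name
    if ".awsdns-" in host:          # assumption: awsdns-NN.* is Amazon Route 53
        return "Route 53"
    return "unknown"


def assess(domain, hosts):
    """Summarise which operators a domain's NS set depends on."""
    providers = sorted({provider_of(h, domain) for h in hosts})
    return {
        "domain": domain,
        "providers": providers,
        # One operator (even self-hosted) means one outage takes the zone down.
        "single_dependency": len(providers) == 1,
    }


def report(text):
    """Assess every domain in a listing; returns {domain: assessment}."""
    return {d: assess(d, hosts) for d, hosts in parse_listing(text).items()}


if __name__ == "__main__":
    for entry in report(SAMPLE_LISTING).values():
        flag = "SINGLE DEPENDENCY" if entry["single_dependency"] else "diversified"
        print(f'{entry["domain"]:<12} {flag:<18} {", ".join(entry["providers"])}')
```

The check is deliberately about operators rather than hostnames: four ns*.p24.dynect.net servers are four hosts but one dependency, which is exactly the failure mode the diary describes. Note that "self-hosted" is also a single dependency in this sense; the point is diversity of operators, not merely avoiding one vendor.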
A number of customers did migrate away, including GitHub. I can't confirm Spotify specifically migrated DNS providers to mitigate, but it stands to reason.
Besides using multiple DNS providers, any other best practices, such as the TTL value?
See the "Briefing" article for a bit more about this. But TTLs are tricky. Long TTLs will limit the damage of a DDoS attack against your DNS service, but they can make it harder to mitigate an attack against your Web or Mail server. It is important to find the right balance. I don't think there is a "one size fits all" solution.
