SANS ISC: ISC Briefing: Large DDoS Attack Against Dyn - Internet Security | DShield SANS ISC InfoSec Forums
ISC Briefing: Large DDoS Attack Against Dyn

Last Friday, a large DDoS attack against Dyn, a managed DNS provider, caused many popular websites to be unreachable. The outage was discussed on mainstream news outlets. It is likely that you will be asked to brief your boss or your team about this attack. To help you out, we prepared a brief presentation that you may use as part of such a briefing. We publish the slides and a video of the presentation for you to use. You may modify the slides at will (add to or remove from them), but please give us credit if you use any of the material.

If you have any feedback, please let us know. We may update the presentation later this evening based on any suggestions we receive.

Powerpoint Slides: https://isc.sans.edu/presentations/dyndnsattack.pptx

YouTube Video of Presentation: https://youtu.be/AsEzDXjyhG8

I hope you will find this useful. We also had a webcast about a week ago about the Mirai botnet. You can find this webcast here: https://www.sans.org/webcasts/103182

---
Johannes B. Ullrich, Ph.D.

Johannes

3626 Posts
ISC Handler
Johannes, what does "Evaluate your dependency on DNS, specifically for your most critical domains" mean? The wording suggests using something other than DNS for name resolution. Workable for apps on mobile devices if I control the code (i.e. hardcoded IP addresses), but was that your intention? Or did you mean to evaluate and consider using multiple DNS providers?
Kaldek

12 Posts
In some cases, business critical processes may not need DNS (but I admit, most will). Maybe a hosts file can be used as a workaround internally. IP addresses should never be hardcoded into code. That tends to create more problems than it solves. But a hosts file, or the ability to add specific zones to an internal DNS server, may be appropriate to mitigate an external DNS outage.
Johannes

3626 Posts
ISC Handler
Unfortunately hosts files cannot scale for a company of even moderate size. While we were not directly affected, several critical vendors we work with many times a day were down. They had no website, no customer portals, no way to transfer files to them and they had no inbound email. They also had a "phone DDoS" because their account rep voicemail boxes were full as were cell phone voicemail boxes, undoubtedly because almost every customer they had was calling them.

And, of course, we were experiencing higher call volumes because our people could not get to their vendors. It always rolls downhill.
Anonymous
Instead of hosts files, adding respective entries to a recursive name server can scale a bit better. But either way, it will be ugly and often it just will not work. But the high call volume is a good point, and something to consider when you try to figure out the impact of a DNS outage. And VoIP may of course depend on DNS as well (email delivery of voice messages will).
Johannes

3626 Posts
ISC Handler
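Two points in the thread above lend themselves to a worked example: Kaldek's question about how to "evaluate your dependency on DNS" for critical domains, and Johannes's suggestion that entries on an internal recursive resolver scale better than hosts files as a stopgap during an external provider outage. The following script is an added example, not code from the diary, the slides or the commenters. It parses the answer section of `dig +noall +answer NS <domain>` (the sample output below is constructed; the domains vendor-a.example, vendor-b.example and ourcorp.example and their nameservers are made up), reports which domains have every nameserver under a single provider, and emits an Unbound `local-zone`/`local-data` stanza that pins selected records locally while a provider is down. The provider grouping uses the last two labels of each nameserver name, which is an assumption that misclassifies three-label public suffixes such as co.uk; the 203.0.113.10 address is a documentation-range placeholder.

```python
"""Assess single-provider DNS dependency and generate an emergency Unbound override.

Added example for the discussion above; sample data is constructed, not captured
from any real domain.
"""
from collections import defaultdict

# Constructed sample: what `dig +noall +answer NS <domain>` returns for three
# hypothetical domains. Vendor A is entirely on one provider, vendor B is split
# across two, and ourcorp hosts its own nameservers.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.10.3 <<>> +noall +answer NS vendor-a.example
vendor-a.example.	3600	IN	NS	ns1.p10.dynect.net.
vendor-a.example.	3600	IN	NS	ns2.p10.dynect.net.
vendor-a.example.	3600	IN	NS	ns3.p10.dynect.net.
vendor-a.example.	3600	IN	NS	ns4.p10.dynect.net.
vendor-b.example.	3600	IN	NS	ns-1.awsdns-01.org.
vendor-b.example.	3600	IN	NS	ns1.p20.dynect.net.
ourcorp.example.	3600	IN	NS	ns1.ourcorp.example.
ourcorp.example.	3600	IN	NS	ns2.ourcorp.example.
"""


def parse_ns_answers(text):
    """Parse NS records from dig answer-section lines (owner TTL class type rdata).

    Comment lines (starting with ';') and non-NS records are ignored.
    Returns {domain: [nameserver, ...]} with trailing dots stripped, lower-cased.
    """
    ns_by_domain = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN" or fields[3].upper() != "NS":
            continue
        owner = fields[0].rstrip(".").lower()
        ns_by_domain[owner].append(fields[4].rstrip(".").lower())
    return dict(ns_by_domain)


def provider_of(nameserver):
    """Group a nameserver under its registrable parent using the last two labels.

    Assumption: two labels identify the operator (e.g. dynect.net). This is wrong
    for suffixes such as co.uk; use a public-suffix list if that matters to you.
    """
    labels = nameserver.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def assess(ns_by_domain):
    """For each domain, list distinct providers and flag single-provider dependency.

    A domain whose nameservers all share one provider goes dark with that provider,
    which is the failure mode the Dyn outage exposed.
    """
    report = {}
    for domain, servers in ns_by_domain.items():
        providers = sorted({provider_of(s) for s in servers})
        report[domain] = {
            "servers": list(servers),
            "providers": providers,
            "single_provider": len(providers) == 1,
        }
    return report


def unbound_override(zone, records, ttl=300):
    """Emit Unbound config lines that answer the given names locally.

    `transparent` means only names with local-data are answered locally; every
    other name under the zone still resolves upstream, so the override is limited
    to the records you explicitly pinned. Place the output under the `server:`
    section of unbound.conf. The records must be captured before the outage;
    nothing here can recover data the external provider is no longer serving.
    """
    zone = zone.rstrip(".")
    lines = [f'local-zone: "{zone}." transparent']
    for name, rrtype, rdata in records:
        lines.append(f'local-data: "{name.rstrip(".")}. {ttl} IN {rrtype} {rdata}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    report = assess(parse_ns_answers(SAMPLE_DIG_OUTPUT))
    for domain, info in sorted(report.items()):
        flag = "SINGLE PROVIDER" if info["single_provider"] else "diverse"
        print(f"{domain:20s} {flag:16s} {', '.join(info['providers'])}")
    # Emergency stanza for the single-provider vendor; the address is a
    # documentation-range placeholder standing in for a value captured beforehand.
    print(unbound_override("vendor-a.example",
                           [("portal.vendor-a.example", "A", "203.0.113.10")]))
```

In practice you would feed the parser the real `dig` output for your critical vendors (their mail, portal and file-transfer hostnames, not just the apex), and keep a snapshot of the records you would need to pin so the override stanza can be generated the moment a provider goes down rather than reconstructed from memory.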
Thanks Johannes, I understand what you were saying now.
Kaldek

12 Posts
One of the bullet points in Slide 7 - (How can we minimize the risk), states "This requires additional tools and setup to make sure information is sync’d across different providers".
What are these specific tools and setup exactly?
AAInfoSec

48 Posts
Minor typo on 2nd last slide: s/devises/devices/
Paul

3 Posts
