Thought leadership. threat analysis, news and alerts.
Lessons Learned Four Years After Dyn DDoS Attack
One of the perpetrators of the massive distributed denial-of-service (DDoS) attack that brought down the domain name system (DNS) provider Dyn and major websites pleaded guilty.
In a statement, the U.S. Department of Justice said that on October 21, 2016, the individual, who was a minor at the time, pleaded guilty to creating, in collaboration with other individuals, a botnet that launched several DDoS attacks and impacted the DNS provider Dyn (now owned by Oracle), as a result, taking offline for several hours a number of websites, including the websites of Sony, Spotify, Amazon, Twitter, PayPal, and Netflix.
What Is a DDoS Attack?
A DDoS attack is a type of cyberattack that overwhelms an online resource, such as a website with malicious traffic, taking down the website offline, making it unavailable to legitimate site visitors.
In overwhelming an online resource or online platform with malicious traffic, attackers use a botnet. A botnet refers to hijacked computers, including Internet of Things (IoT), and controlled by the attackers to perform malicious activities including DDoS attacks.
Based on court documents, in September and October of 2016, the attackers, including the one who recently pleaded guilty, created a botnet, which was a variant of the botnet called “Mirai,” in launching the DDoS attacks that resulted in taking down Dyn. The Mirai-variant botnet hijacked IoT devices including video cameras and recorders and turned them into “zombie robots” in launching the DDoS attacks.
"We saw both attack and legitimate traffic coming from millions of IPs across all geographies,” Scott Hilton, Dyn EVP of Product, said in a statement about the attack. “It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”
Role of Domain Name System (DNS) Resolver
Domain Name System (DNS) is one of the infrastructural services that most modern websites critically rely on when servicing web requests.
In searching the internet, users type into the web browsers words such as espn.com. Web browsers interact with Internet Protocol (IP) addresses – referring to addresses that are too complex for users to memorize such as 192.168.1.1 (in IPv4), or more complex IP addresses 2400:cb00:2048:1::c629:d7a2 (in IPv6).
What DNS does is convert these domain names, for instance, espn.com into IP addresses so that web browsers can load the web content. This eliminates the need for users to memorize complex IP addresses. DNS resolver like Dyn, meanwhile, initiates the process that leads to a domain name being translated into the necessary IP address.
DNS resolvers, also known as DNS providers, aren’t immune to cyber risks such as DDoS attacks as shown in the Mirai-Dyn incident. The Mirai-Dyn incident also showed that the reliance on a single third-party DNS resolver like Dyn led to taking offline the websites relying solely on a single DNS resolver.
In the study "Analyzing Third Party Service Dependencies in Modern Web
Services: Have We Learned from the Mirai-Dyn Incident," a team of Carnegie Mellon University researchers found that despite the highly publicized Dyn outage, for the period of 2016 to 2020, 89% of the Alexa top-100K websites critically depend on third-party DNS providers, that is, if these DNS providers go down, for instance through DDoS attacks, these websites could suffer service disruption.
The Carnegie Mellon University study also found third-party critical dependencies are higher for lower-ranked websites. The Carnegie Mellon University researchers added, “Moreover, we observe that redundancy decreases with popularity; i.e., more popular websites care more about availability as compared to less popular ones.”
The DDoS attack on Dyn in 2016 showed that third-party DNS providers aren’t immune to cyber risks such as DDoS attacks that are faced by small organizations.
One lesson out of the DDoS attack on Dyn in 2016 is the need to have a backup DNS resolver or provider. Twitter, for instance, added redundancy or backup by deploying a private DNS in addition to Dyn (now Oracle). Only a few organizations, however, can do what Twitter did as many can’t afford a private DNS infrastructure.
According to Carnegie Mellon University researchers, only a small fraction of websites have DNS infrastructure backup due to the following reasons:
DNS Amplification DDoS attack hit Dyn in 2016. Since DNS is UDP based, it opens the door to IP spoofing and amplification attack. In IP spoofing, attackers falsify the source IP header to mask their identity. UDP-based DNS also allows for an attack amplification technique in which 1Mbps of attack traffic can end up becoming 100Mbps reflected on the victim.
DDoS protection is available against DNS Amplification DDoS attacks. Imperva’s DDoS Protection for DNS is the first destination for all DNS queries. “Acting as a secure proxy, Imperva prevents illegal DNS queries from reaching your server while masking it from direct-to-IP network layer attacks,” Imperva said in a statement.
Steve E. Driz, I.S.P., ITCP