nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

DNS devastation: Top websites whacked offline as Dyn dies again

Twitter, Amazon, AirBnB, Github and many others hit in DDoS attack on infrastructure

By Kieren McCarthy, 21 Oct 2016

An extraordinary, focused attack on DNS provider Dyn continues to disrupt internet services for hundreds of companies, including online giants Twitter, Amazon, AirBnB, Spotify and others.

The worldwide assault started at approximately 11am UTC on Friday. It was a massive denial-of-service blast that knocked Dyn's DNS anycast servers offline, resulting in knock-on impacts across the internet. Folks immediately started reporting problems; millions of people are affected.

After two hours into the initial tidal wave of junk traffic, Dyn announced it had mitigated the assault and service was returning to normal. But the relief was short lived: just about an hour later, the attack resumed and at the time of writing (1800 UTC), not only is Dyn's service still down but its website is too.

(Aptly, Dyn researcher Doug Madory had recently given a talk on DDoS attacks.)

By blasting Dyn offline, public DNS providers – such as Google and broadband ISPs – are unable to contact Dyn to lookup hostnames for netizens, preventing people from accessing sites using Dyn for DNS.

OpenDNS is about the only major public DNS provider weathering the storm – if you're having problems connecting to websites, you should use OpenDNS's resolvers at 208.67.222.222 and 208.67.220.220. OpenDNS uses smart caching during outages to keep looking up hostnames even if the websites' backend DNS is flooded off the 'net.

What's happening is basically this: your browser or app tries to connect to somewebsite.com using a public DNS resolver, such as Google's or your cable provider. That resolver tries to get hold of Dyn to lookup the IP address for somewebsite.com, but can't because Dyn's systems have been shoved offline so the resolver gives up. Your software therefore can't get an IP address to connect to and also gives up with an error message.

Efforts to uncover the root cause or source of the traffic tsunami have proven fruitless: even the main switchboard is going through to voicemail. Staff are not answer their email or mobile phones and the company's own separate status page has not been updated for over an hour at the time of writing.

An update at 4.48pm UTC read: "This DDoS attack may also be impacting Dyn Managed DNS advanced services with possible delays in monitoring. Our Engineers are continuing to work on mitigating this issue."

What's the impact?

Dyn provides managed DNS services to a huge array of companies. Ironically, that means that it promises to protect companies from the very DDoS attack that is currently suffering.

By paying for a company to manage your own organization's DNS, the theory is that you can save yourself a lot of time and money by not having to hire IT staff or purchase hardware to handle internet infrastructure issues like DNSSEC, IPv6, and a range of logging and reporting systems.

Dyn is one of roughly 10 large companies that offers this service for anything ranging from $10 a month for a single domain to thousands of dollars a month for large internet companies.

What is most remarkable about this attack however is that it is specifically targeted at the provider of those services, rather than any particular company.

With no information coming out of Dyn, it is impossible to know exactly what is going on and why, but the fact that it comes just a month after an enormous DDoS on security researcher Brian Krebs' website is raising eyebrows.

That also was a specific targeted attack and the reason behind it was thought to be Krebs' research on DDoS attacks. The attack was one of the largest ever seen online, and the make matters worse, the source code to create the botnet that was used in the attack was then released into the wild.

It's not know if the person behind Krebs' attack is the same one that is attacking Dyn but since Dyn is a company really only known to DNS infrastructure people, it is looks likely.

Experts

A raft of security experts have jumped on the issue, with most warning that the DNS itself has very little to protect itself against such an attack.

Richard Meeus, VP of technology at NSFOCUS, which specializes in handling DDoS attacks noted: "DNS has often been neglected in terms of its security and availability from an enterprise perspective – it is treated as if it will always be there in the same way that water comes out of the tap and electricity is there when you switch it on.

"This attack highlights how critical DNS is to maintaining a stable and secure internet presence, and that the DDOS mitigation processes businesses have in place are just as relevant to their DNS service as it is to the web servers and datacentres."

Lee Munson, a security researcher at Comparitech.com, noted the irony of Dyn going down: "Any company running its own website may well have its own technology in place to mitigate DDoS attacks, but it’s all for nought if the DNS provider itself is not applying a sufficient enough level of protection to its own servers and data centres."

David Gibson, VP of strategy at Varonis, noted: "Like many of our aging technologies, DNS wasn’t built with security in mind… DNS is one of the aging technologies the industry is struggling to update, along with one-factor authentication and unencrypted web connections – the list is very long, and the stakes have never been higher."

Craig Young, a security researcher at Tripwire, added to the general concern: "As with most software designs from the 1980s, security was generally not considered when creating DNS. Because the web is so dependent on this system, it becomes a very visible point of failure as is the case today with service provider Dyn."

And Paul Calatayud, CTO of FireMon, reflected briefly on what this meant for Dyn itself: "What causes me to pause and reflect most in regards to this breaking news is that Dyn DNS is a DNS SaaS provider. Its core job is to host and manage DNS services for its clients. The impact and harm has a ripple effect attributed to the various clients Dyn services. As attackers evaluate their targets, and organisations run to the proverbial cloud for various reasons, it introduces interesting targets for the bad guys."

While we don't know exactly what is going on behind the scenes, two things are for certain: first, this is a game-changer and will be reviewed and talked about for some time; and second, Dyn has suffered a huge loss in reputation; one that will only get worse the longer it stays offline. ®

See our latest story Dyn DDOS explained, for latest updates

The Register - Independent news and views for the tech community. Part of Situation Publishing