A Few Points on Yesterday’s Big DDos Attack

If you had trouble getting to a various websites yesterday it was probably fallout from a huge distributed Denial-of-Service (DDoS) attack:

Criminals this morning massively attacked Dyn, a company that provides core Internet services for Twitter, SoundCloud, Spotify, Reddit and a host of other sites, causing outages and slowness for many of Dyn’s customers.

In a statement, Dyn said that this morning, October 21, Dyn received a global distributed denial of service (DDoS) attack on its DNS infrastructure on the east coast starting at around 7:10 a.m. ET (11:10 UTC).

More coverage of the attack here. “At the peak of the attack, average DNS connect times for 2,000 websites monitored by Dynatrace went to about 16 seconds from 500 milliseconds normally.”

Internet-of-Things-enabled devices appear to be at the heart of the DDoS attack:

According to Dan Drew, the chief security officer at Level 3 Communications, the attack is at least in part being mounted from a “botnet” of Internet-of-Things (IoT) devices.

Drew explained the attack in a Periscope briefing this afternoon. “We’re seeing attacks coming from a number of different locations,” Drew said. “An Internet of Things botnet called Mirai that we identified is also involved in the attack.”

The botnet, made up of devices like home Wi-Fi routers and Internet protocol video cameras, is sending massive numbers of requests to Dyn’s DNS service. Those requests look legitimate, so it’s difficult for Dyn’s systems to screen them out from normal domain name lookup requests.

Earlier this month, the code for the Marai botnet was released publicly. It may have been used in the massive DDoS attack against security reporter Brian Krebs. Marai and another IoT botnet called Bashlight exploit a common vulnerability in BusyBox, a pared-down version of the Linux operating system used in embedded devices. Marai and Bashlight have recently been responsible for attacks of massive scale, including the attack on Krebs, which at one point reached a traffic volume of 620 gigabits per second.

Matthew Prince, co-founder and CEO of the content delivery and DDoS protection service provider CloudFlare, said that the attack being used against Dyn is an increasingly common one. The attacks append random strings of text to the front of domain names, making them appear like new, legitimate requests for the addresses of systems with a domain. Caching the results to speed up responses is impossible.

At least some commenters have pointed to a possible connection between DDoS attacks and web services firm BackConnect Inc.:

The latest comes the day after Doug Madory, director of Internet Analysis at Dyn, gave a presentation at an industry conference about research he had done on questionable practices at BackConnect Inc., a firm that offers web services, including helping clients manage DDoS attacks. According to Madory, BackConnect had regularly spoofed Internet addresses through a technique known as a BGP hijack, an aggressive tactic that pushes the bounds of industry.

Madory’s research was conducted with Brian Krebs, a well-known writer on computer-security issues. Krebs also published an article based on the research last month. Within hours, his website was hit by a “extremely large and unusual” DDoS attack, he wrote.

Perhaps someone with more computer security knowledge than I (Dwight? Borepatch?) might comment on how best to defend from these attacks in the future. Spin up big on-demand cloud clustered DNS VMs when a DDoS attack is detected?

Tags: , , , , , , , ,

One Response to “A Few Points on Yesterday’s Big DDos Attack”

  1. Brendan says:

    Defense and general welfare are the government’s main reasons for existence. Spinning off ICANN instead of creating a way to let them continue their commercial purpose, with the US government backing them up on items such as your spin up big on-demand cloud clustered DNS VMs should have a priority. But our betters fiddle while Rome burns.

Leave a Reply