DNS host Dyn is continuing to deal with issues caused by a series of distributed denial of service (DDoS) attacks Friday that knocked out service to major websites, including Amazon, Twitter, Spotify and Reddit.
The first attack came around 4 a.m. Pacific Friday morning, and several others have followed. Dyn’s update page says the company is “continuing to investigate and mitigate several attacks aimed against the Dyn Managed DNS infrastructure.” It turns out, the attacks may have come in huge volume.
That could be because the attackers may be using a type of botnet attack called Mirai that, according to security news site Krebs on Security, “enslaves IoT devices for use in large DDoS attacks.”
The Department of Homeland Security told CNBC that it is “looking into all potential causes” of the attack. Reuters reported that the FBI is also investigating who was responsible. DDoS attacks are typically caused by overloading a website’s server with excessive/fake requests. You can read more about DDoS attacks here.
But what exactly happened in this case? We reached out to a few tech experts to learn more about the attacks that took down many major websites and caused one GeekWire reporter to question herself and everything she holds dear.
Frits Habermann, who is CTO of photo editing company PicMonkey and former CTO of Lynda.com and PopCap Games, told GeekWire via email that DNS services like Dyn are middlemen that act as a phonebook for the internet, and when they go down, pretty much every website using their service goes with them. Habermann continues:
There is not much companies can do to fix the middle-man service themselves, or at least not things you would want to do for long lest they expose you to more serious attacks. For example, there are ways to store the “phone book entry” along the internet path, typically using a “cache” of some sort. When the translation from “www.picmonkey.com” to IP Address 18.104.22.168 needs to be made, it has recorded that upstream from the middle-man and doesn’t need to look it up again.
These caches can be told to not refresh themselves for a bit, and that could be useful when a step along the internet path is having an issue (or is under attack). This “Time To Live” amount, however, opens the cache up to an even more dangerous type of attack where the actual “phone book entry” is altered to point to someplace else; essentially hijacking the connection for a while until the cache is refreshed. If it’s not refreshed for a while, this virus just sits there doing bad things.
Home computers and routers can be susceptible to this sort of attack, where a cached DNS lookup table has been established for common destinations (youtube, netflix, amazon), and a virus manipulates those entries to point to their things instead. There are more complicated solutions as well, but again, some carry their own, sometimes even more dangerous, misgivings. Mostly companies like PicMonkey will reach out to their customers using social media to tell them of the issue (well, maybe not Twitter today), or host some of our customer support traffic from a different place not connected through Dyn.
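The cache and Time To Live trade-off Habermann describes, as an added example that is not part of the article or PicMonkey's own code: a toy resolver cache in Python in which a cached record keeps answering through an upstream outage until its TTL runs out, and an audit that flags a tampered entry together with how long it would keep being served. The names, addresses and TTL values are constructed (www.picmonkey.com and 18.104.22.168 are the values from the quote above; 203.0.113.9 is a documentation address).

```python
# Added example, not code from the article or from PicMonkey: a toy resolver
# cache illustrating the TTL trade-off. All names, addresses and TTLs are constructed.
UPSTREAM_DOWN = "upstream DNS host unreachable"


class ResolverCache:
    """Answers from cache until a record's TTL expires, then asks upstream."""

    def __init__(self, upstream):
        self.upstream = upstream   # callable name -> (ip, ttl); raises when down
        self.entries = {}          # name -> (ip, expires_at)

    def resolve(self, name, now):
        hit = self.entries.get(name)
        if hit and hit[1] > now:
            return hit[0], "cache"
        ip, ttl = self.upstream(name)          # raises ConnectionError in an outage
        self.entries[name] = (ip, now + ttl)
        return ip, "upstream"

    def audit(self, known_good, now):
        """Defender check: live cached answers that disagree with a known-good
        table, with the seconds each would still be served."""
        return {name: (ip, exp - now) for name, (ip, exp) in self.entries.items()
                if exp > now and known_good.get(name) != ip}


def make_upstream(records, outage):
    """records: name -> (ip, ttl); outage: one-element list used as a flag."""
    def upstream(name):
        if outage[0]:
            raise ConnectionError(UPSTREAM_DOWN)
        return records[name]
    return upstream


def demo():
    name, good_ip = "www.picmonkey.com", "18.104.22.168"   # values from the quote
    outage = [False]
    cache = ResolverCache(make_upstream({name: (good_ip, 300)}, outage))
    first = cache.resolve(name, now=0)            # ('18.104.22.168', 'upstream')
    outage[0] = True                              # the DNS host is knocked out
    during = cache.resolve(name, now=100)         # still answered from cache
    try:
        cache.resolve(name, now=400)              # TTL expired and upstream down
        after = "served"
    except ConnectionError:
        after = UPSTREAM_DOWN
    # The flip side: an altered entry with a long TTL is served just as faithfully,
    # so the audit reports it along with how long it would persist.
    cache.entries[name] = ("203.0.113.9", 3600)   # constructed tampered record
    flagged = cache.audit({name: good_ip}, now=400)
    return first, during, after, flagged
```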
Here’s what Corey Nachreiner, CTO at WatchGuard Technologies and GeekWire contributor, had to say when we asked how organizations can mitigate the threats of DDoS attacks:
So how can a CTO prevent this against their organization? Well, that’s a somewhat complex problem. In the case of most direct DDoS attacks, which are flooding your infrastructure, I recommend some sort of cloud-based DDoS protection service. There are local DDoS protection appliances, but even they can become overwhelmed with the sheer scale of some of the DDoS attacks today (the latest allegedly reaching 1Tbps).
Cloud or hybrid DDoS solutions handle much of the attack up-stream, distributing some of the load through a large, distributed network, and blocking much of the traffic before it even reaches your gates. That said, today’s DDoS attack was not an attack on Netflix, Twitter, or others directly…
Rather it was an attack on a DNS service that plays a core role on the Internet. If the services you rely on to direct customers to your domain go down, you can contact your DNS registrar to temporarily redirect your domain to another server until the other recovers. There is little we can do to protect against these services directly, because they are out of our direct control. In short, this is an industry problem. Critical service vendors, like DNS hosts, need to implement strong DDoS protection themselves, as they play a critical part in how the Internet works.