I'd imagine that DDoS attacks are something that Dyn and other DNS providers would spend a lot of resources to prevent. Was there something specific about this DDoS attack that Dyn was unprepared for? Or is there some reason that the distributed nature of DNS makes it hard to prevent DDoS? Anyone know of any steps that DNS guys are taking to prevent another DDoS?
I would like to remind those that think all is lost with this:

A serious conversation with vendors about default passwords and backdoors post this incident will help prevent recurrence. This has forced this talk and we are better for it.

There was a time when your Windows box would get popped from being online for more than 4 minutes. We recovered from this. Conficker in 2008. Blaster in 2003. It was a 'BIG BOTNETS OH NO', but we cleaned up, recovered, hardened. Microsoft went from being a botnet enabler to an active force in dismantling bots and crime rings.
It sucks, and some of us have a bad day, but we recover ever stronger.

XiongMai Technologies may well find themselves in some international hot water over this incident, and I think they deserve it. They sold a faulty product that caused billions of dollars in lost revenue to some very large internet properties for a day in October 2016.
I would encourage vendors to look at these incidents from the last decade and how these were turning points for upping their security game. I would encourage its victims to investigate legal recourse.

Specifically the current vulnerable nodes of Mirai, I am sure these will be removed from the internet pretty soon. One only gets to fire something like this a few times before the feds are at the door.

Your regularly scheduled program will commence shortly.
It's time to apply some serious pain to the junk IoT manufacturers, retailers, distributors, and importers. A nice big billion-dollar lawsuit against Amazon for gross negligence would be a good way to start. US consumer law allows suing everybody in the supply chain. (They can then sue each other and try to sort out who pays, but that's not the victim's problem.)

We also need some big recalls. If Homeland Security tells the Consumer Product Safety Commission this is a national safety issue, the CPSC can order a recall. Something like this worked with those exploding "hoverboards". CPSC ordered recalls, Amazon took the junk back, and Amazon refused to pay manufacturers in Shenzhen. The manufacturers were furious, but hoverboards with crap batteries disappeared from the market very fast.
I think the answer is surprisingly simple: The attack was just huge.

The unfortunate truth is that with the Internet of Things the number of devices that can easily be taken over has grown so fast that we see DDoS attacks of unprecedented size. Even more unfortunate is that there is no sign whatsoever that this is going down again.
The real question here is whether there was anything they could realistically have done to prevent it at all.

In order to defend against a DDoS attack, you really only have two options. One is to have sufficient capacity to cope with the extra load without undermining your normal service. The other is to reduce the amount of extra load you have to handle, by identifying and blocking the hostile traffic at some point before your main system deals with it fully.

In this case, the scale of the attack was huge thanks to all the woefully insecure IoT devices out there. But worse, from the initial reports it appears that the requests being sent were effectively indistinguishable from valid DNS requests: they came from diverse sources, and asked DynDNS to do exactly what it's normally supposed to do, just for random subdomains that don't actually exist. Unless there is some pattern in those requests that allows for identification of the hostile incoming traffic so it can be dropped early, there's probably very little DynDNS could have done here. And of course the attack is particularly effective because by taking out infrastructure rather than attacking a specific site, it brings down large numbers of high profile sites all at once.

It is disturbing, but apparently the reality we face, that there are now so many hopelessly insecure devices on the public Internet that this is possible. The best long term strategy for dealing with it seems to be trying to improve the standards of Internet-connected devices and reduce the number of highly vulnerable devices with access to the Internet, but this was always going to be difficult with IoT products aimed at the general public. I suspect some sort of remediation/recall scheme for manufacturers/vendors and some sort of throttling of users' Internet connections to force them to respond to security recall/update notices may be necessary if this kind of attack starts to become a pattern.
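The comment above notes that the hostile queries were for random, non-existent subdomains and asks whether any pattern could let them be dropped early. As an added illustration (not code from the thread or from Dyn), the detector below aggregates constructed query-log lines per zone and flags zones where most answers are NXDOMAIN, nearly every query is for a never-seen name, and the leftmost label has high entropy; the log format and thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of authoritative-server query log lines (not real Dyn
# data), one per line: "<unix_time> <client_ip> <qname> <rcode>".
SAMPLE_LOG = """\
1477000001 10.0.0.5 www.example.com. NOERROR
1477000002 198.51.100.7 q7x2kd9a.victim.example. NXDOMAIN
1477000002 203.0.113.44 p0mz1vbq.victim.example. NXDOMAIN
1477000003 192.0.2.18 zzt4h8wl.victim.example. NXDOMAIN
1477000003 198.51.100.9 a1b2c3d4.victim.example. NXDOMAIN
1477000003 203.0.113.5 k9s8d7f6.victim.example. NXDOMAIN
1477000004 192.0.2.33 www.victim.example. NOERROR
1477000004 198.51.100.2 m3n4b5v6.victim.example. NXDOMAIN
"""

def label_entropy(label):
    # Shannon entropy in bits per character; random-looking labels score high.
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def zone_stats(log_text):
    # Per zone (last two labels): volume, NXDOMAIN answers, distinct names,
    # and summed entropy of the leftmost label (0 for the bare apex name).
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names": set(), "entropy": 0.0})
    for line in log_text.splitlines():
        _, _client, qname, rcode = line.split()
        labels = qname.rstrip(".").split(".")
        s = stats[".".join(labels[-2:])]
        s["queries"] += 1
        s["nxdomain"] += int(rcode == "NXDOMAIN")
        s["names"].add(qname)
        s["entropy"] += label_entropy(labels[0]) if len(labels) > 2 else 0.0
    return stats

def suspicious_zones(log_text, min_queries=5, nx_ratio=0.5, distinct_ratio=0.5, min_entropy=2.0):
    # Flag zones that look like a random-subdomain flood: mostly NXDOMAIN, nearly every
    # query a never-seen high-entropy name. Caveat: CDN-style zones need higher thresholds.
    flagged = []
    for zone, s in zone_stats(log_text).items():
        q = s["queries"]
        if q < min_queries:
            continue
        if (s["nxdomain"] / q >= nx_ratio and len(s["names"]) / q >= distinct_ratio
                and s["entropy"] / q >= min_entropy):
            flagged.append(zone)
    return sorted(flagged)
```

A flagged zone is a candidate for per-zone rate limiting or response-rate limiting upstream of the authoritative servers, not an automatic drop, since legitimate zones with many unique hostnames can score similarly.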
I think this is a plausible theory of the attack (first seen in an NPR report on the incident):

NANOG 68 BackConnect's Suspicious BGP Hijacks was shown 4ish days ago. Last talk of the night, discusses BGP hijacking shenanigans and Krebs; touches on the MO of the possible attacker.
Speaker is Director at Dyn. Attack in retaliation.

So far the targets have been organisations that have responded to or made allegations of corrupt DDoS business.

Please don't buy into all this cyberwar bullshit, this may just be a well resourced (it's really not that hard to pop boxes with default passwords.....) attacker doing criminal response to commentary.
I think there is a larger strategy at play. This is pure speculation and anecdote.

Recently there has been an aggressive uptick of DNS DDoS attacks against smaller companies/service providers that run their own DNS infrastructure. This includes small/regional internet service providers and individual sites/hosts that still run their own servers.

In almost all of these cases that I'm aware of, the smaller companies immediately outsourced their DNS services to a larger company, one that ostensibly is able to either absorb, scrub, or otherwise defend against these types of attacks.

Extrapolating to a global scale, what's happening is a forced consolidation of DNS infrastructure into a handful of large players. Even in the case of having redundant providers, it's usually two very large providers. And as we just saw today, a terabit-level attack is not something we can readily defend against. What if there's even more in reserve?

In other words, we're putting all of our eggs into one basket. And someone is aggregating enough attack capacity to take out nearly the entire internet at once. It doesn't help that everyone is voluntarily consolidating their infrastructure onto a small handful of public cloud providers.

We are setting ourselves up for a massive internet outage.
I've been wondering if the UDP nature of a DNS server makes it harder to protect. Particularly coupled with the amplification attacks that DNS makes possible.
If the attack is sufficiently distributed and the scale is very large it can knock out even much bigger targets. I think there have been attacks at over 600 Gbps scale.
I've been waiting for some announcement around the Gbps of the DDoS similar to this Cloudflare announcement:

https://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/
Does Dyn routinely deal with very large DDoS attacks, which would put this attack in a new category? Can someone who attends security conferences with Dyn personnel comment?
Hackers have started to use insecure Internet of Things devices, especially internet connected video cameras, to produce DDoS attacks larger than have ever been seen before. The KrebsOnSecurity website was hit by a DDoS that was twice as large as the previous largest attack seen by Akamai, and there have been larger attacks since.

The problem will continue, and may get even worse, since many of the insecure internet-attached video cameras are insecure because of passwords hard-coded into the devices; they can't be easily made more secure.
I wonder if there's any way to tell apart real-user requests from fake-user requests.

If I'm not wrong, it's only preventable by increasing the resources of the server, doing anti-bot things like CAPTCHAs (not feasible for stand-alone IoT devices) or detecting weird patterns (which can be masked really easily).

How will DDoS attacks be preventable in the future? There will be so many things and nano-things connected to the internet that can act as "attackers". It's getting harder and harder every day.
I wonder how much of this would be mitigated/avoided if folks would just change to something other than the default credentials on IoT devices?

Is it that simple? Or am I missing something?