DDoS Attack Against Dyn Managed DNS

1563 points, by owenwil, over 8 years ago

113 comments


bhauer, over 8 years ago
Out of curiosity, why do caching DNS resolvers, such as the DNS resolver I run on my home network, not provide an option to retain last-known-good resolutions beyond the authority-provided time to live? In such a configuration, after the TTL expiration, the resolver would *attempt* to refresh from the authority/upstream provider, but if that attempt fails, the response would be a more graceful failure of returning a last-known-good resolution (perhaps with a flag). This behavior would continue until an administrator-specified and potentially quite generous maximum TTL expires, after which nodes would finally see resolution failing outright.

Ideally, then, the local resolvers of the nodes and/or the UIs of applications could detect the last-known-good flag on resolution and present a UI to users ("DNS authority for this domain is unresponsive; you are visiting a last-known-good IP provided by a resolution from 8 hours ago."). But that would be a nicety, and not strictly necessary.

Is there a spectacular downside to doing so? Since the last-known-good resolution would only be used if a TTL-specified refresh failed, I don't see much downside.

scrollaway, over 8 years ago
Relevant (or at least a-propos) post by Bruce Schneier, from a month ago: "Someone Is Learning How to Take Down the Internet"

https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html

Edit: And to be clear: I don't mean to imply there's any connection :)

tim_armandpour, over 8 years ago
I wanted to provide an update on the PagerDuty service. At this time we have been able to restore the service by migrating to our secondary DNS provider. If you are still experiencing issues reaching any pagerduty.com addresses, please flush your DNS cache. This should restore your access to the service. We are actively monitoring our service and are working to resolve any outstanding issues. We sincerely apologize for the inconvenience and thank our customers for their support and patience. Real-time updates on all incidents can be found on our status page and on Twitter at @pagerdutyops and @pagerduty. In case of outages with our regular communications channels, we will update you via email directly.

In addition you can reach out to our customer support team at support@pagerduty.com or +1 (844) 700-3889.

Tim Armandpour, SVP of Product Development, PagerDuty

jssjr, over 8 years ago
I'm a GitHub employee and want to let everyone know we're aware of the problems this incident is causing and are actively working to mitigate the impact.

"A global event is affecting an upstream DNS provider. GitHub services may be intermittently available at this time." is the content from our latest status update on Twitter (https://twitter.com/githubstatus/status/789452827269664769). Reposted here since some people are having problems resolving Twitter domains as well.

elwell, over 8 years ago
To get on github you can add to your /etc/hosts:

    192.30.253.113 github.com
    151.101.32.133 assets-cdn.github.com

And it seems faster than normal right (less users).

Edit; for profile pics include:

    151.101.32.133 avatars0.githubusercontent.com
    151.101.32.133 avatars1.githubusercontent.com
    151.101.32.133 avatars2.githubusercontent.com
    151.101.32.133 avatars3.githubusercontent.com
    151.101.32.133 avatars4.githubusercontent.com
    151.101.32.133 avatars5.githubusercontent.com

Animats, over 8 years ago
So who was prepared for this? Pornhub:

pornhub.com:

    Name Server: ns1.p44.dynect.net
    Name Server: ns2.p44.dynect.net
    Name Server: ns3.p44.dynect.net
    Name Server: ns4.p44.dynect.net
    Name Server: sdns3.ultradns.biz
    Name Server: sdns3.ultradns.com
    Name Server: sdns3.ultradns.net
    Name Server: sdns3.ultradns.org

ultradns.biz:

    Name Server: PDNS196.ULTRADNS.ORG
    Name Server: ARI.ALPHA.ARIDNS.NET.AU
    Name Server: ARI.BETA.ARIDNS.NET.AU
    Name Server: ARI.GAMMA.ARIDNS.NET.AU
    Name Server: ARI.DELTA.ARIDNS.NET.AU
    Name Server: PDNS196.ULTRADNS.NET
    Name Server: PDNS196.ULTRADNS.COM
    Name Server: PDNS196.ULTRADNS.BIZ
    Name Server: PDNS196.ULTRADNS.INFO
    Name Server: PDNS196.ULTRADNS.CO.UK

dEnigma, over 8 years ago
I was not aware of the attacks going on until this happened:

1. Tried to download "Unknown Horizons" (game featured recently on Hacker News) binary, github-link doesn't work.

2. Think "Ok, might be an old link", google their github-repository, github appears down.

3. Try accessing github status website, is down.

4. Interested, try to visit github status twitter account, twitter is down.

Really weird experience, normally at least the second source of news on a downed website I try during an attack works.

foobarbecue, over 8 years ago
According to Fortune, Hacker News "reported" on the incident. Are we journalists now?

"Popular tech site Hacker News reported many other sites were affected including Etsy, Spotify, Github, Soundcloud, and Heroku." -- http://fortune.com/2016/10/21/internet-outages/

meshko, over 8 years ago
Very funny guys, can you stop now? We have a demo in 4 minutes.

chromaton, over 8 years ago
I can't currently get resolution on www.paypal.com.

    $ dig @8.8.8.8 www.paypal.com

    ; <<>> DiG 9.8.1-P1 <<>> @8.8.8.8 www.paypal.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17925
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.paypal.com. IN A

    ;; Query time: 29 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Fri Oct 21 12:35:33 2016
    ;; MSG SIZE rcvd: 32

sly010, over 8 years ago
I am confused. Are so many big websites using Dyn, or does Dyn have some special role in the DNS chain in the US?

jtmarmon, over 8 years ago
I'm updating a list of confirmed outages as I see them here https://news.ycombinator.com/item?id=12759520

So far twitter, etsy, soundcloud, spotify, github, pagerduty...crazy that this can even happen

danyork, over 8 years ago
Journalist and security researcher Brian Krebs believes this is someone doing a DDoS as payback for research into questionable "DDoS mitigation services" that he and Dyn's Doug Madory did. Doug just presented his results yesterday at NANOG and Krebs believes this is payback. Read more: https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/

rybosome, over 8 years ago
I'm wondering, from a regulatory perspective, what might be done to mitigate DDoS attacks in the future?

From comments made on this and other similar posts in the past, I've gathered the following:

1) Malicious traffic often uses a spoofed IP address, which is detectable by ISPs. What if ISPs were not allowed to forward such traffic?

2) There is no way for a service to exert back pressure. What if there was? e.g. send a response indicating the request was malicious (or simply unwanted due to current traffic levels), and a router along the way would refuse to send follow up requests for some time. There is HTTP status code 429, but that is entirely dependent on a well-behaved client. I'm talking about something at the packet level, enforced by every hop along the way.

3) I believe it is suspected that a substantial portion of the traffic is from compromised IoT devices. What if IoT devices were required to continually pass some sort of a health check to make other HTTP requests? This could be enforced at the hardware/firmware level (much harder to change with malware), and, say, send a signature of the currently running binary (or binaries) to a remote server which gave the thumbs up/down.

Animats, over 8 years ago
Analysis of the Mirai botnet: [1]

This is worth reading. It has links to copies of the code and names the known control servers. Quite a bit is known now about how this thing works.

The bots talk to control servers and report servers. The attacker appears to communicate with the report servers over Tor.

[1] http://blog.level3.com/security/grinch-stole-iot/

Mizza, over 8 years ago
Although I don't like to recommend Google products, they provide a public DNS-over-HTTPS interface that should be useful for people who want to add specific entries into their /etc/hosts files: https://dns.google.com/query?name=github.com&type=A&dnssec=true

Animats, over 8 years ago
"digikey.com", the big electronic part distributor, is currently inaccessible. DNS lookups are failing with SERVFAIL. Even the Google DNS server (8.8.8.8) can't resolve that domain. Their DNS servers are "ns1.p10.dynect.net" through "ns4.p10.dynect.net", so it's a Dyn problem.

This will cause supply-chain disruption for manufacturers using DigiKey for just-in-time supply.

(justdownforme.com says the site is down, but downforeveryoneorjustme.com says it's up. They're probably caching DNS locally.)

newsat13, over 8 years ago
Switch to OpenDNS servers - 208.67.222.222 and 208.67.220.220. Even google NS are down it seems. Heroku works after switching to opendns.

bgentry, over 8 years ago
If you're having issues with people accessing your running Heroku apps, it's likely because you're running your DNS through herokussl.com (with their SSL endpoint product) which is hosted on Dyn.

If you can update your DNS to CNAME directly to the ELB behind it, it should at least make your site accessible.

cm3, over 8 years ago
Just to be clear, this is a DDoS against Dynect's NS hosts, right?

I'm confused because of the use of "dyn dns", which to me means dns for hosts that don't have static ip addresses.

I'm actually surprised so many big-name sites rely on Dynect, which I hadn't heard of, but more importantly don't seem to use someone else's NS hosts as 2nd or 4th entries.

ohblahitsme, over 8 years ago
Twitter and Github are still down here in LA (and confirmed on isup.me)

andmarios, over 8 years ago
OpenDNS servers seem the only ones that still work. Kudos.

It may not be the proper action but this kind of soft-fail scenario (use the old DNS until you can contact the DNS servers and get new ones) is much better.

    echo "nameserver 208.67.222.222" | sudo tee -a /etc/resolv.conf

ljosa, over 8 years ago
AWS says "We are investigating elevated errors resolving the DNS hostnames used to access some AWS services in the US-EAST-1 Region." Is that coincidental, or are they being DDoSed also?

tedmiston, over 8 years ago
Anyone else spend the morning thinking the problem was their setup? I've been flushing my system DNS cache, Chrome's DNS cache, changing DNS servers, rebooting my router, turning VPN on/off, etc.

nodesocket, over 8 years ago
I've been singing the praise of AWS Route53 for a long time, they're up and running. I can't believe major multi-million dollar companies (Twitter, GitHub, Soundcloud, Pagerduty) would not run a mix of multiple DNS providers.

Also what is happening is a cascade effect, where a 3rd party being down affects others.

Supersam654, over 8 years ago
OpenDNS DNS Servers (208.67.222.222 and 208.67.220.220) are still resolving websites while my typical fallback to 8.8.8.8 is not.

artursapek, over 8 years ago
Twitter, Reddit, wow. I was so confused for a moment. Thankfully HN is here to explain.

jread, over 8 years ago
Seems to be impacting POPs in US East most severely. We use Ripe Atlas to assess the impact of DNS outages, and in the past hour have measured about 50-60% recursive query failure from a few hundred probes in that region: https://cloudharmony.com/status-for-dyn

jrochkind1, over 8 years ago
Is it time for everyone to actually start using secondary name servers/DNS resolvers too from a different provider from primary? DNS _is_ built for this, for the very purpose of handling failure of the primary resolver, isn't it? Just most people don't seem to do it -- including major players?

Or would that not actually solve this particular scenario?

wnm, over 8 years ago
Heroku also seems to be affected. I'm getting this when I run 'heroku status':

>> We are seeing a widespread DNS issue affecting connections to our services both internally and externally.

altyus, over 8 years ago
For me redirecting my DNS to Google public DNS 8.8.8.8 and 8.8.4.4 did the trick.

danyork, over 8 years ago
There's a bit of exquisite irony in the fact that just *yesterday* an article on the Dyn blog was:

Recent IoT-based Attacks: What Is the Impact On Managed DNS Operators? - http://hub.dyn.com/traffic-management/recent-iot-based-attacks-what-is-the-impact-on-managed-dns-operators

It's a good piece about how IoT-based DDoS attacks are carried out. And now Dyn has the answer...

HN thread about that article at: https://news.ycombinator.com/item?id=12764650

devy, over 8 years ago
Is Zendesk being affected? Their status page is reporting external DNS provider is having DNS issue [1] and most of their sites are being affected.

[1] https://status.zendesk.com/

Legogris, over 8 years ago
Microsoft's visualstudio.com's build servers fail to resolve Github and New Relic. So much for my Friday night deploy to staging.

mjpa, over 8 years ago
Is it really an internet wide outage?

Only 2 of the points in the US are affected on https://www.whatsmydns.net/ for the domains we've got on Dyn - same for Twitter etc

danyork, over 8 years ago
Other HN threads on related articles:

Krebs on Security: https://news.ycombinator.com/item?id=12761859

NY Times: https://news.ycombinator.com/item?id=12765652

Bloomberg: https://news.ycombinator.com/item?id=12763501

Dyn: https://news.ycombinator.com/item?id=12764650

patmcguire, over 8 years ago
Any quick script to see if a given domain ultimately resolves to them? My SaaS company has a lot of custom domains from whatever DNS servers pointed at us and I'd like to be able to tell people whether it's our fault or not.

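One way to answer the question above, as an added Python example (not code from any commenter): it groups a zone's NS hostnames by provider, using the name-server lists Animats quoted in this thread, and reports whether a Dyn outage means total or only partial loss of authoritative DNS. The function names and the provider heuristic are assumptions; `fetch_ns` shells out to `dig` and needs network access, everything else runs offline.

```python
import subprocess
from collections import Counter
from typing import Dict, List

# Two-label public suffixes seen in the NS lists quoted in this thread.
# Assumption: a production check would use the full Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "net.au"}

# NS sets taken from Animats' comments in this thread.
SPLIT_NS = [
    "ns1.p44.dynect.net", "ns2.p44.dynect.net",
    "ns3.p44.dynect.net", "ns4.p44.dynect.net",
    "sdns3.ultradns.biz", "sdns3.ultradns.com",
    "sdns3.ultradns.net", "sdns3.ultradns.org",
]
SINGLE_NS = ["ns%d.p10.dynect.net" % i for i in range(1, 5)]


def provider_label(ns_host: str) -> str:
    """Heuristic provider key: the label directly left of the public suffix.

    ns1.p44.dynect.net -> "dynect"; PDNS196.ULTRADNS.CO.UK -> "ultradns".
    This deliberately merges one operator's names under different TLDs.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return labels[0]
    return labels[-(suffix_len + 1)]


def assess(ns_hosts: List[str], affected: str = "dynect") -> Dict:
    """Classify a zone's exposure to an outage at one DNS provider."""
    if not ns_hosts:
        raise ValueError("no name servers given")
    counts = Counter(provider_label(h) for h in ns_hosts)
    on_affected = counts.get(affected, 0)
    if on_affected == len(ns_hosts):
        verdict = "outage"      # every authoritative server is at the provider
    elif on_affected:
        verdict = "degraded"    # resolvers can still retry the other servers
    else:
        verdict = "unaffected"  # failures are not explained by this provider
    return {
        "providers": dict(counts),
        "single_provider": len(counts) == 1,
        "exposure": on_affected / len(ns_hosts),
        "verdict": verdict,
    }


def fetch_ns(zone: str, timeout: int = 5) -> List[str]:
    """Look up the NS set of a zone apex with dig (requires network)."""
    out = subprocess.run(
        ["dig", zone, "NS", "+short"],
        capture_output=True, text=True, timeout=timeout, check=False,
    ).stdout
    return [line.strip() for line in out.splitlines() if line.strip()]


if __name__ == "__main__":
    for name, ns in (("split delegation", SPLIT_NS),
                     ("single provider", SINGLE_NS)):
        print(name, assess(ns))
```

For a customer's custom domain, pass its zone apex to `fetch_ns` and feed the result to `assess`; during an outage, run the lookup through a resolver that is still answering.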
CodeSheikh, over 8 years ago
Let's assume, that foreign countries such as Russia or China would be trying to sabotage our elections on Nov 8th night. What are the severe economic and political backlash that we can deal with if we cut off the traffic coming in from those regions (not in a "we control the internet" kinda way)? I am sure they already have nodes operating within the USA. A lot of major tech companies use CDNs that can still serve traffic globally to the consumers of those countries. Even better, how about we regulate and slow down all of incoming traffic for say half day on election day? Is it even possible?

_ar7, over 8 years ago
Almost every website I visit except HN seems to be down...

devnull42, over 8 years ago
Dyn reporting another attack started at 15:52 UTC.

edcastano, over 8 years ago
The great irony: http://www.isitdownrightnow.com/yesware.com.html

pawal, over 8 years ago
DNS was designed so that you can have multiple operators for your authoritative name servers.

Who would have thought adding a spof to your infrastructure would ever be a problem?

emmet, over 8 years ago
Is it just me or are these kind of attacks becoming way more frequent recently? This kind of widespread outage seems so new, but again, that might just be me.

dudul, over 8 years ago
Damn, I've spent the past 30 minutes trying to update my DNS and playing with my router config! :)

No GitHub, well, it's gonna be a fun Friday...

mirekrusin, over 8 years ago
They should do it once a year and call it Friday without Internet Day.

shortstuffsushi, over 8 years ago
In (well, after) attacks like this, and really any other massive DDOS, shouldn't it be possible to identify potential botnets and try to take them out (notify their owners that they're being used, notify their hosting providers, etc) so that they can't be used again in the future?

azaydak, over 8 years ago
Quick question for you all. Just two days ago I registered two domain names at dynu (not dyn). Early this morning I got a cold call from a company in India who knew the domain names and my phone number and was calling to ask if I wanted them to help me manage my website cheaply. Also, this morning I got a spam text from someone who claimed to be godaddy offering the same thing. Now I protect my number really well so this is the first time in 5+ years that I ever got spam texts or calls to my number. Do you think Dynu was also hacked?! Or maybe Dynu sells client numbers (which is how the guy in India claimed to get my number) and it was just by random chance that this happened at the same time as the Dyn hack.

atsidi, over 8 years ago
I've been having the same problem accessing github in particular. Just for fun, I opened the Opera browser and activated the built-in VPN. That got everything going again. At least for browsing, not so useful for my git pulls and pushes.

LeanderK, over 8 years ago
Can someone explain why this is so bad? I think the internet handled the downtime of Dyn pretty great, not reaching github wasn't exactly pleasing, but I added the ip temporarily to /etc/hosts and the problem was solved. Isn't the best strategy to accept that attacks will continue and systems may go down and design for resilience? If so this attack can serve as a warning and as a check that we can handle these types of attacks. I am a bit exaggerating, but I would imagine that constant attacks keep the internet resilient and healthy. An unchallenged internet may be the greater risk.

adamrights, over 8 years ago
We were affected @WSJ as well.

DenisM, over 8 years ago
The DDoS problems, at least those not related to spoofing IPs, could be curtailed if we provide a strong incentive to the ISPs to work on it.

Let's hold the ISPs financially liable for the harmful traffic that comes from their network. If a client reports a harmful IP to the ISP, every bit of subsequent traffic sent from that IP to this client carries a penalty.

Yeah, I know, routing tables are small, yada yada. If we put thumbscrews to the ISPs they will find a way to block a few thousand IPs of the typical botnet, even if it requires buying new switches from Cisco & co.

Incentives drive behavior.

jtmarmon, over 8 years ago
Semi related: I noticed this incident right when it began, but not because I was trying to access a website. This started happening to me: http://imgur.com/PPlaY5o

Then when I went to push to github out of fear my computer was about to soil itself, that failed too, and I noticed the outage.

Does anyone know if the above errors could be related to the outage? I'm using vim inside tmux with zsh as my shell. Maybe zsh does some kind of communication with gh while running?

I restarted my computer and it's still happening

mdtancsa, over 8 years ago
Anyone know any details of what the attack looks like ? I had a quick look in my (albeit small) network to look for odd flows going to their ASN33517, but didn't see much that looked odd on first glance...

elmigranto, over 8 years ago
I've managed to (seemingly) save my browsing with Yandex DNS:

    77.88.8.8
    77.88.8.1

https://dns.yandex.ru

peatmoss22, over 8 years ago
Need to get in to dyn.com to download your zone files add this to your hosts file:

    204.13.248.106 www.dyn.com
    204.13.248.106 dyn.com
    216.146.41.66 manage.dynect.net
    151.101.33.7 static.dyn.com

metaverse, over 8 years ago
While my app isn't resolved using DYN, we are relying on APIs on our EC2 backend that use their DNS. Is there a Linux DNS caching server that will serve from a local cache primarily, and do lookups in the background instead to update the local cache? During the period DYN was down, it would've continued serving from the local cache and retried the background lookups, keeping my app up. I can also see it improving performance as my servers currently do lookups to the EC2 DNS on each http request...

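The last-known-good behaviour that bhauer proposes near the top of the thread, and that metaverse asks about above, as an added Python sketch (not code from any commenter or from a real resolver). The class and function names, `example.com`, the documentation address `192.0.2.10` and the 8-hour stale window are constructed for illustration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class UpstreamError(Exception):
    """Raised by the upstream lookup when the authority cannot be reached."""


@dataclass
class Entry:
    addresses: List[str]
    fetched_at: float  # clock value when the answer was obtained
    ttl: int           # authority-provided TTL, in seconds


@dataclass
class Answer:
    addresses: List[str]
    stale: bool        # True: last-known-good data served past its TTL
    age: float         # seconds since the data was fetched


class ServeStaleCache:
    """Cache that honours the TTL while the authority answers and falls back
    to expired data, flagged as stale, for at most max_stale seconds."""

    def __init__(self, upstream: Callable[[str], Tuple[List[str], int]],
                 max_stale: int, clock: Callable[[], float] = time.monotonic):
        self.upstream = upstream
        self.max_stale = max_stale
        self.clock = clock
        self.cache: Dict[str, Entry] = {}

    def resolve(self, name: str) -> Answer:
        now = self.clock()
        entry = self.cache.get(name)
        if entry and now - entry.fetched_at < entry.ttl:
            return Answer(entry.addresses, False, now - entry.fetched_at)
        try:
            # TTL expired (or no entry): always try the authority first.
            addresses, ttl = self.upstream(name)
        except UpstreamError:
            if entry and now - entry.fetched_at < entry.ttl + self.max_stale:
                # Refresh failed: serve last-known-good, with the flag set so
                # callers can tell the data is older than the owner intended.
                return Answer(entry.addresses, True, now - entry.fetched_at)
            # Nothing cached, or the administrator's window has run out.
            self.cache.pop(name, None)
            raise
        self.cache[name] = Entry(addresses, now, ttl)
        return Answer(addresses, False, 0.0)


def simulate_outage():
    """Replay a constructed timeline: authority up, then down for hours."""
    now, reachable, calls = [0.0], [True], [0]

    def upstream(name):
        calls[0] += 1
        if not reachable[0]:
            raise UpstreamError(name)
        return ["192.0.2.10"], 300  # constructed answer, TTL 300 s

    cache = ServeStaleCache(upstream, max_stale=8 * 3600,
                            clock=lambda: now[0])
    log = []
    timeline = [(0, True), (100, True), (400, False),
                (20000, False), (30000, False)]
    for t, up in timeline:
        now[0], reachable[0] = float(t), up
        try:
            ans = cache.resolve("example.com")
            log.append((t, ans.addresses, ans.stale))
        except UpstreamError:
            log.append((t, None, None))
    return log, calls[0]


if __name__ == "__main__":
    for row in simulate_outage()[0]:
        print(row)
```

The trade-off is visible in the flag: a stale answer may point at an address the owner has since moved away from, so the window should be bounded and the stale state surfaced to callers rather than hidden.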
octoploid, over 8 years ago
It is spreading to other DNS providers, too: https://status.fastly.com/

www.ft.com is unreachable for example.

mmaunder, over 8 years ago
Third attack underway: https://twitter.com/AlexJamesFitz (as of 10 mins ago)

anonymousjunior, over 8 years ago
No idea if this would work, but could people theoretically just ping flood the IOT devices involved to mitigate the attack?

They run some sort of web server since most devices provide some web interface, so clearly there's a port open which could be hit if the IP is known, and with the shoddy security in these devices I'd wonder if their local (likely low performance) hardware would be susceptible to something as simple as a ping flood attack.

leesalminen, over 8 years ago
Boulder here. Can't resolve Wufoo or PayPal using 8.8.8.8

paulddraper, over 8 years ago
I thought DNS (particularly public) was basically immune to DDoS?

If one DNS server is down, use the cached result or another server.

DNS is some of the most distributable, cachable data I can imagine.

r1ch, over 8 years ago
Surprised to see so many big names relying on a single provider. DNS is designed to be distributed, it should be possible to avoid a single point of failure.

fatherzeus, over 8 years ago
For people in need of the IPs for their respective services. You can find them here: ipaddress.com or any of the other similar services

wweiss1230, over 8 years ago
How can I, a proficient web developer but one with little experience working directly with its underlying infrastructure, help in whatever effort is being done to thwart this and related attacks? I feel a moral obligation to help as these attacks seem a grave threat to our economy and could cause unrest given the current political climate. Thanks.

danyork, over 8 years ago
https://cloudharmony.com/status-for-dyn is now (12:43pm EDT) showing Dyn's "US East" and "US West" centers as being down. Anyone know anything about this Cloudharmony service? How often does it update? and what is it monitoring?

djhworld, over 8 years ago
At work earlier we were seeing hostname resolution errors with applications trying to contact amazon s3 from on premises infrastructure.

This was in eu-west-1, but it coincided with a bunch of other systems in the organisation having problems at the same time.

Additionally CloudWatch logs seemed to be completely broken for about 30 minutes on the Amazon Console.

arp, over 8 years ago
Here's how to add static mappings temporarily to survive through the outage:

https://www.reddit.com/r/sysadmin/comments/58o5mp/dyn_dns_ddos_pt_2/d923yvw/

dudul, over 8 years ago
And there is no twitter to tweet about it!!!

x2398dh1, over 8 years ago
Currently I am able to get into every site on the web, including GitHub, by using a VPN service based in Hong Kong.

RRRA, over 8 years ago
Those distributed alternatives look better everyday... if only there was a working group and a transitional path.

cyberferret, over 8 years ago
Hmm... Seems to be quite widespread. Some of our Amazon AWS services (located in the US) that rely on SQS are reporting critical errors. Intercom.io is also down at present, which we use for support for our web apps. Not looking very good from here (in Australia).

pmuk, over 8 years ago
I'm getting DNS errors on my PS4 when trying to download stuff, I guess it's related!

foxhop, over 8 years ago
So I had hardcoded my DNS server to Google's, aka:

    dig @8.8.4.4 github.com +short

I was not getting an answer.

However using my routers/dhcp/ISP to set my DNS server, I am able to get answers:

    dig github.com +short
    192.30.253.112

edgartaor, over 8 years ago
I'm curious. What kind of infrastructure you need to make this massive attack?

dmalvarado, over 8 years ago
This may be dumb, but someone enlighten me:

If this kind of attacking does escalate, wouldn't it be possible to simply cut off requests from outside the United States at the points of entry? Basically, turning the US into an intranet?

dboreham, over 8 years ago
What this event shows is that using DNS as a load routing/balancing mechanism is a bad idea (because that's why folks have low TTL and an inability to specify truly redundant secondaries).

cultavix, over 8 years ago
Not sure if related but circleci.com is down for us due to a "DNS issue" !

kilroy123, over 8 years ago
Interesting. Lots of sites have been down for me, here in Mexico City. Twitter. Github. Loads of other random sites. When I turned on my US based VPN. It all started working again.

wav-part, over 8 years ago
Why is there even a concept of managed DNS ? Aren't we already paying >$1M/yr so that we can get 32 bit integer from a string ? This does not make sense.

dev_1024, over 8 years ago
How come you can access these sites from some countries? I imagine there are lots of name servers and that the attackers are specifically targeting servers for US?

nbrempel, over 8 years ago
It's a strange coincidence that Hover DNS was down for same reason a week ago.

http://hoverstatus.com

Rapzid, over 8 years ago
Looks like github and braintree both got AWS dns servers mixed in about the same time. Did they both switch over or is Dyn working with AWS on this?

lips, over 8 years ago
How many DNS services ala Dyn exist? Is it not still massively significant that a successful attack can be launched on even one of these?

adobrawy, over 8 years ago
Twitter and GitHub are down on Scaleway (AS12876) and Tiktalik (Warsaw, Poland, Europe, AS198717) network too (no response from dynect.net).

Kluny, over 8 years ago
Highrise seems to be having problems, as seen by email errors when we forward email to Highrise dropboxes.

llamataboot, over 8 years ago
Heroku is still having problems as well

alexmorenodev, over 8 years ago
Here in Brazil things are pretty slow.

"Oh, maybe it's our shitty ISP screwing up everything again."

No, it's in a bigger scale.

tbarbugli, over 8 years ago
Github does not work for 100% the time

Animats, over 8 years ago
Github is currently inaccessible. Can you still compile Rust programs that depend on Github files?

zappo2938, over 8 years ago
Explains why the Heroku API is down.

kakarot, over 8 years ago
Don't be a dick. I'm sure their staff has a giant collective migraine right now.

Kaedon, over 8 years ago
What other providers would you recommend than Dyn? Route53? Cloudflare? Something else?

ifelsehow, over 8 years ago
Reposting imglorp's comment on the root of the comment tree, as it's buried currently. This should restore service for those desperately needing to access Github etc ;)

> ....point your machine or router's DNS to use opendns resolvers instead of your regular ones: 208.67.222.222 and 208.67.220.220

tbarbugli, over 8 years ago
I am very surprised this is not getting that much attention on national news.

im3w1l, over 8 years ago
Fascinating weak spot!

d--b, over 8 years ago
Looks like at least some of it is resolved. spotify is back

Raed667, over 8 years ago
You can add Netflix to the list.

    GET https://art-s.nflximg.net net::ERR_NAME_RESOLUTION_FAILED
    GET https://assets.nflxext.com net::ERR_NAME_RESOLUTION_FAILED

BlackGuyCoding, over 8 years ago
Anyone having any issues with WhatsApp? Mobile text seems to work fine but all images fail, Desktop & web browser aren't connecting at the moment (west coast)

CarVac, over 8 years ago
Using Google Public DNS fixed things for me.

mirekrusin, over 8 years ago
Github doesn't work again for me :(

invisiblep, over 8 years ago
Why not use:

OpenDNS - recursive DNS

Cloudflare (DNS only) - authoritative DNS

Both services are free and distributed across the world.

Artemis2, over 8 years ago
PayPal, Braintree, Spreedly down. Some companies are going to lose money today...

darkmouth, over 8 years ago
and it's down again

eredi93, over 8 years ago
and the attacker are back. DDoS v2 is here

halayli, over 8 years ago
github.com seems to be down because of this.

middleman90, over 8 years ago
Shopify is down

transfire, over 8 years ago
Oo oo, I know! Iran did it!

piker, over 8 years ago
CNN.com is knocked out by this attack as well. I could see that as a useful target.

transfire, over 8 years ago
Must be trying to stop the latest Julian Assange leak.

ilostmykeys, over 8 years ago
The Internet is so resilient. LOLz.

chatmasta, over 8 years ago
I'd like to see proof of this attack from an outside network observer.

Is it possible the government could force a DNS provider to pretend to fall victim to a DDoS attack, as a form of a false flag cyber attack?

brooklyndude, over 8 years ago
Why does it always have to be a "Nation State", have been hanging out with 17 year olds that knew far more about DNS configs than a room of "Cyber-Security-Professionals", they were clueless, these kids could run circles around them.

Kids.

raemike123, over 8 years ago
USA cyber defenses are NOT up to the task of defending our critical electronic infrastructure. Letting every company that runs critical services decide their own security posture is not scalable and has left us vulnerable. While no one is getting hurt, we are taking cyber missile hits from our enemies and eventually the damage will be worse. Other countries with more central controls will be less vulnerable than we are to crippling infrastructure take downs.