
SANS ISC: Dyn.com DDoS Attack - SANS Internet Storm Center SANS ISC InfoSec Forums


Dyn.com DDoS Attack

Dyn.com, a popular dynamic DNS provider and provider of commercial managed DNS services, is currently experiencing a massive DDoS attack. As a result, many sites that are using Dyn.com's services are experiencing issues.

Affected are not just home/hobby sites that traditionally use dynamic DNS services, but also large "name brand" sites that use Dyn.com's managed DNS service, for example Twitter, Spotify, Etsy, GitHub and others (domains hosted by Dyn.com often use *.dynect.net name servers).

You can find status updates from Dyn.com here: https://www.dynstatus.com

---
Johannes B. Ullrich, Ph.D.

Johannes

2835 Posts
ISC Handler
I don't have any IOT gadgets to exploit, but clearly lots of people do. Please have one of your experts write a tutorial about how homeowners or small businesses can use their firewall or router to block out-bound, inappropriate, traffic from IOT crap they have on their network. Obviously this needs to evolve to be more effective, but what can we do NOW?
Bill

1 Posts
The scale of this is quite astounding; it's even reached mainstream news media as a banner article: http://www.cnbc.com/2016/10/21/major-websites-across-east-coast-knocked-out-in-apparent-ddos-attack.html
amcgregor

8 Posts
That is the price we are paying for the concentration in internet business...
Anonymous

Posts
This is the price we are paying for the ongoing concentration among ISPs. Defense from DDoS needs Distributed Internet Service Providers ...
Anonymous

Posts
Curious to know Dyn DNS setup. NSLOOKUP lists 7 name servers for Dyn. Are they using Anycast DNS, Geo DNS or other means to protect against attacks?

If a site is well protected, the attacker can still bring it offline by attacking the name servers.
Most company sites have anti-DDoS protection, but how well do they secure their DNS services?
Will we see more attacks via a company's DNS servers?

Something to think about...
Mike7

39 Posts
Just for the record ...

Some of the affected sites "rely" on DYN, and some "use" DYN ...


CNBC.com nameserver = ns1.p24.dynect.net
CNBC.com nameserver = ns2.p24.dynect.net
CNBC.com nameserver = ns3.p24.dynect.net
CNBC.com nameserver = ns4.p24.dynect.net

Amazon.com nameserver = ns1.p31.dynect.net
Amazon.com nameserver = ns2.p31.dynect.net
Amazon.com nameserver = ns3.p31.dynect.net
Amazon.com nameserver = ns4.p31.dynect.net
Amazon.com nameserver = pdns1.ultradns.net
Amazon.com nameserver = pdns6.ultradns.co.uk

Twitter.com nameserver = ns1.p34.dynect.net
Twitter.com nameserver = ns2.p34.dynect.net
Twitter.com nameserver = ns3.p34.dynect.net
Twitter.com nameserver = ns4.p34.dynect.net

Spotify.com nameserver = ns2.Spotify.com
Spotify.com nameserver = ns3.Spotify.com
Spotify.com nameserver = ns4.Spotify.com
Spotify.com nameserver = ns5.Spotify.com

PayPal.com nameserver = ns1.p57.dynect.net
PayPal.com nameserver = ns2.p57.dynect.net
PayPal.com nameserver = pdns100.ultradns.net
PayPal.com nameserver = pdns100.ultradns.com
PayPal.com nameserver = ppns1.phx.PayPal.com
PayPal.com nameserver = ppns2.phx.PayPal.com

Netflix.com nameserver = ns-81.awsdns-10.com
Netflix.com nameserver = ns-659.awsdns-18.net
Netflix.com nameserver = ns-1372.awsdns-43.org
Netflix.com nameserver = ns-1984.awsdns-56.co.uk

Hmm. SPOTIFY (currently) has no reliance on DYN. Did they migrate away?
Anonymous

Posts
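Added example (not part of the thread or any poster's code): the "rely" versus "use" distinction in the listing above, computed by grouping each zone's nameservers by operator and flagging zones whose whole delegation sits with one operator. The listing is a subset of the lines posted above; the operator label is a naming heuristic assumed for this sketch, not a registry lookup.

```python
import re
from collections import defaultdict

# Subset of the nslookup-style lines posted in the comment above.
LISTING = """\
CNBC.com nameserver = ns1.p24.dynect.net
CNBC.com nameserver = ns2.p24.dynect.net
Amazon.com nameserver = ns1.p31.dynect.net
Amazon.com nameserver = pdns1.ultradns.net
Amazon.com nameserver = pdns6.ultradns.co.uk
Twitter.com nameserver = ns1.p34.dynect.net
Spotify.com nameserver = ns2.Spotify.com
PayPal.com nameserver = ns1.p57.dynect.net
PayPal.com nameserver = pdns100.ultradns.net
PayPal.com nameserver = ppns1.phx.PayPal.com
Netflix.com nameserver = ns-81.awsdns-10.com
Netflix.com nameserver = ns-1984.awsdns-56.co.uk
"""

TWO_LEVEL_SUFFIXES = {"co.uk"}  # assumption: the only such suffix in this listing

def provider(zone, ns):
    """Heuristic operator label for a nameserver host name (assumed, not authoritative)."""
    zone, ns = zone.lower().rstrip("."), ns.lower().rstrip(".")
    if ns == zone or ns.endswith("." + zone):
        return "self-hosted"
    labels = ns.split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    # Collapse numbered shards (awsdns-10, awsdns-56) into one operator label.
    return re.sub(r"-\d+$", "", labels[-n])

def parse(listing):
    """Map each zone to the set of operator labels serving it."""
    zones = defaultdict(set)
    for line in listing.splitlines():
        m = re.match(r"\s*(\S+)\s+nameserver\s*=\s*(\S+)\s*$", line)
        if m:
            zones[m.group(1).lower()].add(provider(m.group(1), m.group(2)))
    return dict(zones)

def single_provider_zones(zones, name):
    """Zones whose entire NS set belongs to one named operator."""
    return sorted(z for z, ops in zones.items() if ops == {name})

if __name__ == "__main__":
    zones = parse(LISTING)
    for zone, ops in sorted(zones.items()):
        print(f"{zone:12} {len(ops)} operator(s): {', '.join(sorted(ops))}")
    print("Dyn only:", single_provider_zones(zones, "dynect"))
```

The same check can be run against fresh `nslookup -type=NS` output for your own zones; a zone that comes back with a single operator label has no DNS fallback if that operator is unreachable.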
A number of customers did migrate away, including GitHub. I can't confirm Spotify specifically migrated DNS providers to mitigate, but it stands to reason.
amcgregor

8 Posts
Besides using multiple DNS providers, any other best practices, such as the TTL value?
Steve

5 Posts
See the "Briefing" article for a bit more about this. But TTLs are tricky. Long TTLs will limit the damage of a DDoS attack against your DNS service, but they can make it harder to mitigate an attack against your Web or Mail server. It is important to find the right balance. I don't think there is a "one size fits all" solution.
Johannes

2835 Posts
ISC Handler
