21 Oct 16

DDoS on Dyn Impacts Twitter, Spotify, Reddit

Criminals this morning massively attacked Dyn, a company that provides core Internet services for Twitter, SoundCloud, Spotify, Reddit and a host of other sites, causing outages and slowness for many of Dyn’s customers.

Twitter is experiencing problems, as seen through the social media platform Hootsuite.


In a statement, Dyn said that this morning, October 21, Dyn received a global distributed denial of service (DDoS) attack on its DNS infrastructure on the east coast starting at around 7:10 a.m. ET (11:10 UTC).

“DNS traffic resolved from east coast name server locations are experiencing a service interruption during this time. Updates will be posted as information becomes available,” the company wrote.

Dyn encouraged customers with concerns to check the company’s status page for updates and to reach out to its technical support team.

A DDoS is when crooks use a large number of hacked or ill-configured systems to flood a target site with so much junk traffic that it can no longer serve legitimate visitors.

DNS refers to Domain Name System services. DNS is an essential component of all Web sites, responsible for translating human-friendly Web site names like “example.com” into numeric, machine-readable Internet addresses. Anytime you send an e-mail or browse a Web site, your machine is sending a DNS look-up request to your Internet service provider to help route the traffic.

ANALYSIS

The attack on Dyn comes just hours after Dyn researcher Doug Madory presented a talk on DDoS attacks in Dallas, Texas at a meeting of the North American Network Operators Group (NANOG). Madory’s talk — available here on Youtube.com — delved deeper into research that he and I teamed up on to produce the data behind the story DDoS Mitigation Firm Has History of Hijacks.

That story (as well as one published earlier this week, Spreading the DDoS Disease and Selling the Cure) examined the sometimes blurry lines between certain DDoS mitigation firms and the cybercriminals apparently involved in launching some of the largest DDoS attacks the Internet has ever seen. Indeed, the record 620 Gbps DDoS against KrebsOnSecurity.com came just hours after I published the story on which Madory and I collaborated.

The record-sized attack that hit my site last month was quickly superseded by a DDoS against OVH, a French hosting firm that reported being targeted by a DDoS that was roughly twice the size of the assault on KrebsOnSecurity. As I noted in The Democratization of Censorship — the first story published after bringing my site back up under the protection of Google’s Project Shield — DDoS mitigation firms simply did not count on the size of these attacks increasing so quickly overnight, and are now scrambling to secure far greater capacity to handle much larger attacks concurrently.

The size of these DDoS attacks has increased so much lately thanks largely to the broad availability of tools for compromising and leveraging the collective firepower of so-called Internet of Things devices — poorly secured Internet-based security cameras, digital video recorders (DVRs) and Internet routers. Last month, a hacker by the name of Anna_Senpai released the source code for Mirai, a crime machine that enslaves IoT devices for use in large DDoS attacks. The 620 Gbps attack that hit my site last month was launched by a botnet built on Mirai, for example.

Interestingly, someone is now targeting infrastructure providers with extortion attacks and invoking the name Anna_senpai. According to a discussion thread started Wednesday on Web Hosting Talk, criminals are now invoking the Mirai author’s nickname in a bid to extort Bitcoins from targeted hosting providers.

“If you will not pay in time, DDoS attack will start, your web-services will
go down permanently. After that, price to stop will be increased to 5 BTC
with further increment of 5 BTC for every day of attack.

NOTE, i’m not joking.

My attack are extremely powerful now – now average 700-800Gbps, sometimes over 1 Tbps per second. It will pass any remote protections, no current protection systems can help.”

Let me be clear: I have no data to indicate that the attack on Dyn is related to extortion, to Mirai or to any of the companies or individuals Madory referenced in his talk this week in Dallas. But Dyn is known for publishing detailed writeups on outages at other major Internet service providers. Here’s hoping the company does not deviate from that practice and soon publishes a postmortem on its own attack.

Update, 3:50 p.m. ET: Security firm Flashpoint is now reporting that they have seen indications that a Mirai-based botnet is indeed involved in the attack on Dyn today. Separately, I have heard from a trusted source who’s been tracking this activity and saw chatter in the cybercrime underground yesterday discussing a plan to attack Dyn.

Update, 10:22 a.m. ET: Dyn’s status page reports that all services are back to normal as of 13:20 UTC (9:20 a.m. ET). Fixed the link to Doug Madory’s talk on Youtube, to remove the URL shortener (which isn’t working because of this attack).

Update, 1:01 p.m. ET: Looks like the attacks on Dyn have resumed and this event is ongoing. This, from the Dyn status page:

This DDoS attack may also be impacting Dyn Managed DNS advanced services with possible delays in monitoring. Our Engineers are continuing to work on mitigating this issue.
Oct 21, 16:48 UTC
As of 15:52 UTC, we have begun monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Our Engineers are continuing to work on mitigating this issue.
Oct 21, 16:06 UTC


175 comments

  1. 1.) I highly appreciate shane’s helpful posts.(and not the trolling of the knowbetter’s)
    2.) I also appreciate BK’s research into the underwear of these naughty kids.
    3.) I am sitting here waiting for the bust and the publication of the indictment.
    4.) I am waiting for news from Israel regarding the 2 kids released on bail.

    • “3.) I am sitting here waiting for the bust and the publication of the indictment.”

      While you’re waiting, be sure to continue breathing, eating and sleeping. You may be waiting a long time and there may never be an indictment.

  2. I am not a network expert. I have been reading Krebs for a long time however. I read frequently about other cybercrimes and the immense quantity of monetary loss from financial institutions and read daily about data theft.

    If the internet was a physical lock.. it would be declared defective. Nobody would install a lock on their vault with the same record as the internet.

    Nice try I say. It was fun.. But the current internet is a complete failure when it comes to security. It shouldn’t be this hard to remain secure, and it shouldn’t be this hard to access Playstation Network, which is down monthly from DDoS attacks.

    What the world needs is Internet 2.0. I respect the work so many people have done.. but like any complex piece of software (I am a non-network programmer) you eventually reach a place where you admit, no amount of patching is going to fix your product..

    It’s time for a complete rewrite.

    • Agreed. The way forward is to use the architecture of the public switched telephone network (PSTN) in conjunction with broadband transmission, circuit-switched with time-division multiplex (TDM) rather than packet-switched, and with a 12-digit geographically fixed numbering plan plus three-digit country codes, and with four-digit extensions for customer premises devices. Think ISDN with expanded numbering space and high bandwidth.

      Yes this will still enable Netflix and online gaming, since those things appear to be more important to “consumers” than whether their bank accounts get cleaned out or the power grid gets taken down. The difference being that bank accounts won’t be getting cleaned out by the millions, and critical infrastructure won’t be vulnerable to sociopaths.

      It will also put an end to spam, domain name squatting, DDoS attacks, phishing, and a host of other evils spawned by the present Ayn Randian dream turned nightmare.

      Hobbyist infrastructure and libertarian grudges against government, do not a vital utility make. It’s time to get serious.

      • Are you serious? You want to ditch packet switched networks and go back to the way we had (still have in some cases) data transferred in the past? Using TDM will do nothing for security and will further complicate the way data flows.

        We had ISDN and TDM based internet connections as a standard back in the 90’s, and ya know what? They were still connected to routers that could have been vulnerable. Good luck trying to get AT&T or any ISP to extend their support for TDM based technologies. They are trying to ditch DS1/DS3’s as quickly as possible. Most ISP’s don’t even offer true TDM networks anymore. It is a TDM to fiber handoff that the ISP uses packet based switching on the backend to route.

        The security needs to come in common sense management of devices that are plugged in the internet. Coding that doesn’t suck and wasn’t produced by companies paying developers pennies on the hour. The standardization and an ease of use for DNSSEC.

        Your suggestion of rolling back the clock is just unrealistic sir.

    • lol really, the NSA/America are the reason it is insecure in the first place, and if there was a rewrite they would insist on having backdoors, rendering it insecure. While there’s the NSA and other state-based security apparatus the net won’t be secure.
      They will make sure of it by hook or by crook.

    • The new Internet is already being built. It’s called web3.0 (not 2.0–you’re already on web2.0). Search web3.0 and check out the Ethereum blockchain.

      • You mean an infrastructure that gets hard-forked every few weeks and where “the code is the contract” only applies as long as nobody actually uses it to that effect?

    • Mynne,

      With all due respect, I think what you are advocating ain’t gonna happen. I look at how much trouble we’re having migrating the entire planet to IPv6, and I just despair. Furthermore, a lot of those IoT devices have no way to be updated, so if we tried to do as you suggest, those IoT thingys would still be out there, and there would have to be some backwards compatibility functionality, which could still be exploited. Furthermore, look at how much trouble we have getting the ISPs to implement RFC 3704 or BCP 84. It seems the ISPs have no trouble filtering content from their competitors, but they don’t have the cycles to stop packets from Mars.

      However, you’re not the first person who has suggested re-writing the Internet to make it more secure. So, and I really want to bend over backwards not to sound rude, because that’s not my intent at all, if you could re-write the internet to make it more secure, how would you do that? Would widespread adoption of IPsec be sufficient for you? Do you have something else in mind?

  3. norse attack map was down as well

  4. For those of you interested to know more about other actors connected to VDOS, we will be releasing information about other stressers including booter.xyz, stressit.org in the next days at http://www.spoofit.org

    We just recovered from a 36h non stop denial of service attack but the stories will keep flowing.

  5. Consider this: What will happen if a similar or larger attack occurs between November 7th and 9th?

  6. I was just at the #ISACA #CSXNA 2016 conference and heard your speech. The entire conference was fantastic. What I’m about to say is probably not new but I’ll put it on here anyway. I tell my students “Data is the new currency.” This is my personal quote. Taking the topics from the #CSXNA 2016 here’s my take: we have #FIRMWARE in many of these devices that dates back to the late 90s. We have kids that can get Raspberry Pi’s v.3 with wired and wireless connectivity and they’re curious, excited, smart, and tech savvy. We have an #ICS, #SCADA, #SMARTGRID technology power system which is IP addressable that is virtually open to the public. We have state sponsored players and crime syndicate players who know these things also. And we have a school, college, and university system of education stuck in the 1980’s where these students are bored stiff and disillusioned. Finally this is the second or third attack if I’m not mistaken. Now look at the US attack map. See a pattern? It hit the upper east coast, then the Nevada and CA area. Anyone remember last year’s brutally cold winter on the east coast? Anyone remember where they had to draw extra power from to support keeping the east coast going and people warm? Anyone see a pattern here? Just my thoughts. Jump in anyone at anytime to pose an alternative view point. Universities/Colleges/K-12 HAVE to come down out of their Ivory Towers and get in the trenches with the rest of us so we can work together to start utilizing the innate talent in these next generations so we can protect and defend our nation and those of other nations who are fighting the same battles.

  7. A lot of smaller sites whose DNS was handled by them were affected too.
    I have a hosts file so my sites always resolve for me, but for others they were down.
    The Pingdom alerter kept bugging me yesterday.

  8. Do you know Chinese?
    Sir/Madam:
    Hello! I am sorry to hear that your company was hit by a DDoS attack. I work on botnet monitoring in China. At Beijing time “2016-10-21 23:48:17” we observed a C2 located inside your country (the United States) conducting a DDoS attack against the United States. I do not know your company’s network IP range, so I am writing specifically to confirm with you: {“ID”: 37, “Time_Modify”: “2016-10-21 23:48:17”, “Time_Create”: “2016-10-21 23:48:17”, “Threat_Name”: “Trajon/Linux.Mayday”, “C2_IP”: “205.164.……”, “C2_Port”:……, “C2_Domain”: “”, “Command_Type”: “DDoS”, “Atk_Detailed”: {“Atk_Time”: “10s”, “Payload_Size”: 75, “Reserve”: “”, “Num_threads”: 1, “Atk_Count”: 1, “Atk_Type”: “tcp flood”, “Atk_Info”: [{“Atk_Domain”: “”, “Atk_IP”: “104.223.133.43”, “Atk_Port”: 80}]}}
    {“ID”: 38, “Time_Modify”: “2016-10-21 23:48:17”, “Time_Create”: “2016-10-21 23:48:17”, “Threat_Name”: “Trajon/Linux.Mayday”, “C2_IP”: “104.37……”, “C2_Port”: ……, “C2_Domain”: “”, “Command_Type”: “DDoS”, “Atk_Detailed”: {“Atk_Time”: “10s”, “Payload_Size”: 75, “Reserve”: “”, “Num_threads”: 4, “Atk_Count”: 1, “Atk_Type”: “tcp flood”, “Atk_Info”: [{“Atk_Domain”: “”, “Atk_IP”: “104.223.133.43”, “Atk_Port”: 80}]}}
    Alternatively, you could provide your IPs to us so that we can match them against our monitoring data.
    PS: I also want to show that the C2 behind the attack on your network did not come from our country.
    If you reply, please write to 1483122458@qq.com, thank you!
    Wishing you smooth sailing and safety!

    • I can’t read Chinese, but I have access to something called Google Translate. I’m not going to post the translation because this appears to be spam.

      Brian, I would delete the comment.

      • Hi Bruce Hobbs! Thanks for your deleting the comment, but I want to say it is not spam! It is my botnet auto-monitor data, please respect my achievements, thank you!
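The records in the comment above are JSON objects that were pasted through a web form, so their quotes have been turned into typographic quotes and would not load as-is, and the matching the commenter asks for (does any target fall inside your own address space?) is a one-function job once they parse. The following is an added example, my code rather than the commenter’s or any monitoring service’s: it normalizes the quotes, parses one record per line, and reports which `Atk_IP` values fall inside prefixes the defender supplies. The two records are constructed in the posted shape; the C2 addresses and ports are documentation-range placeholders for the values elided in the post, the `Threat_Name` is spelled as posted, and the target address in record 37 is the one the comment shows.

```python
import ipaddress
import json

# Constructed records in the shape of the posted feed. C2 addresses/ports are
# documentation-range placeholders (RFC 5737), not the elided values from the post.
SAMPLE_FEED = """
{“ID”: 37, “Time_Modify”: “2016-10-21 23:48:17”, “Time_Create”: “2016-10-21 23:48:17”, “Threat_Name”: “Trajon/Linux.Mayday”, “C2_IP”: “203.0.113.7”, “C2_Port”: 8080, “C2_Domain”: “”, “Command_Type”: “DDoS”, “Atk_Detailed”: {“Atk_Time”: “10s”, “Payload_Size”: 75, “Reserve”: “”, “Num_threads”: 1, “Atk_Count”: 1, “Atk_Type”: “tcp flood”, “Atk_Info”: [{“Atk_Domain”: “”, “Atk_IP”: “104.223.133.43”, “Atk_Port”: 80}]}}
{“ID”: 38, “Time_Modify”: “2016-10-21 23:48:17”, “Time_Create”: “2016-10-21 23:48:17”, “Threat_Name”: “Trajon/Linux.Mayday”, “C2_IP”: “198.51.100.9”, “C2_Port”: 8080, “C2_Domain”: “”, “Command_Type”: “DDoS”, “Atk_Detailed”: {“Atk_Time”: “10s”, “Payload_Size”: 75, “Reserve”: “”, “Num_threads”: 4, “Atk_Count”: 1, “Atk_Type”: “tcp flood”, “Atk_Info”: [{“Atk_Domain”: “”, “Atk_IP”: “192.0.2.44”, “Atk_Port”: 80}]}}
"""

# Typographic quotes that web forms and word processors substitute for ASCII ones.
_QUOTE_MAP = str.maketrans({"“": '"', "”": '"', "‘": "'", "’": "'"})


def normalize_quotes(text: str) -> str:
    """Turn curly quotes back into the ASCII quotes JSON requires."""
    return text.translate(_QUOTE_MAP)


def parse_feed(text: str) -> list:
    """Parse a feed with one JSON record per non-empty line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        records.append(json.loads(normalize_quotes(line)))
    return records


def match_targets(records: list, prefixes: list) -> list:
    """Return (record ID, target IP, target port, matching prefix) for every
    Atk_Info entry whose Atk_IP lies inside one of the supplied CIDR prefixes."""
    networks = [(p, ipaddress.ip_network(p, strict=False)) for p in prefixes]
    hits = []
    for rec in records:
        for target in rec.get("Atk_Detailed", {}).get("Atk_Info", []):
            ip = ipaddress.ip_address(target["Atk_IP"])
            for label, net in networks:
                if ip in net:
                    hits.append((rec["ID"], target["Atk_IP"], target["Atk_Port"], label))
                    break
    return hits


if __name__ == "__main__":
    # Assumed defender prefix, chosen to cover the address shown in the post.
    for hit in match_targets(parse_feed(SAMPLE_FEED), ["104.223.133.0/24"]):
        print("record %s targets %s:%s (in %s)" % hit)
```

The same parser works on records with IPv6 targets, since `ipaddress` handles both families; the one thing to watch when ingesting a real feed is that a record with a malformed address raises `ValueError`, which you would want to log and skip rather than let stop the run.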

  9. What I find particularly interesting and ironic is that DYN’s status page (dynstatus.com) has DNS for its domain hosted by HE.NET. As a result, when DYN’s so-called DNS infrastructure was being DDoS’d, their status page remained resolvable.

    This led me to reflect on the original silicon-valley days when these “DNS infrastructure” companies were first coming into vogue, and I resisted (and resented) their marketing via fear-mongering and scare tactics. In my opinion, the basic anycast DNS services these companies provide are no better than, if not inferior to, the free DNS services HE.NET provides anyone who wishes to sign up for it. In fact, third-party performance stats indicate that he.net’s free (as in zero cost) DNS offering is among the top three, performance-wise.

    Which just confirms my belief that the old adage of “you get what you pay for” falls apart when whimsical technology is involved.

  10. Insanity Repeated

    We can’t rely on users to secure their equipment. We keep preaching ‘security’ but the average Joe has no idea what we are talking about, or doesn’t care. Security MUST be baked into everything with a MAC. Everything! Set complex passwords on first power-up. Encryption enabled before connecting to anything automatically. If we expect users to ‘get it’ we really are doing the same thing over and over while expecting a different result.

  11. What if we configure to reply all unknown prefixes with 127.0.0.1? Will that help in DNS Water Torture Technique?
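Whatever an authoritative server answers for names that do not exist, the cost of a random-subdomain (“water torture”) flood comes from every query name being unique, so no cache between the attacker’s resolvers and the authoritative server can absorb it. The block below is an added example of mine, not code from the post, the commenter or Dyn, and it is detection rather than a fix: it aggregates a query log by base zone and flags a zone when it sees many distinct, high-entropy leftmost labels that mostly come back NXDOMAIN. The log line format, the thresholds, the zone names and the client addresses (from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) are all assumptions; the sample log is constructed inside the block.

```python
import math
import random
from collections import defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label ("www" -> 0.0, "mail" -> 2.0)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str, zone_depth: int = 2):
    """Return (leftmost label, base zone); the base zone is the last zone_depth labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= zone_depth:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-zone_depth:])


def parse_line(line: str):
    """Parse one assumed log line: '<timestamp> <client> <qname> <rcode>'."""
    ts, client, qname, rcode = line.split()
    return ts, client, qname, rcode


def analyze(lines, min_unique=25, min_mean_entropy=2.0, min_nx_ratio=0.5) -> dict:
    """Aggregate the whole log per base zone (no sliding window, to keep the example short)
    and flag zones whose mix of many distinct random-looking labels plus a high NXDOMAIN
    share looks like a random-subdomain flood rather than ordinary typos."""
    per_zone = defaultdict(lambda: {"labels": set(), "queries": 0, "nxdomain": 0})
    for line in lines:
        if not line.strip():
            continue
        _, _, qname, rcode = parse_line(line)
        label, zone = split_qname(qname)
        z = per_zone[zone]
        z["queries"] += 1
        z["labels"].add(label)
        if rcode == "NXDOMAIN":
            z["nxdomain"] += 1
    stats = {}
    for zone, z in per_zone.items():
        labels = [l for l in z["labels"] if l]
        mean_entropy = sum(label_entropy(l) for l in labels) / len(labels) if labels else 0.0
        nx_ratio = z["nxdomain"] / z["queries"]
        flagged = (len(labels) >= min_unique
                   and mean_entropy >= min_mean_entropy
                   and nx_ratio >= min_nx_ratio)
        stats[zone] = {"queries": z["queries"], "unique_labels": len(labels),
                       "mean_label_entropy": mean_entropy, "nxdomain_ratio": nx_ratio,
                       "flagged": flagged}
    return stats


def build_sample_log(seed: int = 7) -> list:
    """Constructed log: 12 normal lookups and 2 typos against example.com, then 40
    queries with random 8-character labels under victim.example (all NXDOMAIN)."""
    rng = random.Random(seed)
    clients = ["198.51.100.10", "198.51.100.11", "203.0.113.5"]
    lines = []
    for i, name in enumerate(["www", "mail", "api"] * 4):
        lines.append(f"2016-10-21T11:10:{i:02d} {clients[i % 3]} {name}.example.com NOERROR")
    lines.append("2016-10-21T11:10:12 198.51.100.10 wwww.example.com NXDOMAIN")
    lines.append("2016-10-21T11:10:13 203.0.113.5 maill.example.com NXDOMAIN")
    for i in range(40):
        label = "".join(rng.sample(ALPHABET, 8))  # 8 distinct characters: entropy exactly 3.0
        lines.append(f"2016-10-21T11:10:{14 + i % 46:02d} {clients[i % 3]} {label}.victim.example NXDOMAIN")
    return lines


if __name__ == "__main__":
    for zone, s in analyze(build_sample_log()).items():
        print(f"{zone}: {s['queries']} queries, {s['unique_labels']} labels, "
              f"entropy {s['mean_label_entropy']:.2f}, nx {s['nxdomain_ratio']:.2f}, "
              f"{'FLAGGED' if s['flagged'] else 'ok'}")
```

On a real resolver log you would run this over a time window rather than the whole file, and the NXDOMAIN criterion should be dropped for zones that answer everything (a wildcard or the 127.0.0.1 idea above), leaving label count and entropy as the signal.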

  12. Brian,
    Do you have any exact information on why bgp routes changed heavily during the Dyn DDoS attack? Is it by Dyn self healing or is there any simultaneous hijacking attempt?
    https://stat.ripe.net/widget/bgplay#w.resource=208.78.70.16

  13. Interesting read, we recently discussed online privacy on our latest podcast episode. Let us know what you think.

    http://onearmedpushup.libsyn.com

  14. Yes, there are some things users can do to reduce the chances their IoT devices are used in DDoS attacks, but laying the blame solely on them is like blaming drivers for accidents caused by manufacturing defects in their car’s brakes. Analysis here: http://realmofvincent.com/2016/10/23/how-responsible-are-consumers-for-the-insecurity-of-iot/

  15. The DDoS attack against Dyn last Friday was by no means the first one Dyn has reported. The logs from https://www.dynstatus.com/ show 94 occasions when a DDoS was attempted; the most recent before Friday was on Monday 17th.

    What sets this one apart seems to be the size of the attack and its impact on heavily-used websites and services. If Twitter had not been affected would this have received as much publicity?

  16. Financial dis-incentives for security in IoT devices vs. Set Top boxes and smart meters:
    Turns out that there are NO financial incentives for companies to have strong security in IoT devices.
    Once a device is shipped, the customer and the manufacturers only care if the device works, not if it can be used to attack other nodes. Secure login, secure boot, secure installation, design and code verification, vulnerability testing, etc. all get in the way of quick development/manufacturing and shipment.

    These IOT companies simply don’t care about security: there is no forcing function.

    OTOH, set-top boxes had to be secure because pirated content would result in lost revenue for Dish and Direct TV (the two companies I did security work for).

    Similarly, smart meter security has become a requirement (I ran North America product security for Itron), because electricity/gas/water could be stolen, service interruption could even kill people on life support, etc., i.e. there was a direct correlation between the impact on the customer, manufacturer and the service provider.

  17. How big was the DDoS attack on Dyn from 21st October 2016… Can’t seem to find it anywhere… I am guessing that it’s much bigger than 662 Gbps that hit your site… Can you put a number on it?

  18. While I understand that http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/ on 10/22 by Dyn Chief Strategy Officer Kyle York is just that, a “statement,” the claim:

    “service was restored at approximately 1:00 pm ET. [17:00 UTC]… While there was a third attack attempted, we were able to successfully mitigate it without customer impact”

    seems not to be supported by Dyn’s own incident timeline at https://www.dynstatus.com/incidents/nlr4yrr162t8, which appears to show issues until at least 22:00 UTC?

    OpenDNS’s SmartCache makes sense to me (since my first thought after learning this was DNS lookup related was creating a cache table of my own).

    However, I wonder how OpenDNS (and others, like OpenNIC) would fare if targeted?

  19. I agree with Insanity Repeated, and add that although security should be at the forefront of our thoughts, it is often in the closet. Virtually every person I know has pending Windows updates, has expired trial anti-virus, doesn’t use a firewall, and has the default PW set on their webcam. It’s kind of like you do not get a car alarm until you have a stereo stolen, but in the cyber world a lot more than a couple of items can get taken from your computer – from personal photos, to corporate secrets, to turning on your webcam. Nobody understands (except us few who live and breathe security) until it’s too late.

    • Darren, I have black tape over both of my webcams except when in actual use, just in case a malicious user takes control and tries to look at my living room. It is not hard to anticipate almost any “reasonable” attack.

      But the DoS attack described here takes advantage of an unreasonable feature of the Internet: the insecurity of DNS lookups, which assume that everyone will cooperate and be reasonable. Such cooperation can’t ever be assumed in 2016 or beyond.

      The Internet needs to be redesigned so that malicious use is made more difficult and more traceable. A few more security bits here and there to enforce these features would not increase cost much, but would make life easier. Imagine being able to publish email addresses in the clear without fear of spamming. That would be easy through asymmetric encryption and/or signing on each email message. A few more bits to point at a public key and security is dramatically better.

  20. Trying to buy a DVR 16 for a company CCTV system right now is tricky!

    Can’t buy AVTech…
    http://www.zdnet.com/article/thousands-of-dvrs-could-be-drafted-into-the-next-iot-botnet/

    …or Swann…
    https://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/

    …KGuard & lots of others related to Swann have had insecurities so ruled out…
    http://www.theregister.co.uk/2013/01/29/cctv_vuln/

    Running out of options here

  21. In your blog “21 DDoS on Dyn Impacts Twitter, Spotify, Reddit” you state, “Anytime you send an e-mail or browse a Web site, your machine is sending a DNS look-up request to your Internet service provider to help route the traffic.”

    As you know this is incorrect. DNS data associated with browsing is usually cached at several levels, so the lookup of a popular domain name would most likely be satisfied right in the local computer system’s implicit DNS server or HOSTS file, and if not, only then in the Internet Service Provider’s DNS server.

    This DoS attack was not caused by browsing, as you explained in detail already.
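Comment 18’s thought of “a cache table of my own” and comment 21’s point that a lookup is usually satisfied from a hosts file or local cache before it ever reaches the ISP’s resolver can be shown in one small resolver model. The block below is an added example, my code and not OpenDNS’s SmartCache or anything from Dyn: it resolves through a hosts table, then an unexpired cache, then an upstream callable, and when upstream fails it serves an already-expired entry for a bounded extra period, the behaviour that RFC 8767 standardises as serve-stale. The upstream answers, the clock and the addresses are all simulated and constructed for the run.

```python
import time
from dataclasses import dataclass


class UpstreamUnavailable(Exception):
    """Raised by the upstream callable when the path to the authoritative servers is not answering."""


@dataclass
class CacheEntry:
    addresses: tuple
    expires_at: float  # absolute clock value at which the record's TTL runs out


class StubResolver:
    """Resolution order: hosts table, unexpired cache, upstream. If upstream fails, an expired
    entry is still served for up to stale_ttl seconds past its TTL (serve-stale, RFC 8767)."""

    def __init__(self, upstream, hosts=None, stale_ttl=3600.0, clock=time.monotonic):
        self.upstream = upstream            # callable(name) -> (addresses, ttl_seconds)
        self.hosts = {k.lower(): tuple(v) for k, v in (hosts or {}).items()}
        self.stale_ttl = stale_ttl
        self.clock = clock                  # injectable so the scenario can advance time
        self.cache = {}
        self.upstream_attempts = 0

    def resolve(self, name: str):
        """Return (addresses, source) where source records which level answered."""
        name = name.lower().rstrip(".")
        if name in self.hosts:
            return self.hosts[name], "hosts"
        now = self.clock()
        entry = self.cache.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.addresses, "cache"
        self.upstream_attempts += 1
        try:
            addresses, ttl = self.upstream(name)
        except UpstreamUnavailable:
            # Upstream is down: an expired answer is better than none, for a bounded time.
            if entry is not None and now < entry.expires_at + self.stale_ttl:
                return entry.addresses, "stale"
            raise
        entry = CacheEntry(tuple(addresses), now + ttl)
        self.cache[name] = entry
        return entry.addresses, "upstream"


class FakeClock:
    """Manually advanced clock so TTL expiry can be exercised without sleeping."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds: float):
        self.t += seconds


class FakeUpstream:
    """Simulated upstream holding constructed answers; 'available' models an outage."""

    def __init__(self, zone: dict):
        self.zone = zone
        self.available = True

    def __call__(self, name: str):
        if not self.available:
            raise UpstreamUnavailable(name)
        return self.zone[name]


def run_scenario():
    """Walk one name through every level; returns the sequence of answering levels
    and the number of upstream attempts made."""
    clock = FakeClock()
    upstream = FakeUpstream({"www.example.com": (("203.0.113.10",), 300.0)})  # constructed answer
    resolver = StubResolver(upstream, hosts={"intranet.example": ["10.0.0.2"]},
                            stale_ttl=3600.0, clock=clock)
    trace = [resolver.resolve("intranet.example")[1],   # hosts table, upstream never asked
             resolver.resolve("www.example.com")[1],    # first lookup goes upstream
             resolver.resolve("WWW.example.com.")[1]]   # same name, normalised: cache hit
    clock.advance(301)                                   # TTL of 300 s has run out
    upstream.available = False                           # the outage begins
    trace.append(resolver.resolve("www.example.com")[1])  # expired entry served as stale
    clock.advance(3600)                                  # past expires_at + stale_ttl
    try:
        resolver.resolve("www.example.com")
        trace.append("answered")
    except UpstreamUnavailable:
        trace.append("servfail")                         # stale window exhausted
    return trace, resolver.upstream_attempts


if __name__ == "__main__":
    print(run_scenario())
```

The stale branch is what lets a recursive resolver ride out an authoritative outage like the one described in the post for names it has seen recently; it does nothing for names never looked up before, which is why the water-torture pattern discussed above is the one that still reaches the authoritative servers.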

  22. This is way better than a brick & mortar establishment.

  23. Exactly. I break down the game into every single one of its individual components and analyze them. I’m not writing a lot about one thing, but rather a little bit (well, I consider 2-4 paragraphs to be “a little bit,” anyway). I leave no stone unturned. All my major Halo-themed articles are like this, from this one to my “Open Letter to Bungie” from 2006 to my reviews of Halo 3, ODST, and Reach. Each weapon, each enemy, each aspect of the core gameplay and all the extra features and other miscellany gets its turn to be dissected. That’s how I roll.

  24. February 6, 2013, 6:38 am: I’m truly enjoying the design and layout of your site. It’s very easy on the eyes, which makes it much more enjoyable for me to come here and visit more often. Did you hire out a designer to create your theme? Excellent work!