On October 21, a Distributed Denial of Service attack on Dyn took many key web properties such as Twitter and Netflix offline. Here are some more details on the attack and the breadth of its impact.
Adding to the long list of major cyberattacks in 2016, a recent Distributed Denial of Service (DDoS) attack on internet performance management company Dyn left customers of several online properties without service on Friday, October 21.
Dyn is a DNS provider, meaning it helps direct domain names back to certain IP addresses for many major companies. During the attack, brands such as Twitter, Amazon, Reddit, Netflix, and more were without service multiple times during the day.
SEE: Cybersecurity Research 2016: Weak Links, Digital Forensics, and International Concerns (Tech Pro Research)
The Dyn DDoS attack will likely be regarded as one of the biggest DDoS attacks ever perpetrated, due to its broad impact. Here are some of the details surrounding the attack, and key takeaways on what businesses can learn.
1. Not just one attack
The DDoS attack on Dyn was actually a series of attacks that took place at different times throughout the day Friday, and affected different sets of customers. According to Dyn's official statement on the matter, it said it believes the attacks began around 7:00 a.m. Eastern time on Friday. The first attack affected East Coast customers only, and Dyn's Network Operations Center (NOC) team was able to stop the attack in about two hours.
After noon on that same day, the statement said, another attack occurred which affected customers on a global scale, although it didn't affect Dyn's entire network. Dyn was able to mitigate that attack in an hour, restoring service by 1:00 p.m. Eastern time. Attackers attempted a third attack, but it was stopped before it greatly affected any customers.
2. The attack was sophisticated
According to its formal statement, Dyn estimated that the attack involved "10s of millions of IP addresses," making it highly distributed and sophisticated. The full impact of the attack and all of the potential sources have not yet been determined.
The company is conducting an investigation, and promised updates when it has new information. However, it may never disclose all of the information regarding the attack. "It is worth noting that we are unlikely to share all details of the attack and our mitigation efforts to preserve future defenses," Dyn said in its statement.
3. IoT is to blame
While all of the potential sources have not yet been identified, Dyn confirmed, with help from Flashpoint and Akamai, that devices infected with the Mirai botnet were part of the attack. The Mirai botnet looks for certain Internet of Things (IoT) and smart home devices, such as those that are using default usernames and passwords, and turns them into bots to use in cyberattacks.
John Pironti, president of IP Architects, said that the Dyn attack highlights the fact that every new endpoint introduced, especially through IoT, presents a new threat.
"The use of IoT devices for recent DDoS attacks has shown how fragile and insecure many of these devices currently are," Pironti said. "The first use was for DDoS, but these same devices are likely to be used as entry points to the internal networks they connect to as well as they become more pervasive."
4. This isn't the end
While unique in its scale, the Dyn attack could act as a blueprint for smaller attacks as well. With the source code for the Mirai botnet getting released into the wild in early October, it could make it easier and cheaper for attacks like this one to be conducted. Using that code, or code from the Bashlight botnet, Pironti said that it will be significantly easier for these kinds of DDoS attacks to be perpetrated.
Bob Gourley, co-founder of the cyber security consultancy Cognitio and former CTO of the Defense Intelligence Agency, said that DDoS attacks are up 75% this year, and that the average size of these attacks is growing.
"Over 30% of DDoS attacks now reach over 10 Gbps in throughput, which is enough to swamp most any business," Gourley said. "The largest ones have reached over 600 Gbps in size, enough to swamp any infrastructure provider. The fact is that this kind of attack can be mitigated by good security practices, but only if there is broad action by citizens, businesses and governments."
5. The IoT industry needs stricter standards
One of the most salient points from the attack on Dyn is that it highlights the need for stronger standards and protocols for security in the IoT industry. According to Pironti, "We need to begin to hold IoT device manufacturers to the same standards of security that we hold operating system and application developers to in the tech world." If IoT vendors are allowed to produce products with known vulnerabilities, we will likely see more attacks like this one, he said.
"Citizens need to know how to patch and secure any device they use, or should find help from those that do know how," Gourley said. "Businesses need to configure networks to do ingress filtering using community best practices. Governments need to encourage network providers to continuously improve quality. One suggestion we make is for governments to put in place a grading mechanism like healthcare is graded."
- New US cybersecurity plan makes it easier for businesses to get help after an attack (TechRepublic)
- Thanks, script kiddies: 100Gbps DDoS attacks now commonplace (ZDNet)
- Obama seeks $19B for cybersecurity in 2017, a 36% increase (TechRepublic)
- Source code of Mirai botnet responsible for Krebs On Security DDoS released online (ZDNet)
- How to mitigate ransomware, DDoS attacks, and other cyber extortion threats (TechRepublic)