Solved

DDOS against DYN

Posted on 2016-10-23
9
157 Views
Last Modified: 2016-10-24
Does anyone know the type of traffic (protocol and ports) that the bots were programmed to use to attack dyn name servers?
Not sure if they published that yet.
0
Comment
Question by:trojan81
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 18

Expert Comment

by:Mal Osborne
ID: 41856408
Almost certainly DNS queries on port 53. A DDOS attack is when thousands of machines all make many requests at once, exceeding the capacity of the service in question to respond to genuine queries.
0
 

Author Comment

by:trojan81
ID: 41856435
Did they publish which name servers yet  or does someone know the CIDR ranges?
0
 
LVL 18

Accepted Solution

by:
Mal Osborne earned 251 total points
ID: 41856447
The attack was against DynDns. A heap of compromised devices were used.

 Not sure if there is anything documenting all servers the DynDns uses for DNS, that information would have to come from them. Also, it is possible that not all IPs they use were attacked. They will have this information, but my opt to keep it secret.

Some can be inferred by examining NS records for affected domains.

Below is a bit of a writeup.

http://hub.dyn.com/traffic-management/dyn-statement-on-10-21-2016-ddos-attack
0
Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 83 total points
ID: 41856455
The bulk of the attack was mainly one of 3 things.

1. TCP SYN requests to port 53 (SYN flood). These cause half open connections because the attacking host never sends the server the ACK so it begins tying up server resources.
2. Lookups for non-existent random subdomains for which Dyn is authoritative for (pseudo random subdomain lookups). This will tie up server resources by causing uncached lookups to occur.
3. Random non-existent DNS record lookups which like the above cause uncached record lookups to try tie up server records and various other record lookups to further tie up resources.

You're basically doing your best to make the servers work as hard as possible and generate as much traffic as possible.
1
 
LVL 78

Assisted Solution

by:arnold
arnold earned 83 total points
ID: 41856471
The attack could target the domains they wish to impact, lookup for NS records of those domains will identify the IPs to which requests should be sent.
The target could have been a specific one from the impacted domains, with the others as collateral damage.
Only dyn has what was being requested.

The difficulty might be if dyn has dual function DNS both authoritative and caching in one.

Separating authoritative from caching will limit impact to caching clients while leaving the authoritative sites functional.
0
 

Author Comment

by:trojan81
ID: 41856507
When of if DYN publishes what the attack looked like, many Network admins will be able to identify if there were compromised hosts from their own network. LearnCTX you offered some possible scenarios, but they are guesses for now.  It could have also been a DIG request in which the request is small but the reply is huge.
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 83 total points
ID: 41856555
As stated in Hackernews; the attacker went with a bandwidth of flooding packets at 1 Tbps;  They create a army of IoT devices to send the traffic. So, millions of devices using their own bandwidth at the same time.  Tbps or greater you're dealing with literal backbone throughput limitations. Preparation is key. If you prepare poorly for an attack you will be poorly prepared to handle the attack.
0
 

Author Comment

by:trojan81
ID: 41856563
thanks for the comments
0
 
LVL 63

Expert Comment

by:btan
ID: 41856843
You can check out the article which has the analysis - mainly on "DNS Water Torture" and "GRE IP and Ethernet Floods". This is closely related to the Mirai botnet
Mirai’s attack function enables it to launch HTTP floods and various network (OSI layer 3-4) DDoS attacks.

For network layer assaults, Mirai is capable of launching GRE IP and GRE ETH floods, as well as SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods and UDP flood attacks.

https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OnPage: Incident management and secure messaging on your smartphone
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question