DDOS against DYN

Does anyone know the type of traffic (protocol and ports) that the bots were programmed to use to attack dyn name servers?
Not sure if they published that yet.
trojan81 Asked:
 
Mal Osborne (Alpha Geek) Commented:
The attack was against DynDns. A heap of compromised devices were used.

Not sure if there is anything documenting all servers that DynDns uses for DNS; that information would have to come from them. Also, it is possible that not all IPs they use were attacked. They will have this information, but may opt to keep it secret.

Some can be inferred by examining NS records for affected domains.

Below is a bit of a writeup.

http://hub.dyn.com/traffic-management/dyn-statement-on-10-21-2016-ddos-attack
0
 
Mal Osborne (Alpha Geek) Commented:
Almost certainly DNS queries on port 53. A DDOS attack is when thousands of machines all make many requests at once, exceeding the capacity of the service in question to respond to genuine queries.
0
 
trojan81 (Author) Commented:
Did they publish which name servers yet, or does someone know the CIDR ranges?
0
 
Learnctx (Engineer) Commented:
The bulk of the attack was mainly one of 3 things.

1. TCP SYN requests to port 53 (SYN flood). These cause half open connections because the attacking host never sends the server the ACK so it begins tying up server resources.
2. Lookups for non-existent random subdomains for which Dyn is authoritative (pseudo random subdomain lookups). This will tie up server resources by causing uncached lookups to occur.
3. Random non-existent DNS record lookups which, like the above, cause uncached record lookups to try to tie up server records and various other record lookups to further tie up resources.

You're basically doing your best to make the servers work as hard as possible and generate as much traffic as possible.
1
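
From a network admin's side, the pseudo-random subdomain lookups in item 2 above appear in resolver logs as one client asking for many distinct non-existent names under a single zone. A check for that pattern follows, added here as an example and not part of the original thread; the log format, thresholds, sample lines and function names are all assumptions:

```python
from collections import defaultdict

# Constructed sample data. Assumed log format per line:
#   "<epoch> <client_ip> <qname> <qtype> <rcode>"
_RANDOM_LABELS = ["q7xk2p", "m3vz9t", "h8bw4c", "z1ny6r", "k5dj0s", "t2gf8u"]
SAMPLE_LOG = "\n".join(
    [f"1477051200 10.0.0.23 {lab}.example.com A NXDOMAIN" for lab in _RANDOM_LABELS]
    + ["1477051201 10.0.0.5 www.example.com A NOERROR",
       "1477051202 10.0.0.5 wwww.example.com A NXDOMAIN",  # a user typo, retried
       "1477051203 10.0.0.5 wwww.example.com A NXDOMAIN",
       "garbage line"]
)

def parse_line(line):
    """Return (client, qname, rcode), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _, client, qname, _, rcode = parts
    return client, qname.rstrip(".").lower(), rcode.upper()

def split_zone(qname):
    """Split into (subdomain, zone). Assumption: the zone is the last two
    labels; a real deployment would consult a public-suffix list."""
    labels = qname.split(".")
    if len(labels) < 3:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_suspects(log_text, min_unique=5, min_ratio=0.9):
    """Flag (client, zone, count) where nearly every query the client sent
    for that zone was a *different* name that did not exist."""
    nx_subs = defaultdict(set)   # (client, zone) -> distinct NXDOMAIN subdomains
    totals = defaultdict(int)    # (client, zone) -> all queries seen
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue             # skip lines that do not match the format
        client, qname, rcode = rec
        sub, zone = split_zone(qname)
        totals[(client, zone)] += 1
        if rcode == "NXDOMAIN" and sub:
            nx_subs[(client, zone)].add(sub)
    return sorted(
        (client, zone, len(subs))
        for (client, zone), subs in nx_subs.items()
        if len(subs) >= min_unique and len(subs) / totals[(client, zone)] >= min_ratio
    )
```

Counting distinct names rather than raw NXDOMAIN responses keeps a user who retries one mistyped hostname from being flagged.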
 
arnold Commented:
The attack could target the domains they wish to impact; a lookup for the NS records of those domains will identify the IPs to which requests should be sent.
The target could have been a specific one from the impacted domains, with the others as collateral damage.
Only Dyn has what was being requested.

The difficulty might be if Dyn has dual-function DNS, both authoritative and caching in one.

Separating authoritative from caching will limit impact to caching clients while leaving the authoritative sites functional.
0
 
trojan81 (Author) Commented:
When or if DYN publishes what the attack looked like, many network admins will be able to identify if there were compromised hosts from their own network. LearnCTX, you offered some possible scenarios, but they are guesses for now. It could have also been a DIG request in which the request is small but the reply is huge.
0
 
madunix Commented:
As stated in Hackernews, the attacker went with a bandwidth of flooding packets at 1 Tbps. They create an army of IoT devices to send the traffic. So, millions of devices using their own bandwidth at the same time. At Tbps or greater you're dealing with literal backbone throughput limitations. Preparation is key. If you prepare poorly for an attack you will be poorly prepared to handle the attack.
0
 
trojan81 (Author) Commented:
Thanks for the comments.
0
 
btan (Exec Consultant) Commented:
You can check out the article which has the analysis, mainly on "DNS Water Torture" and "GRE IP and Ethernet Floods". This is closely related to the Mirai botnet.
Mirai’s attack function enables it to launch HTTP floods and various network (OSI layer 3-4) DDoS attacks.

For network layer assaults, Mirai is capable of launching GRE IP and GRE ETH floods, as well as SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods and UDP flood attacks.

https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
0
Question has a verified solution.
