Solved

DDOS against DYN

Posted on 2016-10-23
117 Views
Last Modified: 2016-10-24
Does anyone know the type of traffic (protocol and ports) that the bots were programmed to use to attack dyn name servers?
Not sure if they published that yet.
0
Question by:trojan81
9 Comments
 
LVL 17

Expert Comment

by:Malmensa
ID: 41856408
Almost certainly DNS queries on port 53. A DDOS attack is when thousands of machines all make many requests at once, exceeding the capacity of the service in question to respond to genuine queries.
0
 

Author Comment

by:trojan81
ID: 41856435
Did they publish which name servers yet, or does someone know the CIDR ranges?
0
 
LVL 17

Accepted Solution

by:Malmensa
Malmensa earned 251 total points
ID: 41856447
The attack was against DynDns. A heap of compromised devices were used.

Not sure if there is anything documenting all servers DynDns uses for DNS; that information would have to come from them. Also, it is possible that not all IPs they use were attacked. They will have this information, but may opt to keep it secret.

Some can be inferred by examining NS records for affected domains.

Below is a bit of a writeup.

http://hub.dyn.com/traffic-management/dyn-statement-on-10-21-2016-ddos-attack
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 83 total points
ID: 41856455
The bulk of the attack was mainly one of 3 things.

1. TCP SYN requests to port 53 (SYN flood). These cause half open connections because the attacking host never sends the server the ACK so it begins tying up server resources.
2. Lookups for non-existent random subdomains for which Dyn is authoritative (pseudo-random subdomain lookups). This will tie up server resources by causing uncached lookups to occur.
3. Random non-existent DNS record lookups which, like the above, cause uncached record lookups to try to tie up server resources, and various other record lookups to further tie up resources.

You're basically doing your best to make the servers work as hard as possible and generate as much traffic as possible.
0
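A defender-side check for the pseudo-random subdomain (NXDOMAIN flood) pattern described in points 2 and 3 above, as an added example that is not part of this thread: it scans constructed DNS query-log lines (source, qname, rcode) for one zone and flags sources whose queries are mostly NXDOMAIN with high-entropy labels. The log format, thresholds and sample addresses are assumptions, not anything Dyn published.

```python
import math
from collections import defaultdict

# Constructed sample query-log lines (not real Dyn traffic): "<src_ip> <qname> <rcode>"
SAMPLE_LOG = """\
203.0.113.10 www.example.com. NOERROR
203.0.113.10 mail.example.com. NOERROR
198.51.100.7 xk3q9zt1.example.com. NXDOMAIN
198.51.100.7 p0v8mz2aq.example.com. NXDOMAIN
198.51.100.7 7ylq2wdx.example.com. NXDOMAIN
198.51.100.7 zz91ab4k.example.com. NXDOMAIN
198.51.100.7 www.example.com. NOERROR
"""

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label; random labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def first_label(qname, zone):
    """Leftmost label of the part of qname below zone, or None if qname is not under zone."""
    suffix = "." + zone.rstrip(".") + "."
    if not qname.endswith(suffix):
        return None
    return qname[:-len(suffix)].split(".")[0]

def score_sources(log_text, zone, min_queries=4, nx_ratio=0.5, rand_ratio=0.5, entropy_bits=2.5):
    """Per-source counters for queries under zone; returns the sources that look like PRSD abuse.
    A source is flagged only after min_queries, so a client with a few typos is not flagged."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "random": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, qname, rcode = line.split()
        label = first_label(qname, zone)
        if label is None:
            continue  # query for another zone; not relevant to this check
        s = stats[src]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            if label_entropy(label) >= entropy_bits:
                s["random"] += 1  # NXDOMAIN for a random-looking label
    return {src: s for src, s in stats.items()
            if s["total"] >= min_queries
            and s["nxdomain"] / s["total"] >= nx_ratio
            and s["random"] / s["total"] >= rand_ratio}
```

Flagged sources are candidates for rate limiting or for a response-rate-limit rule on the authoritative server, not proof of compromise on their own.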

 
LVL 77

Assisted Solution

by:arnold
arnold earned 83 total points
ID: 41856471
The attack could target the domains they wish to impact; a lookup of the NS records of those domains will identify the IPs to which requests should be sent.
The target could have been a specific one from the impacted domains, with the others as collateral damage.
Only dyn has what was being requested.

The difficulty might be if dyn has dual function DNS both authoritative and caching in one.

Separating authoritative from caching will limit impact to caching clients while leaving the authoritative sites functional.
0
 

Author Comment

by:trojan81
ID: 41856507
When or if DYN publishes what the attack looked like, many network admins will be able to identify if there were compromised hosts on their own network. LearnCTX, you offered some possible scenarios, but they are guesses for now. It could have also been a DIG request in which the request is small but the reply is huge.
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 83 total points
ID: 41856555
As stated in Hackernews, the attacker went with a bandwidth of flooding packets at 1 Tbps. They created an army of IoT devices to send the traffic. So, millions of devices using their own bandwidth at the same time. At Tbps or greater you're dealing with literal backbone throughput limitations. Preparation is key. If you prepare poorly for an attack you will be poorly prepared to handle the attack.
0
 

Author Comment

by:trojan81
ID: 41856563
Thanks for the comments.
0
 
LVL 62

Expert Comment

by:btan
ID: 41856843
You can check out the article which has the analysis, mainly on "DNS Water Torture" and "GRE IP and Ethernet Floods". This is closely related to the Mirai botnet.
Mirai’s attack function enables it to launch HTTP floods and various network (OSI layer 3-4) DDoS attacks.

For network layer assaults, Mirai is capable of launching GRE IP and GRE ETH floods, as well as SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods and UDP flood attacks.

https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
0