[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 215
  • Last Modified:

DDOS against DYN

Does anyone know the type of traffic (protocol and ports) that the bots were programmed to use to attack dyn name servers?
Not sure if they published that yet.
0
trojan81
Asked:
trojan81
4 Solutions
 
Mal OsborneAlpha GeekCommented:
Almost certainly DNS queries on port 53. A DDOS attack is when thousands of machines all make many requests at once, exceeding the capacity of the service in question to respond to genuine queries.
0
 
trojan81Author Commented:
Did they publish which name servers yet  or does someone know the CIDR ranges?
0
 
Mal OsborneAlpha GeekCommented:
The attack was against DynDns. A heap of compromised devices were used.

 Not sure if there is anything documenting all servers the DynDns uses for DNS, that information would have to come from them. Also, it is possible that not all IPs they use were attacked. They will have this information, but my opt to keep it secret.

Some can be inferred by examining NS records for affected domains.

Below is a bit of a writeup.

http://hub.dyn.com/traffic-management/dyn-statement-on-10-21-2016-ddos-attack
0
Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

 
LearnctxEngineerCommented:
The bulk of the attack was mainly one of 3 things.

1. TCP SYN requests to port 53 (SYN flood). These cause half open connections because the attacking host never sends the server the ACK so it begins tying up server resources.
2. Lookups for non-existent random subdomains for which Dyn is authoritative for (pseudo random subdomain lookups). This will tie up server resources by causing uncached lookups to occur.
3. Random non-existent DNS record lookups which like the above cause uncached record lookups to try tie up server records and various other record lookups to further tie up resources.

You're basically doing your best to make the servers work as hard as possible and generate as much traffic as possible.
1
 
arnoldCommented:
The attack could target the domains they wish to impact, lookup for NS records of those domains will identify the IPs to which requests should be sent.
The target could have been a specific one from the impacted domains, with the others as collateral damage.
Only dyn has what was being requested.

The difficulty might be if dyn has dual function DNS both authoritative and caching in one.

Separating authoritative from caching will limit impact to caching clients while leaving the authoritative sites functional.
0
 
trojan81Author Commented:
When of if DYN publishes what the attack looked like, many Network admins will be able to identify if there were compromised hosts from their own network. LearnCTX you offered some possible scenarios, but they are guesses for now.  It could have also been a DIG request in which the request is small but the reply is huge.
0
 
madunixChief Information Security Officer Commented:
As stated in Hackernews; the attacker went with a bandwidth of flooding packets at 1 Tbps;  They create a army of IoT devices to send the traffic. So, millions of devices using their own bandwidth at the same time.  Tbps or greater you're dealing with literal backbone throughput limitations. Preparation is key. If you prepare poorly for an attack you will be poorly prepared to handle the attack.
0
 
trojan81Author Commented:
thanks for the comments
0
 
btanExec ConsultantCommented:
You can check out the article which has the analysis - mainly on "DNS Water Torture" and "GRE IP and Ethernet Floods". This is closely related to the Mirai botnet
Mirai’s attack function enables it to launch HTTP floods and various network (OSI layer 3-4) DDoS attacks.

For network layer assaults, Mirai is capable of launching GRE IP and GRE ETH floods, as well as SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods and UDP flood attacks.

https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now