Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

DDOS against DYN

Posted on 2016-10-23
9
Medium Priority
?
203 Views
Last Modified: 2016-10-24
Does anyone know the type of traffic (protocol and ports) that the bots were programmed to use to attack dyn name servers?
Not sure if they published that yet.
0
Comment
Question by:trojan81
9 Comments
 
LVL 19

Expert Comment

by:Mal Osborne
ID: 41856408
Almost certainly DNS queries on port 53. A DDOS attack is when thousands of machines all make many requests at once, exceeding the capacity of the service in question to respond to genuine queries.
0
 

Author Comment

by:trojan81
ID: 41856435
Did they publish which name servers yet  or does someone know the CIDR ranges?
0
 
LVL 19

Accepted Solution

by:
Mal Osborne earned 1004 total points
ID: 41856447
The attack was against DynDns. A heap of compromised devices were used.

 Not sure if there is anything documenting all servers the DynDns uses for DNS, that information would have to come from them. Also, it is possible that not all IPs they use were attacked. They will have this information, but my opt to keep it secret.

Some can be inferred by examining NS records for affected domains.

Below is a bit of a writeup.

http://hub.dyn.com/traffic-management/dyn-statement-on-10-21-2016-ddos-attack
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 18

Assisted Solution

by:Learnctx
Learnctx earned 332 total points
ID: 41856455
The bulk of the attack was mainly one of 3 things.

1. TCP SYN requests to port 53 (SYN flood). These cause half open connections because the attacking host never sends the server the ACK so it begins tying up server resources.
2. Lookups for non-existent random subdomains for which Dyn is authoritative for (pseudo random subdomain lookups). This will tie up server resources by causing uncached lookups to occur.
3. Random non-existent DNS record lookups which like the above cause uncached record lookups to try tie up server records and various other record lookups to further tie up resources.

You're basically doing your best to make the servers work as hard as possible and generate as much traffic as possible.
1
 
LVL 80

Assisted Solution

by:arnold
arnold earned 332 total points
ID: 41856471
The attack could target the domains they wish to impact, lookup for NS records of those domains will identify the IPs to which requests should be sent.
The target could have been a specific one from the impacted domains, with the others as collateral damage.
Only dyn has what was being requested.

The difficulty might be if dyn has dual function DNS both authoritative and caching in one.

Separating authoritative from caching will limit impact to caching clients while leaving the authoritative sites functional.
0
 

Author Comment

by:trojan81
ID: 41856507
When of if DYN publishes what the attack looked like, many Network admins will be able to identify if there were compromised hosts from their own network. LearnCTX you offered some possible scenarios, but they are guesses for now.  It could have also been a DIG request in which the request is small but the reply is huge.
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 332 total points
ID: 41856555
As stated in Hackernews; the attacker went with a bandwidth of flooding packets at 1 Tbps;  They create a army of IoT devices to send the traffic. So, millions of devices using their own bandwidth at the same time.  Tbps or greater you're dealing with literal backbone throughput limitations. Preparation is key. If you prepare poorly for an attack you will be poorly prepared to handle the attack.
0
 

Author Comment

by:trojan81
ID: 41856563
thanks for the comments
0
 
LVL 65

Expert Comment

by:btan
ID: 41856843
You can check out the article which has the analysis - mainly on "DNS Water Torture" and "GRE IP and Ethernet Floods". This is closely related to the Mirai botnet
Mirai’s attack function enables it to launch HTTP floods and various network (OSI layer 3-4) DDoS attacks.

For network layer assaults, Mirai is capable of launching GRE IP and GRE ETH floods, as well as SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods and UDP flood attacks.

https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like me and like multiple layers of protection, read on!
An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question