Dyn Executive Responds To Friday's DDOS Attack (dyn.com) 77
"It is said that eternal vigilance is the price of liberty...We must continue to work together to make the internet a more resilient place to work, play and communicate," wrote Dyn's Chief Strategy Officer in a Saturday blog post. An anonymous reader reports:
Dyn CSO Kyle York says they're still investigating Friday's attack, "conducting a thorough root cause and forensic analysis" while "carefully monitoring" for any additional attacks. In a section titled "What We Know," he describes "a sophisticated attack across multiple attack vectors and internet locations...one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack." But he warns that "we are unlikely to share all details of the attack and our mitigation efforts to preserve future defenses."
He posted a timeline of the attacks (7:00 EST and 12:00 EST), adding "While there was a third attack attempted, we were able to successfully mitigate it without customer impact... We practice and prepare for scenarios like this on a regular basis, and we run constantly evolving playbooks and work with mitigation partners to address scenarios like these." He predicts Friday's attack will be seen as "historic," and acknowledges his staff's efforts to fight the attack as well as the support received from "the technology community, from the operations teams of the world's top internet companies, to law enforcement and the standards community, to our competition and vendors... On behalf of Dyn, I'd like to extend our sincere thanks and appreciation to the entire internet infrastructure community for their ongoing show of support."
Online businesses may have lost up to $110 million in sales and revenue, according to the CEO of Dynatrace, who tells CNN more than half of the 150 websites they monitor were affected.
We Were Attacked! (Score:1)
And they made us look the foo!
Re: (Score:2)
1. System is designed with a decentralised resource to prevent single point of failure / target for attack. ...
2. Company wants to monopolise resource.
3. Spreads fear of attacks for reason to buy hardened service.
4. Gets rekt by a bunch of kids who have hacked cctvs.
5. Tries to use it to spread more fear / downplay own incompetence.
6.
7. People realise that running their own DNS is more resilient?
Re:We Were Attacked! (Score:5, Informative)
LOL! You think so? Let's say your own DNS infrastructure is a victim of this attack with the same magnitude. Are you able to handle this?
There is an easy solution: Don't make your DNS a single point of failure. Make sure your DNS records are mirrored on two different DNS providers, and make sure you list all IP addresses of both providers' DNS servers in your registrar's settings.
That's what we did. We have our DNS records on Dyn and another provider. We barely were impacted.
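The check the comment above describes (records mirrored on two DNS providers, with both listed in the delegation), as an added example that is not part of the original thread. The zone names, nameserver names and the "last two labels identify the provider" heuristic are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed delegation records in zone-file form; every name is a placeholder.
SAMPLE_DELEGATIONS = """
shop.example.  172800 IN NS ns1.provider-a.example.
shop.example.  172800 IN NS ns2.provider-a.example.
shop.example.  172800 IN NS ns3.provider-a.example.
blog.example.  172800 IN NS ns1.provider-a.example.
blog.example.  172800 IN NS ns2.provider-a.example.
blog.example.  172800 IN NS dns1.provider-b.example.
blog.example.  172800 IN NS dns2.provider-b.example.
"""

def provider_of(ns_host, labels=2):
    """Approximate the operator by the last `labels` labels of the NS name.
    Assumption: a real audit would map names via the Public Suffix List."""
    return ".".join(ns_host.rstrip(".").lower().split(".")[-labels:])

def parse_ns(text):
    """Return {zone: set of NS hostnames} from zone-file style lines."""
    zones = defaultdict(set)
    for line in text.splitlines():
        fields = line.split(";")[0].split()      # drop zone-file comments
        upper = [f.upper() for f in fields]
        if "NS" in upper[1:-1]:                  # owner before, target after
            idx = upper.index("NS", 1)
            zones[fields[0].rstrip(".").lower()].add(fields[idx + 1].lower())
    return zones

def audit(text):
    """Per zone: providers seen, and NS count left if the largest one fails."""
    report = {}
    for zone, hosts in parse_ns(text).items():
        by_provider = defaultdict(set)
        for host in hosts:
            by_provider[provider_of(host)].add(host)
        worst = max(len(group) for group in by_provider.values())
        report[zone] = {
            "providers": sorted(by_provider),
            "single_point_of_failure": len(by_provider) < 2,
            "ns_surviving_worst_outage": len(hosts) - worst,
        }
    return report

if __name__ == "__main__":
    for zone, result in sorted(audit(SAMPLE_DELEGATIONS).items()):
        print(zone, result)
```

Feeding it the NS records actually published for your zones shows which ones would lose every nameserver if one provider went down.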
Re: (Score:3)
The problem is this philosophy tends to create targets of great value by putting so much infrastructure into so few places.
It's been a curious development in the internet. In the 90s, there was a trend from walled gardens and centralized resources to more federated approaches. In the last decade, the trend has reversed.
We have increasingly powerful endpoint devices, even as their form factors have shrunk. This *should* have led to the reduction of the importance of 'datacenters', but now they are more imp
Re: (Score:2)
"LOL! You think so? Let's say your own DNS infrastructure is a victim of this attack with the same magnitude. Are you able to handle this?"
Yep, all fucking day without even looking, and IPv6 will make it even easier. It's called a static IP address and not having more fucking domain names than you can handle.
While everyone else was fucked, my sites ran without a problem, and they all use DynDNS.
Re: (Score:2)
Son, I was playing with hardware load balancers on remote systems before you likely came to troll this site.
Re: (Score:3)
Sure do.
It spreads out the attack value over multiple targets. It is not about whether a set of smaller replacements for Dyn could withstand 1tb/s, it is about whether an attacker could muster n tb/s to attack a whole set of smaller providers at once in order to create the same amount of widespread damage. Do you think it makes sense to put all the eggs in one basket?
Re: We Were Attacked! (Score:3)
Re: (Score:2)
Re: (Score:2)
Like it did in Australia? Oh, wait.
GFY, you gun-grabbing fascist.
Lost business? (Score:5, Insightful)
Is that really lost business or was it just a delay in the interaction for the customers?
If shop's not available one day I'll wait a day or two to place my order. It's only if stuff is offline for a long period that it's really lost business because then I probably have gone elsewhere.
Re: (Score:2)
Re: (Score:1)
Though it may be a loss of business in a sense that a part of income is moved from companies affected by the attack to the companies which
Re: (Score:2)
What advertising? I'm running an adblocker - and so do most people with sense these days.
Re: (Score:2)
What advertising? I'm running an adblocker - and so do most people with sense these days.
I don't, on purpose. I think I still have some sense.
-I like to pay for the services I use. Many companies will provide me service by showing me ads. That is fair to me.
-I don't want ads for NFL games and tampons. I have no use for either of those. However, if a new 2m radio is on sale, I actually want to know that.
-I mind giving a small amount of information to advertisers (through cookies and fingerprinting) a LOT less than I mind giving any Ad blocking app FULL web browsing history.
How are you payi
Re: (Score:3)
Is that really lost business or ... If shop's not available one day I'll wait ...
You're ignoring the "instant gratification" bit. Wait a day -- a DAY? You must be joking, I don't want to wait 2 seconds while the page loads. The only reason I can even stand to wait for it to be delivered is because I can track it in motion. [xkcd.com]
Re: (Score:2)
Is that really lost business or was it just a delay in the interaction for the customers?
If an item is perishable then it's actually lost business even if you intended to buy it the day after.
If shop's not available one day I'll wait a day or two to place my order.
Market research shows that a significant source of income is the result of impulse buys as the result of either short term discounts or advertising. Giving people time to think about it by preventing checkout causes them to (correctly) second guess their decision, whereas if there's no barrier to purchase you simply end up with post shopping cognitive dissonance (why the **** did I just buy that!)
This is l
Re: (Score:1)
But it is better for the planet... And individual. And thereby, society.
If it is a loss for someone, perhaps they are then better employed in something more productive.
Like picking up trash.
Re: (Score:2)
It depends... sometimes customers would probably come back and order later. Sometimes they might order somewhere else that is available. Or sometimes they might use the extra time to ponder whether they really need the item and ultimately might decide not to buy it.
Re: (Score:3)
Of course it is: We see this pretty easily in the physical space when there's really bad weather, like a blizzard that makes travel difficult for 3 days. Businesses see a bit of a pickup afterwards, as some purchases just get delayed, but there's A LOT of economic activity that disappears.
Imagine, for instance, that whoever processes credit cards for the Hillary campaign happened to have a catastrophic 4 hour outage around the last debate. Do you really think that the people that would have donated during t
Re: (Score:2)
http://www.latimes.com/busines... [latimes.com]
"1.2 trillion bits of data every second" or
"How Hackers Make Money from DDoS Attacks"
http://fortune.com/2016/10/22/... [fortune.com]
"1.2 terabits of data per second"
Re: (Score:3)
Dyn seems very quiet about a lot. They and their customers got their ass handed to them. This was pure incompetence on the hands of Dyn and many sites and services.
DNS TTL 3600s or even 86400 (the gold standard back in the day) - because the cloud prides itself on individual machine uptime of 80% or less
Single DNS provider - because the cloud prides itself on a single vendor being world-scale just by spreading out
Twitter and co (still) has a TTL of 130s, way lower than RFC 6781 suggests and still has all th
slashdot IoT sales banner (Score:2)
Re: (Score:2)
Just make sure it's totally unspoofable like a Mac address.
Re: (Score:2)
Every device already has that. Luckily for us this ID isn't routable. Your proposal still wouldn't work, we know the IPs these attacks are coming from after all, the problem is getting providers like Verizon or ChinaNet to cooperate.
Re: slashdot IoT sales banner (Score:2)
I didn't read the details of the attack, but if it was using UDP DNS requests the source IPs could have been spoofed (if they originate from networks that don't have uRPF enabled).
In that case, their transit providers would only be able to identify them by traffic patterns on their circuits, or by more in-depth analysis if the provider can afford to run IPFIX/Netflow analysis on all their traffic.
Searchable database of attackers? (Score:2)
Would be nice to check my addresses in case my network was an offender so I can fix something I may have missed.
Re: (Score:1)
Re: (Score:2)
Look at your router config, and look for UPNP and/or port forwards and see whether any firewall ports have been opened up for these devices.
I would actually advocate disabling UPNP on the router, but I have no doubt that doing so would break some sort of lame device or application, and people would howl about how they just can't possibly do that.
Re: (Score:2)
Would be nice to check my addresses in case my network was an offender so I can fix something I may have missed.
Your router needs a better firewall to prohibit or at least rate limit outgoing traffic to unusual places. Monitor firewall hits. It's "easy", but typical routers don't offer much help.
Re: (Score:2)
And who then is responsible?
The manufacturer? They are undoubtedly under pressure to keep the costs as low as possible, and keep the configuration as simple as possible. Make the config too hard, and people return the items to the store.
The retailer? What's their responsibility here? Some like eBay/Amazon are just flea markets selling any crap that the associated merchant wants to sell. There is no "Underwriters Lab" to test some of the basic configuration stuff.
The consumer? They don't care - it doesn
how many bitcoins (Score:2)
did the attackers ask for to stop the attack?
Here's an actual letter sent to my company when we were attacked earlier this year. By the way, they didn't breach us in any way, shape or form. They just hit us with traffic. The letter makes it sound like they had more, but nope, they didn't have shit.
Hello Support,
We are a team of highly skilled independent security consultants. One of your competitors hired us to take your site offline for an entire month (which we have the resources to do but don't like t
DNS blockchain (Score:2)
The issue with DNS is that it's a centralizing service. As the world moves more towards a decentralized, distributed Internet, the first piece that moves in that direction should be DNS services.
It could be done right now using a similar blockchain to the one bitcoin uses. In fact, you could also tie in SSL into the platform, to prevent centralizing services like Verisign from being a weak point. The design is already in my head - just need to build it. Anyone have some free time?
Need to work with IoT developers and/or shame them (Score:2)
The fact that so many publicly facing, completely insecure devices ripe for hacking were able to be assembled in the first place is one of the biggest things we should be looking at moving forward.
I think there should be a common, open-source framework for building secure IoT device firmware. Obviously people are going to be buying these things more and more as time progresses. Why not make it simple for them to implement something secure instead of leaving them to reinvent the wheel? Obviously they're conc
Re: (Score:2)
The app gets delisted until the device is fixed or upgrades.
It can be fixed by the IoT builders as they want cheap or use long supply chains.
The consumer wants easy, powered on, integrated, working devices. No entering long unique passwords deep in the packaging.
Get AV firms to scan local networks and tell users their entire network and all the
OH Dyn (Score:2)