User topics

Article topics

Log in Sign up

DNS devastation: Top websites whacked offline as Dyn dies again

An extraordinary, focused attack on DNS provider Dyn continues to disrupt internet services for hundreds of companies, including online giants Twitter, Amazon, AirBnB, Spotify and others. The worldwide assault started at approximately 11am UTC on Friday. It was a massive denial-of-service blast that knocked Dyn's DNS anycast …

COMMENTS

Post your comment

House rules Send corrections

Add to 'My topics'

Page:

Friday 21st October 2016 19:13 GMT Barry Rueger

Inevitable

Arguably this sort of "bring the Internet to its knees" attack was pretty much inevitable.

And arguably that has been the case for most of a decade.

Right now a lot of companies must be quaking in their boots wondering what's next.

13 0 Reply
1. Sunday 23rd October 2016 04:37 GMT raving angry loony
  
  Re: Inevitable
  
  Or salivating at the profits to be had from marketing "protection" to those who feel vulnerable. The whole thing smells of a protection racket in the making.
  
  5 0 Reply
2. Sunday 23rd October 2016 21:43 GMT John Smith 19
  
  "Right now a lot of companies must be quaking in their boots wondering what's next."
  
  Certainly those who understood what just happened.
  
  While the suppliers of the IoS products that enabled it should be ashamed.
  
  1 0 Reply
3. Sunday 23rd October 2016 22:49 GMT jobst
  
  Re: Inevitable - but not because of DNS
  
  It seems a lot of people are talking about DNS in the moment ... but we must not forget who really is to blame - it's the stupid security programmed into may IoT's because of greed. The cause for this problem are not the inherent problems of the DNS system(s) but the stupidity of device manufactures like Dlink, Netgear, Avtech and so on.
  
  0 0 Reply
4. Monday 24th October 2016 11:06 GMT Anonymous Coward
  
  Re: Inevitable
  
  Not as inevitable as someone shouting "Blockchain - that's the answer!"
  
  0 0 Reply
Friday 21st October 2016 19:17 GMT Anonymous Coward

not the only one

noip appeared to be offline at times on wednesday.

0 1 Reply
Friday 21st October 2016 19:27 GMT Anonymous Coward

I guess commercial considerations have replaced the "internet routes round damage" idea.

17 6 Reply
1. Saturday 22nd October 2016 00:33 GMT Yes Me
  
  "routes round damage" idea.
  
  Routing works just fine during a DNS outage; the problem is that you can't find the addresses that you want to route to. DDoS against DNS authoritative servers has always been scary. If only every ISP supported ingress filtering, as they're supposed to, tracking down and killing DDoS bots would be that much easier.
  
  18 3 Reply
2. Saturday 22nd October 2016 04:30 GMT ecofeco
  
  Actually it did. Many sites were affected but not all. I could easily reach most websites I use during the day.
  
  It worked exactly like it should.
  
  3 1 Reply
3. Saturday 22nd October 2016 05:33 GMT Frank Oz
  
  Well, yeah ...
  
  Bottom line is that its the current DNS process, which is in place to ensure that the domain name issuers get their little piece of the pie, which make attacks like this possible. In the good old days the ENTIRE DNS data files/database was mirrored on a number of servers around the planet ... so a DOOS would have to hit them all to cause things to fall over this badly.
  
  These days, all the hacker has to do is find out which commercial Domain Name provider provided which mega huge internet presence with its domain names ... and just hit that server. If anything this attack should result in a number of DYN clients going elsewhere (presumably to a less visible DNS provider)
  
  What should happen is that ICANN points out that the current DNS verification and validation processes (which are only in place to protect the IP of the DNS provider) actually make it easier for the Ungodly ... and that perhaps total replication of the database across mulitple provider sand locations might be a good idea to revert to.
  
  But that's unlikely - because nowadays ICANN represents the DNS providers.
  
  15 1 Reply
  1. Saturday 22nd October 2016 13:58 GMT John Brown (no body)
    
    "In the good old days the ENTIRE DNS data files/database was mirrored on a number of servers around the planet ... so a DOOS would have to hit them all to cause things to fall over this badly."
    
    I was wondering the same thing. Where are the master root servers these days? I take it they either no longer exists or people like Dyn don't bother with them.
    
    5 1 Reply
    1. Saturday 22nd October 2016 14:57 GMT Danny 14
      
      Most companies run their own dns caching as part of their proxies (i imagine, we do to cut down on requests) so this will hit general public more. In fact i only noticed the issues when i switched from wifi to data on my phone.
      
      1 0 Reply
4. Saturday 22nd October 2016 11:04 GMT Steven Jones
  
  It's not a routing issue...
  
  The Internet does route around damage, but this isn't an attack on routing. It's an attack on a network service. That's rather a different thing.
  
  However, it's certainly true that far too little effort has been put into fundamentally hardening network services of all sorts against these sorts of attacks. Unfortunately far too many Internet protocols and services are built around assumptions of good behaviour.
  
  3 1 Reply
  1. Saturday 22nd October 2016 12:40 GMT Anonymous Coward
    
    Re: It's not a routing issue...
    
    "Routing" has many more meanings than "IP routing". The Internet was designed as a distributed systems - kill a node, it would still keep on working. Now we're turning it into a big centralized system where a few big data centers, the grandsons of mainframes, hold everything. And when they become the easy target of huge distributes attacks like this, they are kaputt... the old saying "when you put all your eggs in one basket...".
    
    If all those DNS records were widely distributed, good luck to take down all of them.
    
    12 0 Reply
Friday 21st October 2016 19:42 GMT Dave Pickles

DNS wouldn't be so vulnerable if folks set really long TTLs on their entries and didn't use DNS for load-balancing - caches around the internet could then ride out any feasible attack.

21 0 Reply
1. Friday 21st October 2016 19:51 GMT ParasiteParty
  
  I wish this was true...
  
  Many ISP's - to name BT for one but probably most, simply do not respect published TTL's.
  
  We've seen issues where we set low TTL's during a site migration but the ISP's simply don't go back for another lookup. You end up having to fanny about with DNS providers until enough time has passed for the providers DNS to re-do the lookup in its own time.
  
  11 0 Reply
2. Friday 21st October 2016 20:37 GMT efinlay
  
  Except...
  
  ...with really long TTLs, how do you manage regional or global load balancing? Failovers? Switching records in general? Migrations?
  
  (admittedly, that last one is generally less frequent)
  
  Honest question - not snarky, I'm curious.
  
  3 0 Reply
  1. Friday 21st October 2016 21:02 GMT Anonymous Coward
    
    Re: Except...
    
    Good question, that commentard: "with really long TTLs, how do you manage regional or global load balancing".
    
    https://en.wikipedia.org/wiki/Anycast - Anycast addresses. This is what Google's 8.8.8.8 and 8.8.4.4 and OpenDNS 208.67.222.222 and 208.67.220.220 use.
    
    Cheers
    
    Jon
    
    _{I suspect I've answered your question as posted but probably not what you intended or the full story.}
    
    4 0 Reply
    1. Friday 21st October 2016 21:10 GMT Nate Amsden
      
      Re: Except...
      
      Anycast only covers a subset of load balancing needs(small subset at that)
      
      1 0 Reply
    2. Friday 21st October 2016 23:19 GMT patrickstar
      
      Re: Except...
      
      Anycast is not suitable for TCP since TCP is dependent on all packets of a connection going to the same place. It might very well work for specific applications and short-lived connections but it's definitely not something you want to deploy on a website that's supposed to be reachable by 100% of all users.
      
      You can even encounter scenarios where, for some subset of users, it works very poorly if at all - equal cost multipath for example, where every other packet ends up at a different anycast instance.
      
      3 0 Reply
    3. Sunday 23rd October 2016 10:13 GMT TeeCee
      
      Re: Except...
      
      Except that it isn't a good question as the original comment did specify that a prerequisite would be that people didn't use DNS for load-balancing.
      
      People are using something for something for which it wasn't designed to do and have found out that it's not really suitable for it? Who Could Possibly Have Seen That Coming?
      
      2 0 Reply
  2. Friday 21st October 2016 21:22 GMT Alister
    
    Re: Except...
    
    ...with really long TTLs, how do you manage regional or global load balancing? Failovers? Switching records in general? Migrations?
    
    You can do it by not using DNS to switch between sites. Instead you have one or more load balancers with fixed IPs which you point the DNS at, and then redirect the traffic to the sites and servers as you want.
    
    We do DR failover this way, as well as load balancing and migrations between hosting environments.
    
    There is a slightly increased latency, obviously, but not enough to impact normal traffic.
    
    5 0 Reply
3. Friday 21st October 2016 21:55 GMT streaky
  
  TTL is nothing really to do with it. Sites would go offline under sustained attack sooner or later.
  
  The main issue here is that these large companies are doing DNS wrong on a more fundamental level. We learned years ago that people were attacking DNS providers and this could be leveraged to take out fundamental infrastructure and sites of all sorts of sizes. The fix is obvious and it's something I've recently pointed out to github:
  
  If you're an attack target do not just use a single DNS provider. Use 2.
  
  If you do that it's much easier to not be caught in the crossfire. It's also much more difficult for adversaries to take you out via DNS - they have to take out two entirely separate networks to achieve that requiring double the attack assets.
  
  The internet was designed very insecurely but they did build it in a way that made it easy to mitigate attacks like the one today and everybody running DNS services at the companies that were taken out look like complete clowns in retrospect. It's like the people who expect AWS zones to be up 100% of the time despite them not being designed to be survivable and Amazon giving people the tools to not do that.
  
  Also fwiw using anycast to balance large sites is a really bad idea. If anycast was a solution to the problem we wouldn't be sitting here talking about anycasted dns providers being taken out.
  
  15 1 Reply
  1. Saturday 22nd October 2016 05:23 GMT bazza
    
    @Streaky,
    
    "The internet was designed very insecurely"
    
    Security wasn't a consideration at all in those days.
    
    Fundamentally everything we have security-wise is a bodge. Ultimately no matter what security mechanism one contrives, it always boils down to the following. Machines are hopeless at identifying people.
    
    4 1 Reply
    1. Saturday 22nd October 2016 06:29 GMT streaky
      
      The security thing wasn't really a complaint, just a fact of life. We can we rebuild, we have the technology - though I wasn't really arguing for that. I wouldn't mind burning UDP to the ground though but it's an entirely separate subject.
      
      TCP is dependent on all packets of a connection going to the same place
      
      TCP anycast is a thing (indeed it's how a lot of HTTP DDoS protection works). Doesn't mean it's a sensible use of resources when your DNS provider can do useful things for you; it's all cost/benefit - DNS providers are cheap, anycasted HTTP isn't. As I said it's not really a solution to the problem, not relying on your singular provider's servers in the case they get hit or plain just go down is.
      
      1 0 Reply
      1. Saturday 22nd October 2016 10:45 GMT patrickstar
        
        Yes, it can be done, but it's not a general solution the way DNS anycast is.
        
        When anycasting DNS, you can just plop down anycast instances in whatever locations will host you, with no special routing policies in place, no prepending/community games, and having it exported as widely as possible.
        
        1 0 Reply
    2. Saturday 22nd October 2016 09:47 GMT Anonymous Coward
      
      ...and how much it costs to implement offset against profit and how much the PHB will earn for his/her yearly bonus.
      
      1 0 Reply
  2. Sunday 23rd October 2016 03:45 GMT Anonymous Coward
    
    > If you're an attack target do not just use a single DNS provider. Use 2.
    
    If *you* are an attack target, it is *your* infrastructure that is going to be targeted, not the DNS providers (they may throw that into the deal as well, but expect your own infrastructure to become suddenly popular with IP cameras and stuff).
    
    1 0 Reply
    1. Sunday 23rd October 2016 03:57 GMT streaky
      
      it is *your* infrastructure that is going to be targeted, not the DNS providers
      
      Yeah but TCP attacks the average toddler can deal with, they're blatant and they're easy to identify the source of and can be mitigated quite quickly. UDP attacks against DNS infrastructure are very difficult to deal with which is why they're popular for taking out large targets - and regardless of that "you" as the target can mean that you're one of many large US sites and the attacker would be happy to take you out as collateral.
      
      1 0 Reply
    2. Sunday 23rd October 2016 10:26 GMT Doctor Syntax
      
      "If *you* are an attack target, it is *your* infrastructure that is going to be targeted,"
      
      For some values of "you". If "you" means the US internet business community then DNS is part of that infrastructure and, from what's happened, appears to be a single point of failure for quite a large portion of "you".
      
      2 0 Reply
  3. Monday 24th October 2016 08:05 GMT leenex
    
    It's mainly an attack on port 53, right?
    
    What if DNS servers were able to agree on a different, free port as part of the protocol? There would be no telling which port would be used, and an attacker would have to scan 65535 port to find it, right?
    
    Any client scanning all ports would be easy to identify.
    
    (This was a brain fart from someone who can hardly configure a Cisco router.)
    
    0 1 Reply
    1. Monday 24th October 2016 11:48 GMT streaky
      
      It's not a question of scanning or whatever, the attack was against a "shared" DNS provider where all these sites were using common infrastructure. It's not as if you can "hide" your DNS server because resolvers have to be able to find them, so they have to be pointed at from the parent zone servers.
      
      0 0 Reply
Friday 21st October 2016 19:47 GMT Pen-y-gors

Sort out priorities...

I suspect so long as El Reg and a few other specialist interest sites are unaffected then this readership won't be too worried.

3 1 Reply
Friday 21st October 2016 19:55 GMT Anonymous Coward

The outage is actually doing a fab job at functioning as an ad-blocker.

37 0 Reply
1. Friday 21st October 2016 20:56 GMT ecofeco
  
  I noticed that as well.
  
  2 0 Reply
Friday 21st October 2016 19:57 GMT John Savard

Helpful Article

Hopefully, all DNS sites will start caching; I wish my computer would cache the IP address of sites I visit so that I wouldn't even notice a DNS failure - it could even warn me if an IP address changes, to help prevent IP spoofing.

Anyways, I switched my DNS to that given in your article, and I could connect to the RuneScape servers once more! Quite saved my morning. Also I was reading old issues of U&lc, and that too was restored.

1 3 Reply
1. Friday 21st October 2016 20:07 GMT hmv
  
  Re: Helpful Article
  
  DNS already does caching, but those who run amazon.com and github.com have chosen to minimise the caching time to make it easier to switch things around and disregarding the usefulness of caching.
  
  9 1 Reply
  1. Friday 21st October 2016 20:55 GMT 404
    
    Re: Helpful Article
    
    Ayup... mid to late 90's with NT DNS(!) servers, then later with Solaris x86 Bind DNS servers, when setting up new websites, you always had to stop Internet Exploder, close Netscape, restart your DNS client, just to check to see if the scripts took...
    
    I'm sorry, I don't know where I was going with this -> wife pops in with 'Oh look, a portable ski lodge!'... thought evaporated.
    
    3 3 Reply
  2. Friday 21st October 2016 21:21 GMT Anonymous Coward
    
    Re: Helpful Article
    
    "DNS already does caching"
    
    Not really - each record has a Time To Live (TTL) in seconds. Your DNS server should honour that but it can go a bit mad when people ignore the standards to fix things.
    
    For example I've just looked up github.com via 2001:4860:4860::8888 (Google public DNS - IPv6) four times in quick succession and got the following TTLs: 117, 160, 144 and 18. I then looked up the NS records (AWS, four NS records) and looked them up there - now the A records round-robin between two IP addresses and with a TTL of 300.
    
    The world can be a nasty place
    
    3 3 Reply
    1. Friday 21st October 2016 23:27 GMT patrickstar
      
      Re: Helpful Article
      
      Completely normal, expected, and perfectly TTL-obeying behavior.
      
      DNS resolvers don't reply with the TTL as originally specified in the response from the authoritative DNS server (i.e. what the guy who set up the domain specified) - they respond with the time remaining until the record expires from their cache.
      
      Your 4 queries ended up at 4 different servers. Google's DNS servers exist at multiple locations with the same IP address - this is what's known as anycast instancse. Each anycast instance then consists of multiple actual servers behind a load balancer. The load balancer just picked a server at random for each of your queries. Nothing mystical about any of this - everyone big does the same thing in almost exactly the same way, including the root servers.
      
      These 4 servers had cached the record (i.e. received a query for it when it wasn't cached and subsequently looked it up and stored the result in the cache) at different times. Hence different times remaining until expiration in their caches.
      
      7 0 Reply
2. Sunday 23rd October 2016 14:59 GMT Gary Bickford
  
  Re: Helpful Article
  
  > Hopefully, all DNS sites will start caching; I wish my computer would cache the IP address of sites I visit so that I wouldn't even notice a DNS failure - it could even warn me if an IP address changes, to help prevent IP spoofing.
  
  I have local DNS server running in cache mode on all my computers - desktops and servers. Theses are all Linux machines. IDK if Windows has that capability, but I think the default configuration for Ubuntu is to run bind as a caching DNS server if it is turned on. So then I have my net config is using 127.0.0.1 as the DNS source, and my bind configuration uses 8.8.8.8 plus another one.
  
  One additional benefit is that when I'm on a cable connection this bypasses the cable company's default DNS that it sets up in my cable modem's DHCP config, which they use for various nefarious purposes such as inserting their own ads in websites, selling my traffic info, and "fixing" domain name typos by routing to their own advertising sites. I've seen all of those tricks at various times when visiting people who use comcast or optimum.
  
  2 1 Reply
Friday 21st October 2016 20:00 GMT Scott 26

No irony at all...

... at an article about a DDOS attack that has twitter affected, with a twitter screenshot in it....

8 0 Reply
Friday 21st October 2016 20:08 GMT ma1010

ENOUGH!

You know, this is really enough of this crap. What's the point? It's like the assbags that went out and wrote viruses and sent them around to screw up computers of people they didn't even know. What was that for? And now why try to bugger up the whole Internet?

I'm not smart enough to figure out a solution (and there may not be one), but it seems to me that something should be possible.

Technically, we need some geniuses to figure out a way to trace this crap back to its source. Politically, we need international treaties which provide that anyone who screws up the Internet, regardless of where they are, will be arrested and tried for it. Once found guilty, give them a nice, LONG prison sentence. And maybe a permanent, non-dischargable judgment (for many millions) that follows them around for the rest of their life to make sure they're pauperized to the point they can't AFFORD a computer.

5 3 Reply
1. Friday 21st October 2016 20:21 GMT Mark 85
  
  Re: ENOUGH!
  
  You raise a good point with: "What's the point?". Perhaps a live fire test of the botnets? A warning? Not sure from here.
  
  With the IoT crap getting whipped into botnets, this could be a harbinger: "Remember this? we'll pay us or you're next."
  
  Or a state actor group flexing it's muscles as a warning....?
  
  I just don't think it's being done for fun.
  
  13 0 Reply
  1. Friday 21st October 2016 21:38 GMT Dan 55
    
    Re: ENOUGH!
    
    Or a state actor group flexing it's muscles as a warning....?
    
    Just after the big important IoT meeting in the US...
    
    2 0 Reply
2. Friday 21st October 2016 20:57 GMT Martin Summers
  
  Re: ENOUGH!
  
  Have you never watched films? There's always some evil dude who wants to destroy the planet in some way. It's an ego thing, nothing rational.
  
  6 0 Reply
  1. Friday 21st October 2016 21:03 GMT Martin-73
    
    Re: ENOUGH!
    
    The chap should be easy enough to track down. He'll be covered in long white persian cat hair
    
    9 0 Reply
    1. Monday 24th October 2016 11:44 GMT CrazyOldCatMan
      
      Re: ENOUGH!
      
      The chap should be easy enough to track down. He'll be covered in long white persian cat hair
      
      Phew! The only cats I have with white hair are all short-hairs. Maybe I'm only a little bit evil?
      
      1 0 Reply
  2. Friday 21st October 2016 22:16 GMT Haku
    
    Re: ENOUGH!
    
    "Have you never watched films?"
    
    I've heard of them. Doesn't Samuel L Jackson always play the black guy in those?
    
    9 0 Reply
3. Friday 21st October 2016 23:48 GMT Anonymous Coward
  
  Re: ENOUGH!
  
  Guess eventually the major internet companies or even government agencies will get proactive and start releasing bot-killers targeting vulnerable devices
  
  3 0 Reply

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Other stories you might like

Feline firewall woke developer to declaw DDoS disaster

System alerts were pinging but cat had no way of knowing what was happening

Offbeat 15 Apr 2024 | 19

Row breaks out over true severity of two DNSSEC flaws

Updated Some of us would be happy being rated 7.5 out of 10, just sayin'

CSO 26 Mar 2024 | 11

Some 300,000 IPs vulnerable to this Loop DoS attack

Easy to exploit, not yet exploited, not widely patched – pick three

Research 24 Mar 2024 | 24

Nominet to restructure, slash jobs after losing 'major deal'

Prices also set to rise after being frozen since 2020

Networks 21 Mar 2024 | 37

French government sites disrupted by très grande DDoS

Russia and Sudan top the list of suspects

Public Sector 12 Mar 2024 | 7

Just one bad packet can bring down a vulnerable DNS server thanks to DNSSEC

Updated 'You don't have to do more than that to disconnect an entire network' El Reg told as patches emerge

Patches 13 Feb 2024 | 15

NKabuse backdoor harnesses blockchain brawn to hit several architectures

Novel malware adapts delivers DDoS attacks and provides RAT functionality

Research 15 Dec 2023 | 3

DDoS-like attack brought down OpenAI this week, not just its purported popularity

Plus: Lab launches dataset sharing initiative for its own benefit

AI + ML 9 Nov 2023 | 2

Inside Denmark’s hell week as critical infrastructure orgs faced cyberattacks

Zyxel zero days and nation-state actors (maybe) had a hand in the sector’s worst cybersecurity event on record

Cyber-crime 13 Nov 2023 | 38

HTTP/2 'Rapid Reset' zero-day exploited in biggest DDoS deluge seen yet

Botnet storm drowned last record with 398 million requests per second

CSO 10 Oct 2023 | 13

Huge DDoS attack against US financial institution thwarted

Akamai reckons traffic flood peaked at 55.1 million packets per second

Cyber-crime 11 Sep 2023 | 1

Mirai reloads exploit arsenal as botnet embarks on another expansion drive

With 13 new payloads it's the biggest update to the botnet in months

Research 10 Oct 2023 |

The Register Biting the hand that feeds IT

About Us

Our Websites

Your Privacy

Situation Publishing

Copyright. All rights reserved © 1998–2024