Today the web was broken by countless hacked devices – your 60-second summary

Re: Running your own DNS and using hosts files

Not really. You need a way to refresh the entries, which is why DNS is hierarchical. But I suspect the attackers will find a way to bring the entire Internet to its knees. Even if they have to attack 20 places at once, with a million devices to each one, they could still do it. What next? Carpet-IP-bombing by setting every pwned devices to flood the Internet with random honest-looking HTTP requests that can't be distinguished from real ones?

Give Musk some credit to that end.

Re: Remove SPOF

I consider "Zone Transfers" as a relic, frankly. What's wrong with pushing updates using a REST interface to each server that needs to publish the zone?

"All IoT devices MUST have open source software, must be update-able over the network, and perform the update from secure servers, look for updates on a weekly basis. All above and future problems solved. Don't adhere to this, don't get a license from FCC, EU etc"

The devices come from China and are imported direct. Who gives a damn? As for the update mechanism, they'll just hijack it and pwn it THAT way.

Re: "....big names including GitHub, Twitter, Reddit, Netflix, AirBnb ...."

For me it took out our company's website. Even the euro hosted version. The dyn servers in europe were hit hard too as my monitoring for europe website originates at only european locations.

Add to that our external notification system pager duty was hit hard too and unable to function. Was getting a lot of calls from them (automated) with no content others said they just heard the message "applocation error"

West coast US dyn was hit as i wqs quering west coast servers for pager duty dns but got no response.

Users couldn't login to datacenter vpn because well dns was out. I happened to be physically on site (one of two trips per year). Our chat app is slack and maybe coincidence but could not login to slack on my computer from our data center for 30mins it just hung with no error message.

Management is considering adding a 2nd dns provider I told them obviously if we do that than a 2nd CDN provider is needed and would be a good idea to have a 2nd external monitoring provider as well. All comes down to costs.

Dyn's track record is practically flawless over the past 15 years(I've been an enterprise dyn customer for 7 of those). They know what they are doing. Myself anyway has to cut them some slack. They do have a 15 second SLA though ddos may be an exception to it.

It's also obvious they will be doing tweaks to their strategy to help combat this better in the future, and obvious not to expect this can't happen again. Other than IoT botnets it's impressive to me dyn has lasted thisnlong without serious outages. Amazon became a dyn customer roughly 6 years ago after a massive ddos on ultra dns. (They still use both today though there are more dyn servers in their whois record than ultradns when I looked yesterday )

Fortunately at the end of the day the attack was little more than an annoyance for me personally. I am more facinated by the scale of this attack than anything else.

All in all dyn responded quite well. I have been involved in outages that have stretched more than 30 hours (and being awake on it the whole time). So I have battle scars and a few hrs of disruption doesn't make me blink anymore.

My org was involved in collateral damage from another round of ddos that targeted internap earlier in the year. That took probably 2 weeks before it was completely dealt with? That too was by far the biggest ddos impact i had seen from internap (who has a 100%uptime sla though ddos not covered) in being a customer for 10 years.

"Clearly there is no redundancy for Dyn"

Or Dyn has redundancy but the botnet was able to swamp the redundancy just as easily. Which would be even scarier as you're talking tsunami-type Internet flooding capable of swamping a provider who lives on mitigating swamping attacks. Like building for a once-in-a-century wave only to encounter a once-in-a-millennium wave.

Re: Education

That is the question that brings me back to ElReg. Unfortunately it appears there is no easy answer. Simply doing smart things like using script blockers and avoiding windows like the plague it won't fix IoT problems. It appears that, just like thermonuclear war, the only option is to not play the game. At least you know your vintage toaster isn't out to get you.

Re: Education

Fair question. Here's one answer. I'm sure knowledgeable people will chip in if I say something wrong ( https://meta.wikimedia.org/wiki/Cunningham%27s_Law ) .

Make sure your router has its firewall enabled.

Make sure that firewall is not allowing any incoming traffic.

Make sure your router is not supporting UPnP.

I would like to think that these are the default settings for any socially responsible router, but I fear that UPnP is probably enabled by default to enable attacks like we've just seen. (Oh, and also to enable world+wife to watch your webcam to see if you habitually pad about naken at home.)

Your router definitely should have these features. If you can't find the controls for them, get a new router. If you can't get a new router, get a new ISP. If you can't get a new ISP, move house.

Re: Maybe a sledgehammer approach is needed?

"If manufacturers are going to continue turning out IoT devices with little or no security to prevent them being used in these attacks, then ultimately they could be deemed a thread to the national security of many countries and should be treated as hostile."

Problem is China can fight back, and China has nukes...

Re: Maybe a sledgehammer approach is needed?

I know it isn't a real world solution but I'd love to see every infected device bricked. Since these device are already easy to access it should be fairly trivial to pop in and check for Mirai. Fry the device and let the owner try to get compensation from the manufacturer for selling a defective product.

Obviously this isn't a long term solution as the Black Hats would quickly work out the attack vector. At least millions of compromised devices would be permanently removed as a threat.

Re: Late news

New world hacking is the responsible agency, apparently

Re: ISP - do they have the tools...

Not really. Each individual contribution is not that big, so it's a form of "smurfing." It's only when taken as a whole that they're formidable. Like army ants and killer bees.