
Dyn, a major DNS provider, was hit with a massive DDoS attack on October 21, 2016. The attack was so severe that it caused widespread outages across the internet, affecting major websites like Twitter, Netflix, and Amazon.
The attack was carried out using a botnet of compromised internet of things (IoT) devices, including security cameras and routers. This type of botnet is particularly effective because it's difficult to identify and block the traffic coming from so many different sources.
The attackers used a technique called amplification to amplify the traffic coming from the botnet, making it even more difficult for Dyn to defend against. This amplification was achieved by exploiting a vulnerability in the NTP (Network Time Protocol) protocol.
The attack lasted for several hours, causing significant disruptions to internet services.
Explore further: Extensible Provisioning Protocol
What Happened
A sophisticated Distributed Denial of Service (DDoS) attack occurred on October 21, 2016.
Dyn was the victim of the attack, which impacted services and users across the internet. This happened because many companies used Dyn to host their DNS.
Attempts to access sites and services using domain names resolved by Dyn returned a DNS error.
The attackers used a Mirai botnet, involving tens of millions of IP addresses.
Dyn described the attack as highly distributed and sophisticated.
You might enjoy: Amazon Web Services
Causes and Contributing Factors
The DDoS attack on Dyn was a complex event with several contributing factors. A large botnet attack in waves targeted port 53, the port used by Dyn's servers to serve responses to DNS requests.
Dyn was one of the top DNS providers on the internet, and its services were used by many other companies. This made it a critical point of failure, impacting many companies that depended on a single DNS provider.
Companies that hadn't tested their DNS provider's failure scenario were caught off guard. They didn't know how to respond when Dyn's servers went down.
The Dyn incident highlighted the importance of testing DNS provider failure scenarios. It's essential to understand how your business will be affected and what steps to take in case of a disaster.
A key factor that exacerbated the impact of the attack was the compounding recursive DNS retry traffic it generated. This further overwhelmed Dyn's servers and made the situation worse.
The Time To Live (TTL) setting in the SOA record also played a role in the incident. Companies with low TTLs set for their DNS records were likely impacted more, as DNS servers cached their records for shorter periods.
Take a look at this: I D I O T
Impact and Affected Services
The DDoS attack on Dyn had a significant impact on the internet. Over 14,000 internet platforms stopped using Dyn as a DNS provider following the incident, representing 8% of the company's customer base.
Dyn faced substantial recovery expenses from the attack, including costs related to identifying the incident, mitigating its impact, and investigating the cause. The exact recovery expenses are unclear, but organizations spend an average of $2.5 million recovering from DDoS attacks.
The attack resulted in major disruptions for Dyn and the internet platforms it serviced, rendering these platforms temporarily unavailable. This was a significant issue, as DDoS attacks can cost as much as $22,000 per minute of downtime they cause.
Dyn was able to mitigate the incident within two hours, which is faster than the average time it takes to resolve a DDoS attack. However, the interruptions were still significant, and some customers no longer trusted Dyn to service their internet platforms after the attack.
You might enjoy: Dyn (company)
The affected services included a wide range of popular websites and platforms. Here are some of the notable ones:
- Airbnb
- Amazon.com
- Ancestry.com
- The A.V. Club
- BBC
- The Boston Globe
- Box
- Business Insider
- CNN
- Comcast
- CrunchBase
- DirecTV
- The Elder Scrolls Online
- Electronic Arts
- Etsy
- Evergreen ILS
- FiveThirtyEight
- Fox News
- The Guardian
- GitHub
- Grubhub
- HBO
- Heroku
- HostGator
- iHeartRadio
- Imgur
- Indiegogo
- Mashable
- National Hockey League
- Netflix
- The New York Times
- Overstock.com
- PayPal
- Pixlr
- PlayStation Network
- Qualtrics
- Quora
- Roblox
- Ruby Lane
- RuneScape
- SaneBox
- Seamless
- Second Life
- Shopify
- Slack
- SoundCloud
- Squarespace
- Spotify
- Starbucks
- Storify
- Swedish Civil Contingencies Agency
- Swedish Government
- Tumblr
- Twilio
- Verizon Communications
- Visa
- Vox Media
- Walgreens
- The Wall Street Journal
- Wikia
- Wired
- Wix.com
- WWE Network
- Xbox Live
- Yammer
- Yelp
- Zillow
Response and Retrospective
Dyn quickly put protective measures in place during the attack, and they're extending and scaling those measures aggressively.
The attacks exposed a significant vulnerability for companies relying on a single managed DNS provider - it's a single point of failure. This was especially evident for Dyn's customers, who were left without DNS services during the attack.
Dyn conducted a retrospective response to the attacks, including traffic-shaping, rebalancing, internal filtering, and scrubbing services. This shows the importance of having a plan in place for emergency situations.
Some companies simply switched to a different managed DNS provider, but this doesn't solve the underlying issue. To truly mitigate the risk, companies need to rely on multiple providers to eliminate the single point of failure.
Dyn has been actively discussing learnings and mitigation methods with internet infrastructure providers, which is a great step towards improving the overall resilience of the DNS system.
Suggestion: Microsoft Azure Services Appauthentication
About the Attack
The Mirai botnet was the culprit behind the massive DDoS attack on Dyn, which occurred on October 21, 2016. This attack was a significant event in the world of cybersecurity.
The botnet flooded the Dyn network with connections to the port 53, the network port used for DNS resolution, commonly called the DNS port. This led to a massive influx of traffic, with packet flow bursts 40 to 50 times higher than normal.
Dyn's own mitigation efforts, as well as those of upstream providers, prevented a significant portion of the traffic from reaching the company. However, the attack still caused substantial damage and disruptions.
At least two waves of attacks occurred, with the second wave being more globally diverse. Dyn was able to mitigate the attacks and restore service, but not before significant damage had been done.
The attack resulted in major disruptions for Dyn and the internet platforms it serviced, rendering these platforms temporarily unavailable. This downtime can be costly, with DDoS attacks costing as much as $22,000 per minute.
For another approach, see: Network Domain
Frequently Asked Questions
What is a DNS DDoS attack?
A DNS DDoS attack is a type of cyber attack that overwhelms a website's DNS servers with fake traffic, making it difficult for users to access the site. This malicious tactic disrupts online services and can have serious consequences for businesses and individuals.
What is the most famous DDoS attack?
The most famous DDoS attack is the Mirai Dyn DDoS Attack in 2016, which was a massive and highly publicized cyberattack that disrupted major internet services worldwide. This attack is often cited as one of the most significant DDoS attacks in history, highlighting the growing threat of DDoS attacks and the need for robust cybersecurity measures.
Featured Images: pexels.com


