On October 21, 2016, a series of three devastating and sweeping Distributed Denial of Service (DDoS) attacks was carried out in quick succession, targeting a Domain Name System (DNS) provider by the name of Dyn. At the time the largest and most significant DDoS attack ever launched, the botnet-aided Dyn DDoS attack involved tens of millions of IP addresses and resulted in the temporary inaccessibility or service interruption of major websites including (but not limited to) Amazon, Airbnb, the BBC, CNN, Twitter, the Wall Street Journal, and Xbox Live.
The cyberattack was deemed so significant that the US Department of Homeland Security reportedly started an investigation into the attacks in their aftermath.
The Threat of a DDoS Attack
A DDoS attack works by bombarding target websites or online services with enormous amounts of fraudulent traffic to knock them offline or render them inaccessible to legitimate users. What made the Dyn attack different is that, rather than targeting just one website, such as Amazon or Airbnb, it instead went after a Domain Name System provider.
DNS is responsible for connecting an internet domain name (the web address that would be entered by the user, such as www.thisisadomainname.com) with the corresponding IP address (a series of numbers separated by dots). You can think of it as working a bit like an old-fashioned phone book that features both names and phone numbers.
When a DNS provider is targeted, as was the case with the Dyn DDoS attack, it cannot function correctly. The attack on Dyn used malware called Mirai to create what is referred to as a botnet, made up of thousands of devices connected to the internet. These were then used to launch an attack that, at its height, was sending a massive 1.2 terabytes per second of traffic at Dyn.
A Problem Yet to be Solved
Following any major attack, the players affected try to figure out what happened and make sure that it doesn’t happen again. However, while lessons have almost certainly been learned from the Dyn/Mirai DDoS attack of 2016, many of those same vulnerabilities continue to exist.
For starters, researchers from Carnegie Mellon University have found that the overwhelming majority of top websites (upward of 80%) still do not manage their own DNS service but rather rely on a third-party DNS provider. They also don’t have a provisioned backup for their DNS server, which can be used in the event that their DNS provider is temporarily put out of commission.
They additionally discovered that there is a high concentration of just a few providers in the DNS ecosystem who serve a large number of the top websites. This means that such providers — names like CloudFlare, AWS (Amazon Web Services), and GoDaddy — are responsible for ensuring the smooth running of a large part of the internet. The researchers concluded that a similar attack to the one that took place in 2016 would yield similar results in the present day.
Malware-based attacks such as Mirai are also still eminently possible. Botnets have become an increasingly feared presence in the world of online cyberattacks. In the case of Mirai, it worked by using malware to infect internet-connected devices such as DVRs, home routers, security cameras, and the like — and then harnessing these as Manchurian Candidate-type remote weapons with which to bombard targets with fake traffic.
Even half a decade on, poor security practices involving Internet of Things (IoT) devices mean that a similar approach could be used to assemble a botnet for a similarly sized (or even larger) DDoS attack. The growing number of connected devices is only going to make this problem worse with time.
How to Defend Against Similar Attacks
Defending against DNS-targeting DDoS attacks is a “must” on the part of any company. The Dyn attack showed one way businesses are vulnerable, even if they themselves are not the direct target of the DDoS attack in question.
One smart move companies or organizations can make to protect themselves better is employing a backup DNS provider. A backup, secondary, or alternative DNS holds a copy of the zone data (the DNS records) of the main DNS server. In the event of an outage, such as the Dyn attack, it can keep responding to requests even when the primary DNS server is not working correctly.
It is also a brilliant move to employ anti-DDoS tools on an internal DNS server. Such protective measures safeguard your DNS server by functioning as the first destination for all incoming DNS queries. They then prevent illegitimate DNS queries from ever reaching your server, and mask it to protect against direct-to-IP network layer attacks.
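To check whether a zone actually has a backup DNS provider, and how concentrated a set of zones is on a few providers, the nameserver (NS) hostnames can be grouped by operator. The following is an added example, not code from the original article; the hostname-to-provider patterns are an illustrative, incomplete assumption and the sample zones are constructed.

```python
import re
from collections import Counter

# Illustrative and incomplete: nameserver hostname patterns -> operator.
# Route 53 spreads one zone across four TLDs, so grouping by parent
# domain alone would miscount it as four independent providers.
PROVIDER_PATTERNS = [
    (re.compile(r"\.awsdns-\d+\.(com|net|org|co\.uk)$"), "AWS Route 53"),
    (re.compile(r"\.ns\.cloudflare\.com$"), "Cloudflare"),
    (re.compile(r"\.domaincontrol\.com$"), "GoDaddy"),
    (re.compile(r"\.dynect\.net$"), "Dyn"),
]

# Constructed sample: NS sets as `dig +short NS <zone>` would print them.
SAMPLE_ZONES = {
    "shop.example": ["ns-101.awsdns-12.com.", "ns-900.awsdns-47.net.",
                     "ns-1500.awsdns-59.org.", "ns-1800.awsdns-33.co.uk."],
    "news.example": ["ns1.p01.dynect.net.", "ns2.p01.dynect.net."],
    "bank.example": ["ada.ns.cloudflare.com.", "ns-77.awsdns-09.com."],
    "blog.example": ["ns1.selfhosted.example.", "ns2.selfhosted.example."],
}

def provider_of(ns_host):
    """Map one nameserver hostname to the operator running it."""
    host = ns_host.rstrip(".").lower()
    for pattern, name in PROVIDER_PATTERNS:
        if pattern.search(host):
            return name
    # Fallback: last two labels (a simplification; wrong for e.g. co.uk).
    return ".".join(host.split(".")[-2:])

def audit(zone_ns):
    """Return {zone: sorted list of distinct DNS operators}."""
    return {zone: sorted({provider_of(h) for h in hosts})
            for zone, hosts in zone_ns.items()}

def single_provider_zones(report):
    """Zones whose nameservers all belong to one operator (no backup)."""
    return sorted(zone for zone, provs in report.items() if len(provs) < 2)

def concentration(report):
    """Share of audited zones that depend on each operator."""
    counts = Counter(p for provs in report.values() for p in provs)
    return {p: n / len(report) for p, n in counts.most_common()}

if __name__ == "__main__":
    report = audit(SAMPLE_ZONES)
    for zone in single_provider_zones(report):
        print(f"{zone}: no backup DNS provider (only {report[zone][0]})")
    for name, share in concentration(report).items():
        print(f"{name}: serves {share:.0%} of audited zones")
```

Several nameserver hostnames do not by themselves mean redundancy: the count that matters is the number of distinct operators behind them.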
DDoS attacks are nasty, regardless of what form they take. Time offline can be devastating for companies, resulting in significant damage and lost revenue. While such attacks have successfully taken down some giant websites, that’s not going to be much consolation for a business currently suffering the brunt of such an attack.
Fortunately, the tools are there to help protect you. It’s highly advisable that you make the most of them. After all, just because most websites are still vulnerable to a Dyn-style DDoS attack doesn’t mean you have to be among them.