How Friday’s Massive DDoS Attack on the U.S. Happened
On the morning of October 21st, Dyn began to suffer a distributed denial of service (DDoS) attack that disrupted its Managed DNS network. Because a large share of popular sites relied on Dyn for authoritative DNS, hundreds of thousands of websites became unreachable for most of the world, including Amazon's EC2 service, whose hostnames could not be resolved. The problem intensified later in the day when the attackers launched a second wave against Dyn's DNS infrastructure. Dyn's mitigation of the attack can be viewed on RIPE's website, where a video illustrates the BGP route changes made while the attack was under way.
[Figure: Amazon status update from the Dyn outage]
The Domain Name System (DNS) is the phone book, or roadmap, of the internet. DNS servers maintain a directory that maps domain names to their corresponding IP addresses. Humans remember names more easily than numbers, so when a user types Radware.com into a browser, the browser first asks DNS for the IP address behind that name (22.214.171.124 in this example) and only then connects to it. If that lookup fails, the site is unreachable even though the web server itself is up.
Researchers have long warned about the risk of the vast majority of internet services concentrating their DNS on a handful of providers. Compounding this, a large number of organizations use a single DNS provider for both their primary and secondary name servers, so the redundancy is only nominal. When Dyn came under attack, those without a second, independent DNS provider found their domains unresolvable and their users unable to reach their websites.
This is not the first time a DNS service provider has been targeted. On May 16th, NS1's Managed DNS network fell victim to a similar attack. Over the course of that week, NS1 sustained multiple DDoS attacks, ranging from simple volumetric floods to direct malicious DNS queries and malformed packets. The queries were reported to be broadly sourced and aimed at real customer domains and random variations of them, which made detection and mitigation much more difficult: each query looked like a legitimate lookup for a zone the provider actually hosts, and no single source sent enough traffic to stand out.
A DNS flood is a UDP flood in which the attacker targets one or more DNS servers, whether authoritative servers or resolvers. Unlike reflection or amplification attacks, a DNS flood is symmetric: the attacker sends a packet for every packet the target has to process, and the goal is to exhaust the server's resources (memory, CPU or network capacity) with a deluge of crafted UDP name-resolution requests. By sending a massive number of requests to the targeted DNS server, the attacker consumes the service's capacity, and legitimate requests are delayed or dropped.
These attacks are not aimed at the customers hosted on the network but at the DNS provider itself. Attackers attempt to exhaust the provider's resources by flooding its name servers with junk DNS queries. Because DNS is the roadmap of the internet, when an attacker ties up all of a provider's resources, legitimate clients can no longer resolve the names of any domain that provider hosts, and every customer of that provider goes dark at once.
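The two floods described above (a single loud source, and the broadly sourced "random subdomain" flood NS1 reported) need different detection signals. The following is an added example, not code from the original post or from Dyn, NS1 or Radware; it assumes a constructed one-query-per-line authoritative-server log format and an assumed list of hosted zones, and combines a per-client rate check with a per-zone share of never-before-seen NXDOMAIN names:

```python
"""Detect a DNS flood against hosted zones from authoritative-server query logs.

Added example, not code from the original post or from Dyn/NS1/Radware.
Assumes a constructed one-query-per-line log format:
    <epoch seconds> <client ip> <qname> <qtype> <rcode>
Two signals are combined. A per-client rate catches a single loud source;
a per-zone share of unique NXDOMAIN names catches the broadly sourced
"random subdomain" flood, where every source stays below any per-source
rate limit but the zone as a whole is hammered with junk names.
"""
from collections import Counter, defaultdict

HOSTED_ZONES = ["example.com", "example.net"]   # zones this server serves (assumed)

# --- constructed sample log (not real traffic) ------------------------------
_LEGIT = [
    "1477047600 203.0.113.10 www.example.com A NOERROR",
    "1477047600 203.0.113.11 mail.example.com MX NOERROR",
    "1477047600 203.0.113.12 www.example.net A NOERROR",
    "1477047600 203.0.113.12 www.example.org A REFUSED",   # not our zone, ignored
    "1477047601 198.51.100.7 www.example.com A NOERROR",
    "1477047601 203.0.113.10 www.example.com AAAA NOERROR",
]
# one loud client: a plain single-source flood of a valid name
_LOUD = ["1477047601 198.51.100.99 www.example.com A NOERROR"] * 30
# 200 junk names under a real hosted zone, spread over 50 sources and 2 seconds:
# about 2 queries per source per second, invisible to per-source rate limits
_FLOOD = [
    f"{1477047600 + i % 2} 192.0.2.{1 + i % 50} x{i:05d}.example.com A NXDOMAIN"
    for i in range(200)
]
SAMPLE_LOG = "\n".join(_LEGIT + _LOUD + _FLOOD)


def parse_line(line):
    ts, client, qname, qtype, rcode = line.split()
    return int(ts), client, qname.lower().rstrip("."), qtype, rcode


def zone_of(qname, hosted_zones):
    """Return the hosted zone a query name falls under, or None if not ours."""
    for zone in hosted_zones:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def analyze(log_text, hosted_zones=HOSTED_ZONES, window=1, rate_threshold=20,
            nx_ratio_threshold=0.5, min_zone_queries=50):
    """Return (abusive_clients, attacked_zones).

    abusive_clients: sources exceeding rate_threshold queries in one window.
    attacked_zones:  zone -> share of its queries that were distinct NXDOMAIN
                     names, for zones over that share and with enough volume.
    """
    per_client_window = Counter()
    zone_total = Counter()
    zone_nx_names = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype, rcode = parse_line(line)
        per_client_window[(client, ts // window)] += 1
        zone = zone_of(qname, hosted_zones)
        if zone is None:
            continue
        zone_total[zone] += 1
        if rcode == "NXDOMAIN":
            zone_nx_names[zone].add(qname)   # distinct junk labels, not repeats
    abusive = sorted({c for (c, _), n in per_client_window.items() if n >= rate_threshold})
    attacked = {}
    for zone, total in zone_total.items():
        if total < min_zone_queries:
            continue
        ratio = len(zone_nx_names[zone]) / total
        if ratio >= nx_ratio_threshold:
            attacked[zone] = round(ratio, 3)
    return abusive, attacked


if __name__ == "__main__":
    clients, zones = analyze(SAMPLE_LOG)
    print("rate-limited clients:", clients)
    print("zones under random-subdomain flood:", zones)
```

On the constructed log the per-client rule flags only the one loud source, while the 200 junk queries, spread thinly across 50 sources, are caught only by the per-zone signal. That is the practical lesson of the NS1 and Dyn attacks: per-source rate limiting alone does not see a broadly sourced flood, and the zone-level view is what lets a provider drop queries for nonexistent labels before they reach the zone's back end.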
DNS service providers see a massive amount of traffic every day and can comfortably absorb several 20-60 Gbps attacks at a time. When attack traffic grows beyond 600 Gbps, the neighborhood starts to shake: resources are exhausted and service degrades. Attacks over 1 Tbps pose an even bigger threat. They are so large that parts of the upstream network infrastructure cannot carry the traffic and end up null-routing the target to prevent further outages, which completes the attacker's work for them. Internet of Things (IoT) botnets are leading the way into this new, largely unmitigated territory.
Behind these massive DDoS attacks are infected IoT devices. Both Flashpoint and Level 3 identified and confirmed that some of the infrastructure used in the denial of service attack against Dyn consisted of botnets running the Mirai malware. Mirai rose to fame during the attacks on Brian Krebs and OVH in September, where attack sizes reached a record-breaking 1.1 Tbps. Shortly after those attacks, a HackForums user, Anna-senpai, released the Mirai source code. Since then a number of attackers have modified and deployed the botnet for themselves. At the moment Radware has not been able to find the Mirai botnet itself offered for rent, but a quick glance at the darknet marketplaces turns up a number of other botnets for hire.
[Figure: PayPal switches DNS during the Dyn attack]
Mirai and a number of other malware variants targeting IoT devices infect them through default passwords. Attackers scan the internet for devices that expose Telnet and ship with factory-default credentials; Mirai does not brute-force anything, it simply tries a short list of well-known vendor username/password pairs. Because the scanning is aggressive and the vulnerable population is huge, attackers can enlist well over 100,000 devices in a single day, producing massive botnets that are always online, since the devices are rarely switched off, rebooted or patched.
[Figure: EA Support announces issues related to DynDNS]
Attackers are targeting DNS service providers in an attempt to destabilize the internet by hitting DNS, CDNs and other shared infrastructure. At the moment it is unclear who is actually behind the attacks, but one thing is clear: internet clients need to practice better DNS management and to filter outbound (egress) traffic on port 53, so that only their sanctioned resolvers can send DNS queries to the internet. An infected device that cannot reach arbitrary DNS servers directly cannot take part in a DNS flood, and a host that suddenly starts querying the internet on port 53 is a strong sign that it has been recruited.
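The egress-filtering recommendation above is easy to state and easy to get wrong (TCP 53 forgotten, or inter-VLAN queries to the internal resolvers accidentally blocked). The following is an added example, not code from the original post or from Radware; it assumes a constructed flow export and an assumed policy in which only two internal resolvers may send port-53 traffic outside RFC 1918 space. It audits flow records for hosts that violate the policy and renders the same policy as iptables FORWARD rules so that what is audited and what is enforced cannot drift apart:

```python
"""Find hosts sending DNS directly to the internet, bypassing the sanctioned resolvers.

Added example, not from the original post. Input is a constructed flow export
(one flow per line: "<src> <dst> <proto> <dst_port> <packets>", fields any
NetFlow/IPFIX collector can produce). Policy, an assumption for this example:
internal hosts may talk to port 53 only on internal addresses (the resolvers);
only the resolvers may send port-53 traffic, UDP or TCP, to external addresses.
"""
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESOLVERS = ("10.0.0.53", "10.0.1.53")   # assumed internal recursive resolvers

# constructed sample flows: a camera on 10.0.5.17 is querying external name
# servers directly at high volume; a laptop on 10.0.2.20 has a stray TCP lookup
SAMPLE_FLOWS = """\
10.0.0.53   198.51.100.2   udp 53   120
10.0.0.53   198.51.100.2   tcp 53   3
10.0.2.20   10.0.0.53      udp 53   45
10.0.2.20   203.0.113.1    tcp 53   12
10.0.5.17   198.51.100.9   udp 53   4210
10.0.5.17   203.0.113.5    udp 53   3980
10.0.5.17   203.0.113.5    udp 123  2
10.0.2.21   203.0.113.80   tcp 443  900
"""


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_violations(flows: str, resolvers=RESOLVERS):
    """Return (src, dst, proto, packets) for port-53 flows to external
    addresses from any host that is not a sanctioned resolver."""
    bad = []
    for line in flows.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, pkts = line.split()
        if dport != "53" or proto not in ("udp", "tcp"):
            continue                        # not DNS (TCP 53 counts too)
        if is_internal(dst) or src in resolvers:
            continue                        # allowed by policy
        bad.append((src, dst, proto, int(pkts)))
    return bad


def rank_offenders(violations):
    """Packets per offending source, worst first. Thousands of direct
    queries from one embedded device is the bot pattern to chase first."""
    totals = Counter()
    for src, _dst, _proto, pkts in violations:
        totals[src] += pkts
    return totals.most_common()


def iptables_rules(resolvers=RESOLVERS):
    """Render the policy as iptables FORWARD rules (returned as strings, not
    executed here). Order matters: internal-destination and resolver accepts
    come before the catch-all drop."""
    rules = []
    for net in INTERNAL_NETS:               # DNS to internal resolvers stays allowed
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -A FORWARD -p {proto} --dport 53 -d {net} -j ACCEPT")
    for r in resolvers:                     # only the resolvers may query the internet
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -A FORWARD -p {proto} --dport 53 -s {r} -j ACCEPT")
    for proto in ("udp", "tcp"):            # everything else on port 53: log, then drop
        rules.append(f"iptables -A FORWARD -p {proto} --dport 53 -j LOG --log-prefix 'DNS-EGRESS '")
        rules.append(f"iptables -A FORWARD -p {proto} --dport 53 -j DROP")
    return rules


if __name__ == "__main__":
    found = egress_violations(SAMPLE_FLOWS)
    for src, dst, proto, pkts in found:
        print(f"VIOLATION {src} -> {dst} {proto}/53 ({pkts} packets)")
    print("offenders:", rank_offenders(found))
    print("\n".join(iptables_rules()))
```

The LOG rule before the DROP is deliberate: once the filter is in place, the log line is the cheapest detection you have for a newly infected device, because a legitimate host has no reason to hit it.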
Many have already speculated about who is behind the attack, with suggestions ranging from Russia and China to Anonymous and Anna-senpai. With the elections quickly approaching, most are leaning towards Russia, but the attack does not fit the pattern of a nation-state operation. Nor does it fit the MO of Anonymous, which normally announces campaigns ahead of time, publishing a target list and coordinating the attacks. Anonymous only opportunistically claimed credit for this attack between the first and second wave, citing payback for Julian Assange's internet connection being cut off.
It is expected that this attacker will continue to test the limits of DNS and the internet infrastructure until the industry addresses and resolves the weaknesses in DNS resilience and IoT security.
Internet clients could have avoided the outage on October 21st if they had used a second, independent provider for their secondary DNS, so that resolvers could fall back to the other provider's name servers when Dyn's stopped answering. Internet clients need to take the time to adopt DNS management best practices and to actively filter port 53 egress traffic.
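Whether a delegation would have survived the outage is something you can check from the NS RRset itself, and it covers both the centralization warning earlier in the post and the recommendation above. The following is an added example, not code from the original post or from Radware; the delegations are constructed so the check runs offline (in practice fetch them with `dig +short NS <domain>` and resolve each host). It approximates a provider by the registrable domain of the name-server hostname (the last two labels, an assumption that ignores multi-label public suffixes such as co.uk) and also requires independence at the network level, so two brand names that resolve into the same block do not count as redundancy:

```python
"""Check whether a domain's NS delegation spans two independent DNS providers.

Added example, not from the original post. Works on an NS RRset plus each
name server's addresses; the data below is constructed so it runs offline.
Assumptions: a provider is approximated by the last two labels of the
server hostname (no public-suffix list), and servers inside the same
/24 (IPv4) or /48 (IPv6) are treated as one network.
"""
import ipaddress
from collections import defaultdict


def provider_of(ns_host: str) -> str:
    labels = ns_host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def network_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def assess_delegation(ns_records: dict) -> dict:
    """ns_records maps NS hostname -> list of its addresses.

    Returns the providers found, the distinct networks, and a verdict:
    redundant only if there are at least two providers AND two networks."""
    providers = defaultdict(list)
    networks = set()
    for host, addrs in ns_records.items():
        providers[provider_of(host)].append(host)
        networks.update(network_of(a) for a in addrs)
    redundant = len(providers) >= 2 and len(networks) >= 2
    return {"providers": dict(providers),
            "networks": sorted(networks),
            "redundant": redundant}


# --- constructed delegations (documentation addresses, hypothetical hosts) ---
SINGLE_PROVIDER = {     # four servers, one provider: looks redundant, is not
    "ns1.dns-a.example": ["198.51.100.1"],
    "ns2.dns-a.example": ["198.51.100.2"],
    "ns3.dns-a.example": ["203.0.113.1"],
    "ns4.dns-a.example": ["203.0.113.2"],
}
TWO_PROVIDERS = {       # two providers, four networks: survives one provider going down
    "ns1.dns-a.example": ["198.51.100.1", "2001:db8:a::1"],
    "ns2.dns-a.example": ["203.0.113.1"],
    "ns1.dns-b.example": ["192.0.2.1", "2001:db8:b::1"],
    "ns2.dns-b.example": ["192.0.2.2"],
}
WHITE_LABEL = {         # two brand names resolving into the same block: no real independence
    "ns1.dns-a.example": ["198.51.100.1"],
    "ns1.dns-c.example": ["198.51.100.9"],
}


if __name__ == "__main__":
    for name, records in (("single", SINGLE_PROVIDER),
                          ("dual", TWO_PROVIDERS),
                          ("white-label", WHITE_LABEL)):
        result = assess_delegation(records)
        print(f"{name}: providers={list(result['providers'])} "
              f"networks={result['networks']} redundant={result['redundant']}")
```

A second provider only helps if both providers' name servers are listed in the delegation at the registrar and the zone data is kept in sync between them (zone transfer from a hidden primary, or the same records pushed to both APIs); a secondary that is listed but serving stale data fails in a quieter way.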