ISC Briefing: Large DDoS Attack Against Dyn

Published: 2016-10-23
Last Updated: 2016-10-23 17:39:46 UTC
by Johannes Ullrich (Version: 1)
7 comment(s)

Last Friday, a large DDoS attack against Dyn made many popular websites unreachable. The outage was covered by mainstream news outlets, so it is likely that you will be asked to brief your boss or your team about it. To help, we prepared a short presentation that you may use as part of such a briefing. We are publishing the slides and a video of the presentation for you to use; you may modify the slides at will (add or remove material), but please give us credit if you use any of it.

If you have any feedback, please let us know. We may update the presentation later this evening based on any suggestions we receive.

Powerpoint Slides: https://isc.sans.edu/presentations/dyndnsattack.pptx

YouTube Video of Presentation: https://youtu.be/AsEzDXjyhG8

I hope you will find this useful. We also held a webcast about a week ago on the Mirai botnet; you can find it here: https://www.sans.org/webcasts/103182

---
Johannes B. Ullrich, Ph.D.

Keywords: dns dyn mirai

Comments

Johannes what does "Evaluate your dependency on DNS, specifically for your most critical domains" mean? The wording suggests using something other than DNS for name resolution. Workable for apps on mobile devices if I control the code (i.e. hardcoded IP addresses) but was that your intention? Or, did you mean to evaluate and consider using multiple DNS providers?
In some cases, business critical processes may not need DNS (but I admit, most will). Maybe a host file can be used as a workaround internally. IP addresses should never be hardcoded into code. That tends to create more problems than it solves. But a host file, or the ability to add specific zones to an internal DNS server, may be appropriate to mitigate an external DNS outage.
Unfortunately hosts files cannot scale for a company of even moderate size. While we were not directly affected, several critical vendors we work with many times a day were down. They had no website, no customer portals, no way to transfer files to them and they had no inbound email. They also had a "phone DDoS" because their account rep voicemail boxes were full as were cell phone voicemail boxes, undoubtedly because almost every customer they had was calling them.

And, of course, we were experiencing higher call volumes because our people could not get to their vendors. It always rolls downhill.
Instead of host files, adding respective entries to a recursive name server can scale a bit better. But either way, it will be ugly and often it just will not work. But the high call volume is a good point, and something to consider when you try to figure out the impact of a DNS outage. And VoIP may of course depend on DNS as well. (email delivery of voice messages will)
Thanks Johann, I understand what you were saying now.
One of the bullet points in Slide 7 - (How can we minimize the risk), states "This requires additional tools and setup to make sure information is sync’d across different providers".
What are these specific tools and setup exactly?
Minor typo on 2nd last slide: s/devises/devices/
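Two of the questions in the comments above (how to evaluate a zone's dependency on a single DNS provider, and what kind of tooling is needed to keep a zone in sync across providers) can be answered with a small amount of code. The following is an added example, not part of the diary, the slides, or Dyn's or any provider's tooling. It assumes a simple "last two labels" heuristic to identify the provider behind a nameserver hostname (a public-suffix list would be needed for names like ns.example.co.uk), and it works on constructed sample data rather than live DNS, so it runs offline; in practice you would feed it the output of `dig +short NS yourdomain` and the zone exports from each provider.

```python
"""Two checks for dependence on a single DNS provider.

Added example (not from the ISC diary or its slides).  All sample data
below is constructed; reserved .example / 192.0.2.0/24 names are used.
"""
from collections import defaultdict


def provider_of(ns_host: str) -> str:
    """Registrable-domain heuristic: last two labels of the NS hostname.

    Assumption: provider nameservers look like ns1.p16.provider.tld.
    Multi-label public suffixes (co.uk) need a real public-suffix list.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def provider_diversity(ns_hosts):
    """Group a zone's NS hostnames by provider -> {provider: [ns, ...]}.

    A single key means every authoritative server for the zone sits with
    one operator: one DDoS against that operator takes the zone offline.
    """
    groups = defaultdict(list)
    for host in ns_hosts:
        groups[provider_of(host)].append(host.rstrip(".").lower())
    return dict(groups)


def single_provider(ns_hosts) -> bool:
    """True if all NS records point at one provider (the Dyn-style risk)."""
    return len(provider_diversity(ns_hosts)) < 2


def parse_records(text):
    """Parse 'name ttl class type rdata' lines (BIND-style zone export,
    one record per line, ';' comments) into {(name, type): set(rdata)}."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        name, _ttl, _klass, rtype, rdata = line.split(None, 4)
        rrsets[(name.lower().rstrip("."), rtype.upper())].add(rdata.strip())
    return dict(rrsets)


def zone_diff(export_a, export_b):
    """Compare two providers' copies of a zone.

    Returns {(name, type): (rdata_in_a, rdata_in_b)} for every RRset that
    differs.  TTLs are deliberately ignored because providers normalise
    them differently; rdata is what must match when one provider fails.
    """
    a, b = parse_records(export_a), parse_records(export_b)
    diffs = {}
    for key in set(a) | set(b):
        if a.get(key, set()) != b.get(key, set()):
            diffs[key] = (a.get(key, set()), b.get(key, set()))
    return diffs


# Constructed sample input: a zone hosted at one provider only...
SAMPLE_NS_SINGLE = [
    "ns1.p16.dns-provider-a.example.", "ns2.p16.dns-provider-a.example.",
    "ns3.p16.dns-provider-a.example.", "ns4.p16.dns-provider-a.example.",
]
# ...and the same zone after adding a second provider.
SAMPLE_NS_SPLIT = [
    "ns1.p16.dns-provider-a.example.", "ns2.p16.dns-provider-a.example.",
    "ns1.dns-provider-b.example.", "ns2.dns-provider-b.example.",
]

# Constructed zone exports from the two providers; the www record was
# changed at provider A and never pushed to provider B.
ZONE_PROVIDER_A = """
example.com.      300  IN A  192.0.2.10
www.example.com.  300  IN A  192.0.2.10
example.com.      3600 IN MX 10 mail.example.com.
"""
ZONE_PROVIDER_B = """
example.com.      60   IN A  192.0.2.10
www.example.com.  60   IN A  192.0.2.11   ; stale: not synced
example.com.      3600 IN MX 10 mail.example.com.
"""

if __name__ == "__main__":
    for ns in (SAMPLE_NS_SINGLE, SAMPLE_NS_SPLIT):
        print("single provider:", single_provider(ns), provider_diversity(ns))
    for (name, rtype), (in_a, in_b) in sorted(zone_diff(ZONE_PROVIDER_A, ZONE_PROVIDER_B).items()):
        print(f"MISMATCH {name} {rtype}: provider A {sorted(in_a)} vs provider B {sorted(in_b)}")
```

Run the diff check from a cron job against fresh exports (or AXFR, where the providers allow it) and alert on any mismatch; a silently diverged secondary provider gives you the cost of multi-provider DNS without the resilience. The provider check is only a heuristic: two providers that share upstream transit or anycast infrastructure still fail together, which is exactly the kind of dependency the slides ask you to evaluate.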
