The East Coast was under siege on Friday morning from a large-scale distributed denial of service (DDoS) attack that brought down more than a dozen prominent websites, including Twitter, Spotify, Netflix, GitHub, Amazon and Reddit. The initial attack was followed later in the day by at least two more waves of attack.
The attack against Dyn DNS shuttered a number of widely used sites. Most have returned to normal as of noon EST, although Amazon said it was weakened by a “hostname” issue. It wasn’t clear whether that glitch was related to the DDoS attack that hit Dyn, a Manchester, N.H.-based internet performance management company that also offers domain registration services and email products.
The global denial-of-service attack on Dyn’s “Managed DNS” infrastructure was so impactful because it went after the basic internet architecture that ties all those sites together – the domain name system, or DNS, which redirects internet users from simple web addresses, such as amazon.com, to the companies’ actual web servers.
“Because DNS is vital to every person, business and website across the entire internet for system stability and performance, online businesses commonly outsource DNS management to third-party providers who have better and more reliable infrastructures to operate on behalf of their customers,” Jeremiah Grossman, chief of security strategy at SentinelOne, told SCMagazine.com on Friday.
Historically, he said, this has worked to everyone’s benefit. “However, what we’re now seeing is that in light of the way the infrastructure works in the security landscape, they are attractive targets for large-scale DDoS attacks – because if you take out one of these DNS service providers, you can disrupt a large number of popular online services, which is exactly what we’re seeing today.”
Given the drastic increase lately in the size and scope of DDOS attacks, Grossman said that DNS providers are scrambling to increase bandwidth capacity to withstand the latest attacks. That’s why we have these providers, he said. They do it so that the rest of us that use them don’t have to incur the cost of doing so.
“This is a reminder of how effective an attack on one can be an effective attack on many,” Intel Security CTO Steve Grobman, told SCMagazine.com on Friday. “DNS is one of those internet infrastructure capabilities upon which we all rely. An attacker seeking to disrupt services to multiple websites may be successful simply by hitting one service provider such as this, a DNS provider, or providers of multiple other internet infrastructure mechanisms.”
It’s also a reminder of the risk of relying on multi-tenant service providers, be they DNS or a variety of many other managed cloud service providers, Grobman added.
“Delegating service capabilities to such multi-tenant service providers has tremendous benefits over traditional architectures where you’re responsible for running your own capabilities,” Grobman said. “But it also means that if those services are targeted with attacks of significant scale, all tenant services relying on a provider could be impacted.”
Given how much of our connected world must increasingly rely upon such cloud service providers, we should expect more such disruptions, Grobman said. “We must place a premium on service providers that can present backup, failover and enhance security capabilities allowing them to sustain and deflect such attacks.”
“As these types of attacks continue to grow in size, frequency and complexity, we must ask ourselves, how can companies prepare for attacks of this astounding new scope and size?,” Steve McGregory, senior director of application and threat intelligence at Ixia, told SCMagazine.com on Friday. One solution he offered was that companies must test to prevent these attacks. “The size of these DDoS attacks have increased by exponential amounts due to the availability of IoT botnets, which are easily used to attack security cameras, routers, and other connected devices.”
The availability of these services and large-scale botnets-for-hire makes it relatively easy to launch an attack that can even disrupt the operations of large, robust public websites that are designed to handle high traffic volumes, McGregory said.
“Organizations can mitigate the impact of these attacks by reducing their attack surface – blocking web traffic from the large numbers of IP addresses that are known to be bot-infected, or are known sources of malware and DoS attacks,” he stated. “Using an appliance specifically for line-speed IP address filtering can deliver this protection by simply eliminating the malicious traffic, helping to keep resources running.”
DDoS is not a new form of attack in and of itself, but methods and strategies around DDoS continue to evolve in the form of larger and more orchestrated attacks, Paul Calatayud, CTO of FireMon, told SCMagazine.com. “Often, the measure of the level of sophistication of a DDoS attack comes in the form of measured throughput. The attack details are not known in this particular attack, but recent attacks against [security researcher Brian] Krebs are reported to be upwards of 620 Gbps. That is a tremendous amount of data coming at a target at once.”
What causes Calatayud to pause and reflect most in regard to this breaking news is that Dyn DNS is a DNS SaaS provider whose core job is to host and manage DNS services for its clients. “The impact and harm has a ripple effect attributed to the various clients Dyn services. As attackers evaluate their targets, and organizations run to the proverbial cloud for various reasons, it introduces interesting targets for the bad guys.”
So, what can be done? First, evaluating dependency on cloud providers remains a risk you cannot outsource, said Calatayud. “Begin to plan for situations where cyberattacks against you may never be directed at you, but rather organizations you come to rely upon.”
In the case of this attack and DNS, having a secondary DNS service operating at the same time may have mitigated the impact to organizations even when a primary provider goes down, Calatayud said. “Cloud governance becomes an element of a CISO security program.”
Will Gragido, director of advanced threat protection at Digital Guardian, agreed that DDoS attacks have become increasingly problematic over the last several years, particularly owing to the rise of botnets. “Organizations all over the world fall prey to them as do individuals,” he told SCMagazine.com on Friday. “In many instances, the underlying attack infrastructure is tied directly to botnets, a type of malicious code and content ecosystem family which the threat research and mitigation community has been attempting to mitigate globally for more than a decade.”
Further, with the advent of the internet of things, Gragido said the potential for a botmaster to expand their botnet’s size is now greater than ever before. “Increased size and diversity aids in not only allowing the botmaster to remain in business but also ensures that they are able to carry out their desired outcome when those resources are called upon to do so.”
Organizations, he added, need to consider mitigative solutions (services or point products) designed to provide protection against complex, volumetric DDoS attacks on a global basis in order to withstand such attacks.
While this particular attack may not have been motivated by extortion, a new model of ransom-based attacks – infrastructure ransom as a service (IRaaS) – could be on the horizon, motivated to pay off threats for fear of infrastructure-wide customer outages, Thomas Pore, director of IT at Plixer, told SCMagazine.com.
“An infrastructure outage, such as DNS, against a service provider impacting both the provider and customers may prompt a quick ransom payoff to avoid unwanted customer attrition or larger financial impact,” Pore said.
Should a provider come under attack, customers suffering from the extortion impact may start looking to move their services to another provider capable of mitigating the attacks, Pore said. “This prediction model could suggest a greater financial impact from customer attrition than paying off a few bitcoin to avoid the attack to begin with.”
Then what happens if these extortion attempts begin to arrive regularly? This may emerge into a new business model, with a consistent revenue stream, Pore said.
“Despite decades of facing outages due to malformed traffic and data flooding, websites remain highly vulnerable to legacy attack vectors,” Mike Ahmadi, global director – critical systems security at Synopsys, told SCMagazine on Friday. “Website providers need to constantly test their implementations with rigor in order to ensure that they can remain viable in an increasingly hostile environment.”
The avalanche of IoT devices has created an environment where software and implementation flaws can be exploited at previously unseen levels, effectively turning them into widely distributed information weapons, Ahmadi said, adding that what may have been adequate robustness in the past no longer holds true.
As with most software designs from the 1980s, security was generally not considered when creating DNS, Craig Young, security researcher at Tripwire, told SCMagazine.com. Rather, the infrastructure was originally designed for early networks like ARPANET to allow human-friendly names in place of traditional network addresses, Young pointed out. “Because the web is so dependent on this system, it becomes a very visible point of failure as is the case today with service provider Dyn. Without DNS, there is essentially no internet from the perspective of all but the most sophisticated users.”
Young hopes that service providers will take this as a cue that they need to distribute their DNS across multiple providers to avoid this as a single point of failure.
“They’re innovating,” Chase Cunningham, director of cyber operations at A10 Networks, told SCMagazine.com on Friday. “This is a new spin on an old attack, as the bad guys are finding new and innovative ways to cause further discontent.”
It was an interesting point to see that the bad guys are moving upstream for DDoS attacks on the DNS providers, instead of just on sites or applications, Cunningham said.
“Threat actors are leveraging unsecure IoT devices to launch some of history’s largest DDoS attacks,” said Cunningham. “The immediate solution is for manufacturers to eliminate the use of default or easy passwords to access and manage smart or connected devices.”
Consumer adoption will be tricky, he admitted, but this change is critical for the greater security of all. “This response will hinder many of the global botnets that are created and deployed for malicious use.”
One thing is certain, Plixer‘s Pore added, DDoS attacks are not going away anytime soon.