How Friday’s Massive DDoS Attack on the U.S. Happened

October 23, 2016 — by Daniel Smith


On the morning of October 21st Dyn began to suffer from a denial of service (DoS) attack that interrupted their Managed DNS network. As a result, hundreds of thousands of websites became unreachable to most of the world including Amazon’s EC2 instances. This problem intensified later in the day when the attackers launched a second round of attacks against Dyn’s DNS system. Dyn’s mitigation of the attack can be viewed on RIPE’s website where a video illustrates the BGP switches.

Amazon status update from Dyn outage

Domain Name Servers (DNS) are like the phone books or roadmaps of the internet. These services maintain a directory of domain names and their corresponding IP addresses. It’s easier for humans to remember a domain name than an IP address, so when a user types Radware.com into their browser they are actually directed to 91.240.147.21.

Researchers have long warned about the risk created by the vast majority of internet clients centralizing on a handful of DNS providers. Compounding this problem, a large number of internet clients use a single DNS provider for both their primary and secondary DNS. When DynDNS came under attack, those that did not use redundant DNS services found their service unavailable and their users unable to reach their websites.

This is not the first time a DNS service provider has been targeted. On May 16th NS1’s Managed DNS network fell victim to a similar attack. Over the course of that week, NS1 sustained multiple DDoS attacks ranging from simple volumetric floods to malicious direct DNS queries and malformed packets. The attack traffic was reported to consist of broadly sourced queries for real customer domains and variations on them, which made detection and mitigation much more difficult.


A DNS flood is a UDP flood in which an attacker targets one or more DNS resolvers. DNS floods are a symmetrical attack that attempts to exhaust a server’s resources, memory or CPU, with floods of UDP requests. The attacker sends crafted UDP traffic for name resolution. By sending a massive number of requests to the targeted DNS server, an attacker can consume the service’s resources, resulting in service degradation for legitimate requests.

These attacks are not aimed at the customers on the network but at the DNS provider itself. Attackers attempt to exhaust network resources by flooding the DNS provider with junk DNS queries. DNS servers are the roadmap of the internet and help users find the websites they are looking for; when an attacker ties up all of a DNS server’s resources, legitimate clients are unable to get their requests resolved.
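To make the "real customer domains and variations" pattern concrete, here is an added detection example (not code from the original post or from Radware): it parses a constructed BIND-style query log and flags a zone when nearly every queried name is unique and the queries arrive from many different sources, which is how a random-subdomain flood looks against legitimate repeat lookups. The log lines, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed BIND-style query log (not real Dyn traffic): a few repeated
# lookups for radware.com, then a burst of never-repeated names under
# example.com sent from many different sources.
SAMPLE_LOG = """\
21-Oct-2016 11:10:01.001 client 198.51.100.7#5353: query: www.radware.com IN A
21-Oct-2016 11:10:01.004 client 198.51.100.8#5353: query: www.radware.com IN A
21-Oct-2016 11:10:01.009 client 198.51.100.7#5353: query: www.radware.com IN AAAA
21-Oct-2016 11:10:01.010 client 203.0.113.11#4400: query: k3x9q.example.com IN A
21-Oct-2016 11:10:01.011 client 203.0.113.12#4401: query: zz7fa.example.com IN A
21-Oct-2016 11:10:01.012 client 203.0.113.13#4402: query: p0m2w.example.com IN A
21-Oct-2016 11:10:01.013 client 203.0.113.14#4403: query: aq81c.example.com IN A
21-Oct-2016 11:10:01.014 client 203.0.113.15#4404: query: h7yt3.example.com IN A
21-Oct-2016 11:10:01.015 client 203.0.113.16#4405: query: ns0dk.example.com IN A
"""

LINE_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def zone_of(qname, depth=2):
    """Collapse a query name to its last `depth` labels, e.g. example.com."""
    return ".".join(qname.rstrip(".").lower().split(".")[-depth:])


def analyze(log_text, unique_ratio=0.8, min_queries=5):
    """Per zone: query count, share of never-repeated names, distinct sources,
    and a 'suspicious' flag when almost every name is unique (constructed thresholds)."""
    per_zone = defaultdict(lambda: {"queries": 0, "names": set(), "sources": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not query records
        stats = per_zone[zone_of(m["qname"])]
        stats["queries"] += 1
        stats["names"].add(m["qname"].lower())
        stats["sources"].add(m["src"])
    report = {}
    for zone, s in per_zone.items():
        ratio = len(s["names"]) / s["queries"]
        report[zone] = {
            "queries": s["queries"],
            "unique_ratio": round(ratio, 2),
            "sources": len(s["sources"]),
            "suspicious": s["queries"] >= min_queries and ratio >= unique_ratio,
        }
    return report
```

A resolver operator would run this over a sliding time window rather than a whole file, and tune `unique_ratio` against normal traffic for each zone before acting on the flag.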

DNS service providers see a massive amount of traffic every day and can easily handle multiple 20-60 Gbps attacks at a time. When attack traffic grows beyond 600 Gbps the neighborhood starts to shake, resulting in resource exhaustion that leads to service degradation. Attacks over 1 Tbps pose an even bigger threat. These attacks are so large that some parts of the network infrastructure can’t handle the traffic and end up null-routing the target to prevent further outages. Internet of Things (IoT) botnets are leading the way into this new unmitigated territory.

Behind these massive DDoS attacks are infected IoT devices. Both Flashpoint and Level3 were able to identify and confirm that some of the infrastructure used in the denial of service attack against Dyn DNS was made up of botnets associated with the Mirai malware. The Mirai botnet rose to fame during the attacks on Brian Krebs and OVH earlier this month, where attack sizes reached a record-breaking 1.1 Tbps. Shortly after those attacks, a user on HackForums, Anna_Senpai, released the source code for the Mirai botnet. Since then a number of attackers have modified and deployed the botnet for themselves. At the moment, Radware has not been able to locate the Mirai botnet for rent, but a quick glance at Darknet marketplaces turns up a number of other botnets for rent.


PayPal switches DNS during the Dyn Attack

Mirai and a number of other malware variants targeting IoT devices are leveraging default passwords to infect these devices. Attackers are scanning the internet looking for devices that ship with default credentials that are easily brute-forced. Attackers can quickly enlist over 100,000 devices in just a day due to aggressive scanning, resulting in massive botnets that are always online.


EA Support announces issues related to DynDNS

Attackers are attempting to destabilize the internet by targeting DNS providers, CDNs and other network infrastructure. At the moment it’s unclear who is actually behind the attacks, but one thing is clear: internet clients need to practice better DNS management and egress filtering of port 53.

Many have already speculated on who is behind the attack, ranging from Russia and China to Anonymous and Anna_Senpai. With the elections quickly approaching, most are leaning towards the Russians, but this does not fit the pattern of a nation-state attack. The attack doesn’t fit the MO of Anonymous either. Normally Anonymous announces campaigns ahead of time, giving them a chance to publish their target list and coordinate attacks. Anonymous only opportunistically claimed credit for this attack between the first and second wave, citing payback for Julian Assange’s internet outage.

It’s expected that this attacker will continue to test the limits on DNS and the internet infrastructure until the industry addresses and resolves these vulnerabilities related to DNS and IoT security.

Internet clients could have avoided the outage on October 21st if they had used a second provider for their secondary DNS. Internet clients need to take the time to instill DNS management best practices and actively filter port 53 egress traffic.
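The redundancy advice above (and the single-provider problem described earlier) reduces to a check any zone owner can run: take the zone’s NS records (for example from `dig NS <zone>`) and confirm they are not all served by one provider. This is an added audit example, not code from the post or from Radware; the zone names, nameserver hostnames and the tiny second-level-suffix table are constructed for the example.

```python
# Constructed NS record sets for two hypothetical zones (not real records).
# The first keeps primary and secondary DNS with one provider, the pattern
# that went dark on October 21st; the second splits them across two.
ZONES = {
    "single-provider.example": [
        "ns1.p01.dynhost.example", "ns2.p01.dynhost.example", "ns3.p01.dynhost.example",
    ],
    "dual-provider.example": [
        "ns1.p01.dynhost.example", "ns2.p01.dynhost.example",
        "ns-a.otherdns.example", "ns-b.otherdns.example",
    ],
}

# Minimal stand-in for a public-suffix list so that ns1.foo.co.uk is
# attributed to foo.co.uk rather than co.uk (constructed, not exhaustive).
SECOND_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def provider_of(ns_host):
    """Map a nameserver hostname to the registrable domain that operates it."""
    labels = ns_host.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def audit(ns_hosts, min_providers=2):
    """Group the zone's nameservers by provider and report whether the zone
    would survive the loss of any single provider's whole network."""
    by_provider = {}
    for host in ns_hosts:
        by_provider.setdefault(provider_of(host), []).append(host)
    return {
        "providers": sorted(by_provider),
        "per_provider": {p: len(h) for p, h in by_provider.items()},
        "redundant": len(by_provider) >= min_providers,
    }


def audit_all(zones):
    """Run the audit over every zone and return only the ones at risk."""
    return [zone for zone, ns in zones.items() if not audit(ns)["redundant"]]
```

Nameservers under two different hostnames can still sit in the same provider network, so a complete audit also checks that the providers' addresses fall in different autonomous systems.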


Daniel Smith

Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network- and application-based vulnerabilities. Daniel’s research focuses on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware develop signatures and mitigate attacks proactively for its customers.

6 comments


  • Bryan L

    October 24, 2016 at 9:36 pm

    Would this attack have been as bad if there were Radware equipment in place?

    • Eric Henderson

      October 26, 2016 at 3:34 pm

      Bryan, no, I don’t believe it would have been nearly as bad.

      The key takeaway here is traditional approaches to DDoS protection were rendered useless against this new evolution of attacks last Friday. The release of Mirai malware marks a new era in DDoS attack technology, and as the attack technology is changing, then so must the defense.

      Whether using stateful devices with rate-based mitigation or manually black-holing IP addresses, these traditional tactics simply will not work against IoT botnets. Radware’s DefensePro is unique in that it monitors traffic behavior, creates a baseline and then mitigates malicious traffic by identifying anomalies deviating from the previously defined traffic patterns.

  • Larry R

    October 25, 2016 at 1:03 am

    There are a couple of issues with this.
    1. ISPs control many of the DNS settings for their clients.
    2. If these are home or small business users, most of them have basic routers in place, not firewalls, and they do not even know how to adjust settings on those firewalls.

    • Daniel Smith

      October 26, 2016 at 3:41 pm

      These are great points, Larry.
