According to Dyn, on October 21, 2016 a DDoS attack began at 7:00 a.m. (EDT) and was resolved by 9:20 a.m. However, a second attack was reported at 11:52 a.m. and Internet users began reporting difficulties accessing websites. A third attack began in the afternoon, after 4:00 p.m. At 6:11 p.m., Dyn reported that they had resolved the issue. New waves of attacks continue. Millions of domains and their associated services (websites, inbound/outbound email, VOIP/SIP services, and much more) were affected, such as Airbnb, Amazon.com, Netflix, Verizon Communications, Comcast, Fox, HBO, and more (see the full list below).
This attack is unique in that it hit a new all-time traffic high of 620 Gbps (gigabits per second). Prior attacks were more in the 500 Gbps range, but how many companies have even a 1 gigabit Internet connection, much less 620 Gbps? The traffic alone would have halted operations at nearly every Fortune 500 in America if they were the target of such an attack. Then there’s the immense pressure that handling so many requests puts on the clusters of servers at the receiving end.
Compound that with frustrated users resubmitting their Internet inquiries, hoping to get their web browser to resolve the website they are trying to visit. At some point, the attack feeds itself. Another unique factor in this attack is that Internet of Things (IoT) devices, including Internet-facing cameras, home routers, baby monitors and more, made up the tens of millions of IP addresses that were infected, connected to a Mirai-based bot network, and then used to attack Dyn’s network of servers.
In early October 2016, the source code for the Mirai bot network had been released to the public, which will make finding the perpetrator more difficult and attacks like this more common. Mirai not only facilitated this attack, it also brute-forces IoT devices in its spare time in order to break into and subvert the millions of devices on the Internet which are poorly guarded, rarely patched, and easy to commandeer with their often default or easy-to-guess passwords. And there are a LOT of IoT devices out there: https://thingful.net/ and a lot of companies working on creating even more IoT devices: http://mattturck.com/wp-content/uploads/2016/03/Internet-of-Things-2016.png
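A defender-side sketch of spotting the credential-guessing behavior described above, added here as an example that is not part of the original article: it scans device login logs for a source that cycles through several usernames in a short burst, then reports any device where that source subsequently logged in. The log format, thresholds, and function names are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical log format (not from any real device).
SAMPLE_LOG = """\
2016-10-21T07:00:01 camera-01 login failed user=root src=203.0.113.7
2016-10-21T07:00:02 camera-01 login failed user=admin src=203.0.113.7
2016-10-21T07:00:03 camera-01 login failed user=support src=203.0.113.7
2016-10-21T07:00:04 camera-01 login failed user=guest src=203.0.113.7
2016-10-21T07:00:05 camera-01 login failed user=admin src=203.0.113.7
2016-10-21T07:00:06 camera-01 login ok user=admin src=203.0.113.7
2016-10-21T07:10:00 router-01 login failed user=alice src=198.51.100.20
2016-10-21T07:10:09 router-01 login failed user=alice src=198.51.100.20
2016-10-21T07:10:20 router-01 login ok user=alice src=198.51.100.20
2016-10-21T07:11:00 router-01 firmware check: up to date
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(log_text):
    """Return login events as sorted (time, device, result, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that are not login events are skipped
            events.append((datetime.fromisoformat(m["ts"]), m["device"],
                           m["result"], m["user"], m["src"]))
    return sorted(events)

def detect(log_text, window=timedelta(seconds=60), min_failures=5, min_users=3):
    """Map each guessing source to the devices it later logged in to."""
    failures = defaultdict(list)  # src -> [(time, user)] inside the window
    flagged = {}                  # src -> devices with a success after a burst
    for ts, device, result, user, src in parse(log_text):
        if result == "failed":
            recent = [(t, u) for t, u in failures[src] if ts - t <= window]
            recent.append((ts, user))
            failures[src] = recent
            users = {u for _, u in recent}
            if len(recent) >= min_failures and len(users) >= min_users:
                flagged.setdefault(src, set())
        elif src in flagged:
            flagged[src].add(device)  # guessed its way in: treat as compromised
    return flagged
```

A device listed in the result should be isolated, factory-reset, and given a non-default password before it goes back on the network.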
The real story isn’t the glamorous titans of industry who were taken down in this attack. I think I can live a few hours without Netflix or Twitter; heck, I might even enjoy it. But what about EVERYONE ELSE? Millions of domains I didn’t list were in this tsunami-sized path of digital destruction and their businesses got CRUSHED. Hackers will always go after your weakest link. Your servers can’t scale to 1 billion connections? You’re down! It’s a 620 Gbps (6,200 Mbps) attack and you have a 100 Mbps circuit to the Internet? You’re down! Your DNS is hosted by you (gasp) or by someone who either doesn’t have anycast networking or doesn’t ALSO have a DDoS shield on top of that? You’re down! At dinCloud we know that you are only UP if EVERY SINGLE PIECE of the end-to-end architecture is SOLID. We’re fanatical about keeping you online. Is your current provider? How do you know? Can you even tour their datacenter? Talk to a knowledgeable certified engineer who built their backbones & datacenters? I doubt it. And yet DESPITE THE RISK almost every CIO reading this figures “oh they only go after the big guys, our company isn’t famous enough or big enough to get on any hacker’s radar”. Ah, think again. It’s your job on the line and the life of the business that all your coworkers depend on. Why not spend < $5,000 a month and KNOW you’ll survive? It’s a matter of time before your company is either attacked or just “collateral damage” in someone else’s vendetta. Think about it.
Who is Dyn?
2001: Dyn.com was founded and built its HQ in Manchester, NH, USA with EMEA HQ in Brighton, UK and AsiaPac HQ in Singapore. Dyn was created as a community-led student project by Jeremy Hitchcock, Tom Daly, Tim Wilde and Chris Reinhardt during their undergraduate studies at Worcester Polytechnic Institute. Originally, Dyn enabled students to access lab computers and print documents remotely. The project then moved towards domain name system (DNS) services. The first iteration was a free dynamic DNS service known as DynDNS. The project required $25,000 to stay open, and raised over $40,000. The donation-based model continued until a premium service called the DynECT Platform became available in 2008.
2008: Premium DNS service DynECT launches.
2011: Dyn opened an office in London, UK – it eventually moved its EMEA headquarters to Brighton, UK. It was also in 2011 that Dyn opened its new Manchester, NH headquarters.
2012: Dyn completed a Series A round of venture capital funding totaling US$ 38 million from North Bridge Venture Partners. Prior to the investment from North Bridge, the company had been self-funded.
2013: Dyn launched its annual geek summer camp event, a business conference for the Internet performance industry.
2014: Dyn announced the discontinuation of its free hostname services effective May 7. In September 2014, Dyn launched Dyn Internet Intelligence, a SaaS-based product.
2016: In May, Dyn completed a Series B round of growth equity funding totaling US$ 50 million from Pamplona Capital Management. Dyn also launched its Platform for Internet Performance Management. By October, Dyn announced the appointment of Colin Doherty as the company’s Chief Executive Officer. Doherty joined Dyn after 10 years of holding CEO positions at software-defined networking (SDN) leader BTI Systems and DDoS & Security solutions provider Arbor Networks.
Continue to read about how we can help deal with DDoS in our other article, Dealing with DNS in the Era of DDoS.
Some of the notable domains affected include: Airbnb, Amazon.com, Ancestry.com, The A.V. Club, BBC, The Boston Globe, Box, Business Insider, CNN, Comcast, CrunchBase, DirecTV, The Elder Scrolls Online, Electronic Arts, Etsy, FiveThirtyEight, Fox News, The Guardian, GitHub, Grubhub, HBO, Heroku, HostGator, iHeartRadio, Imgur, Indiegogo, National Hockey League, Netflix, The New York Times, Okta, Overstock.com, PayPal, Pinterest, Pixlr, PlayStation Network, PingIdentity, Qualtrics, Quora, Reddit, Ruby Lane, RuneScape, SaneBox, Seamless, Shopify, Slack, SoundCloud, Squarespace, Spotify, Starbucks, Storify, Tumblr, Twilio, Twitter, Verizon Communications, Visa, Vox Media, Walgreens, The Wall Street Journal, Wikia, Wired, Wix.com, Yammer, Yelp, and Zillow.