If you were online last Friday, chances are you encountered a slowdown across the internet as a Distributed Denial of Service (DDoS) attack was launched against Dyn, a company that manages domain registrations.

The attack, according to Dyn, enlisted “up to 100,000 malicious endpoints.” It slowed down access to many popular websites including Amazon, Twitter, Spotify, and more.

While research continues to determine who was behind the attack, Dyn says it happened across multiple vectors and internet locations. Dyn confirms a “significant volume of the attack traffic originated from Mirai-based botnets,” malware that facilitates large-scale network attacks like the one encountered last week.

Denial of service attacks typically occur when a single computer tries to consume the resources a target computing resource needs to perform its job. The malicious behaviors often seek to consume all available bandwidth, attack timing or session-based conditions, attack vulnerabilities in software that cause crashes, or consume so much processing power the target can no longer perform its function.

DDoS attacks enlist tens, hundreds, thousands, even millions or billions of devices as attackers. The advent of the Internet of Things (IoT), together with existing low-security devices like VoIP phones, printers, DVRs, home routers, and other IP-connected devices, creates a rich environment for unknowing targets to join the “bot army.”

Since DNS is part of the core infrastructure that makes the internet work the way we use it today, attacks like the Dyn DNS DDoS impact the entire internet.

A DDoS attack doesn’t just make it difficult to resolve a website’s hostname (the reason you may have timed out trying to access sites during the attack). Today’s applications dynamically load content from third-party sites using DNS to locate resources. This may include third-party JavaScript, resource lookups, ad networks, or other capabilities that can impact a web application’s functionality.

Mobile apps consume APIs that use DNS to communicate with web services. Many security protections prohibit direct IP connections because this is frequently a sign of an attack. Direct IP connections also lock in specific IP communication in an ever-changing IP system. When DNS fails, there is often no way to communicate.

DNS DDoS attacks primarily work in two ways (although there are others):

DNS Amplification

DDoS attackers can spoof a requesting IP for DNS resolution, which then results in a flood of responses directed to the intended target server. Although the target server never requested a lookup, it suddenly has to deal with a large volume of responses. To further amplify the attack, requests can use DNS protocol extensions or Domain Name System Security Extensions (DNSSEC) to increase the message size. That makes it even more difficult for the target to process the request.

DNS Flood

DDoS attackers use scripts to automate large numbers of queries to exhaust server resources. Since these are User Datagram Protocol (UDP) packets, they are easily spoofed and never need to rely on a response to consume the DNS server resources.

An alternate form of this attack is the NXDOMAIN attack, which intentionally creates malformed requests or requests for nonexistent resources. This makes the DNS server spend computing cycles on lookups that may never resolve or it fills the cache with bad data, preventing legitimate lookups.
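
As an added example (not from the original post or any vendor's product), here is defender-side detection logic for the amplification and NXDOMAIN patterns described above, run over constructed resolver log records. The log format, thresholds, and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records: client_ip qname qtype query_bytes response_bytes rcode
SAMPLE_LOG = """\
198.51.100.7 example.org ANY 64 3200 NOERROR
198.51.100.7 example.org ANY 64 3180 NOERROR
198.51.100.7 example.org DNSKEY 70 2900 NOERROR
192.0.2.10 www.example.com A 60 76 NOERROR
192.0.2.10 mail.example.com A 61 77 NOERROR
192.0.2.11 k3j9x.shop.example A 66 120 NXDOMAIN
192.0.2.12 q8w2z.shop.example A 66 120 NXDOMAIN
192.0.2.13 zz41p.shop.example A 66 120 NXDOMAIN
192.0.2.14 www.shop.example A 64 80 NOERROR
"""

def parse(log):
    """Turn whitespace-separated lines into dicts, skipping malformed ones."""
    records = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6 or not (parts[3].isdigit() and parts[4].isdigit()):
            continue
        ip, qname, qtype, qlen, rlen, rcode = parts
        records.append({"ip": ip, "qname": qname.lower().rstrip("."), "qtype": qtype,
                        "qlen": int(qlen), "rlen": int(rlen), "rcode": rcode})
    return records

def amplification_suspects(records, min_ratio=10.0, min_queries=3):
    """Sources whose responses dwarf their queries: likely spoofed victim addresses."""
    sent, recv, count = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in records:
        sent[r["ip"]] += r["qlen"]
        recv[r["ip"]] += r["rlen"]
        count[r["ip"]] += 1
    return {ip: round(recv[ip] / sent[ip], 1) for ip in sent
            if count[ip] >= min_queries and sent[ip] > 0 and recv[ip] / sent[ip] >= min_ratio}

def nxdomain_suspects(records, min_ratio=0.7, min_queries=4):
    """Zones where most lookups are NXDOMAIN: returns (nx_count, distinct_names)."""
    total, nx, names = defaultdict(int), defaultdict(int), defaultdict(set)
    for r in records:
        zone = ".".join(r["qname"].split(".")[-2:])  # naive zone cut: last two labels
        total[zone] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[zone] += 1
            names[zone].add(r["qname"])
    return {z: (nx[z], len(names[z])) for z in total
            if total[z] >= min_queries and nx[z] / total[z] >= min_ratio}
```

On real traffic the thresholds need tuning against a baseline, and the zone cut should use a public-suffix list rather than the last two labels.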

It is currently unknown which technique attackers used in the recent Dyn DNS attack, but the Mirai malware that created DDoS bots in the recent attack against Brian Krebs (a security journalist and blogger) was likely involved in some of the hosts in this attack. This further showcases the need for enhanced IoT security because these devices are typically not designed for security and are frequently not updated when vulnerabilities are discovered.

So what can you do to protect your network? F5 Networks has robust DDoS protections:

  • Local Traffic Manager (LTM) and Advanced Firewall Manager (AFM) provide robust layer 3 and layer 4 protections
  • F5 DNS, previously known as Global Traffic Manager (GTM), can help mitigate DNS-based DDoS attacks by providing greater flexibility in request forwarding and caching, and is several times faster than a BIND server
  • Application Security Manager (ASM) can help with layer 7 attacks
  • The new F5 Hybrid DDoS Defender integrates with F5’s Silverline Content Delivery Network (CDN) scrubbing service to offload local DDoS conditions to the F5 Silverline cloud, where a larger set of resources and purpose-built protections can help mitigate. Silverline can also be used as a standalone solution.

GuidePoint has several F5 Certified Technology Specialists available to help your team secure your environment from potential DDoS attacks. Our team can help you maximize your install’s potential and secure your resources.

For more information about F5’s BIG-IP DNS solution, check out our previous blog.

Other hardware solutions are available from Radware, Arbor Networks, A10, Fortinet and others. They have comprehensive solutions for your organization’s data center as well.

DDoS is one of the primary use cases for cloud-based inline protections like Incapsula, Silverline, Akamai, Cloudflare, and others. GuidePoint Security’s technology professionals have extensive experience in DDoS attack prevention and CDN solutions.

If you’re a GuidePoint client and have questions about CDN solutions and how we can help, please reach out directly to your representative or email us at info@guidepointsecurity.com.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.