The Dyn DNS DDoS Attack, and What to Do About It

In October 2016, Dyn, a major internet DNS service provider, was attacked. Here’s more about it, and how to protect your network against similar attacks.

Key takeaways

This key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.

The article explains the October 21, 2016 DDoS attack on Dyn, where a Mirai-based IoT botnet flooded Dyn’s DNS servers with bogus requests, causing major Internet sites to become unreachable. It outlines why DNS is an attractive target—its trusting design from the 1980s, ease of embedding data via DNS tunneling, and general lack of monitoring by enterprises—leading to operational outages, data exfiltration risks, and invisible malicious activity. The piece recommends monitoring DNS query logs to gain visibility, detect tunneling and DDoS patterns, enforce security policies at DNS, and leverage existing DNS infrastructure (Adaptive DNS) to mitigate attacks and improve network safety.

How did the Mirai botnet make the Dyn DDoS attack possible and why were IoT devices involved?

The Mirai botnet compromised a large number of Internet of Things (IoT) devices by exploiting default passwords on popular devices and turning them into bots controlled by a command-and-control system. These non-traditional Internet-connected devices often lack traditional protections like client firewalls or anti-virus agents, making them easy to compromise. Once enlisted, the bots simultaneously sent massive volumes of invalid DNS queries to Dyn’s DNS servers, overwhelming their capacity and rendering the service unavailable to legitimate users.

Why is DNS particularly vulnerable to attacks such as DDoS and data exfiltration?

DNS was designed in the 1980s to be a fast, trusting protocol that responds to name-to-IP mapping requests, assuming queries are legitimate; that design makes it susceptible to resource-exhaustion attacks like floods of invalid or malformed requests. DNS also allows data to be embedded in queries—DNS tunneling—so attackers can compress and split sensitive data into query chunks and reconstruct it on a compromised server outside the network. Additionally, DNS is often treated as unmonitored infrastructure, and BlueCat research shows less than half of enterprises log DNS traffic, making misuse and attacks easier to hide.

What practical steps does the article recommend to protect networks against DNS-based threats?

The article recommends actively monitoring DNS query logs to gain visibility into all devices and their behavior, which enables detection of tunneling (patterns of rapid, large queries), DDoS attacks (massive traffic spikes from many clients), and malicious insider activity. It also advises adding security policies at the DNS layer to identify and block misuse, and emphasizes that DNS is an enforcement point and source of visibility already present in most networks. Finally, it suggests leveraging Adaptive DNS capabilities to better mitigate attacks and improve enterprise security.

The Dyn Attack Explained

On October 21, 2016, Dyn, a major internet Domain Name System (DNS) service provider, was attacked. This attack used a massive network of “bots” to flood Dyn’s DNS servers with bogus requests. This attack, known as a Distributed Denial of Service (DDoS) attack, rendered Dyn’s DNS servers unavailable for an extended period. This meant that many of Dyn’s customers, including a lot of well-known Internet sites such as Amazon, HBO, Twitter, Starbucks, Spotify, and CNN, could not be reached by their customers.

DDoS Dyn DNS using an IoT botnet

Perhaps the most interesting thing about this denial of service attack is that it was driven by compromising non-traditional internet-connected devices. You’ve undoubtedly heard about the “Internet of Things”, which is really just a catch-all for devices that connect to and use the Internet to function, but don’t use a traditional operating system to do so. This is a problem for security teams, because such devices aren’t easily protected by traditional security technologies like client firewalls or anti-virus agents. The attackers deployed a “Mirai botnet” to attack Dyn. Mirai is a relatively simple piece of malware that uses default passwords for popular IoT devices to access them and turn them into bots that will execute instructions from a command and control system. In this case, the attackers had the bots send invalid queries to Dyn’s DNS servers, all at once, to overload those systems and deny service to legitimate requesters.

How does DNS fit in?

Unfortunately, attacks against DNS are gaining popularity, for a number of reasons. Firstly, DNS is inherently a trusting protocol. DNS is designed to quickly respond to requests to map a familiar domain name, like bluecatnetworks.com, into an IP address, which systems use to establish communications. In essence, DNS is the phone book for the internet – put in a name and DNS will return the right number. But when DNS was designed back in the 1980s, security was not a major concern, so it was assumed that all DNS queries would be legitimate, and that DNS should do its best to answer them all. What that means today is that DNS is vulnerable to all kinds of attacks that can drain resources from the servers that provide this valuable service. Invalid queries, floods of malformed requests, and other methods can be used to exhaust these systems and cause outages.

Secondly, it’s relatively simple to embed data in DNS queries (this is called DNS tunneling). This can be used to exfiltrate data from inside a company’s network to a bad actor outside. If an attacker wants to transmit a spreadsheet full of credit card information, they can easily compress the file, split it into small chunks, and insert those chunks into DNS queries directed to a compromised DNS server. On the server side, they simply reconstruct the file from the pieces and voilà – they have the credit card information.

Finally, DNS is an attractive attack target because it is largely unmonitored. Most security and infrastructure teams consider DNS to be just internet infrastructure – “plumbing” – it serves its purpose quietly and well, so why bother watching it? In fact, according to BlueCat’s research, less than half of enterprise organizations log DNS traffic, and even fewer proactively use the data. So why not use DNS for nefarious purposes?

How to Protect your Network

What should we do about it? The easy answer is to start actually looking at the data. Simply monitoring DNS query logs gives you visibility into everything on your network, and what those things are actually doing while they’re connected. With that visibility, you can spot a large number of potential DNS attacks or misuses. What about DNS tunneling to exfiltrate data? It becomes clear when you see a pattern of queries in rapid succession with a large query size. What about identifying DDoS attacks? Those are easy to see when a large number of clients show a massive spike in traffic that’s outside the expectations for those devices. Malicious insiders trying to access resources they shouldn’t? Also simple to identify and block by adding security policies on top of your DNS servers.
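As an added example (not BlueCat’s code and not part of the original post), here is a small Python analyser that applies the two detection patterns described above, rapid large queries for tunneling and a traffic spike from many clients for DDoS, to a constructed sample of BIND-style query-log lines; the thresholds, client addresses and domain names are all assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in BIND query-log format; every address and name is made up.
NORMAL = ["21-Oct-2016 11:10:00.000 client 10.0.0.5#51234: query: www.bluecatnetworks.com IN A",
          "21-Oct-2016 11:10:00.300 client 10.0.0.5#51235: query: mail.bluecatnetworks.com IN MX"]
# Tunneling-like burst: one host sends long hex-looking labels in rapid succession.
TUNNEL = [f"21-Oct-2016 11:10:01.{i:03d} client 10.0.0.7#4000{i}: query: "
          f"{i * 2654435761:032x}.{i}.exfil-example.test IN TXT" for i in range(8)]
# Flood-like burst: 60 distinct clients hit the server inside one second.
FLOOD = [f"21-Oct-2016 11:10:05.{i:03d} client 192.0.2.{i}#5353: query: bogus{i}.example.net IN A"
         for i in range(60)]
SAMPLE_LOG = "\n".join(NORMAL + TUNNEL + FLOOD)
LINE_RE = re.compile(r"^(\S+ \S+) client ([\d.]+)#\d+: query: (\S+) IN (\S+)$")

def parse_log(text):
    """Return a list of (timestamp, client_ip, qname, qtype) for every line that matches."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            records.append((ts, m.group(2), m.group(3), m.group(4)))
    return records

def find_tunneling_clients(records, min_queries=5, min_avg_qname_len=40, max_span_s=10):
    """Flag clients whose queries are both unusually long and packed into a short time span."""
    by_client = defaultdict(list)
    for ts, client, qname, _ in records:
        by_client[client].append((ts, qname))
    flagged = []
    for client, items in by_client.items():
        times, names = zip(*items)
        span = (max(times) - min(times)).total_seconds()
        if (len(items) >= min_queries and span <= max_span_s
                and sum(map(len, names)) / len(names) >= min_avg_qname_len):
            flagged.append(client)
    return flagged

def detect_query_flood(records, window_s=1.0, max_queries=20, min_clients=10):
    """Return (window_start, query_count, distinct_clients) for windows that look like a flood."""
    t0 = min(ts for ts, *_ in records)
    windows = defaultdict(lambda: [0, set()])
    for ts, client, *_ in records:
        idx = int((ts - t0).total_seconds() // window_s)
        windows[idx][0] += 1
        windows[idx][1].add(client)
    return [(t0 + timedelta(seconds=idx * window_s), n, len(clients))
            for idx, (n, clients) in sorted(windows.items())
            if n > max_queries and len(clients) >= min_clients]
```

On the sample, only 10.0.0.7 trips the tunneling heuristic and only the 11:10:05 window trips the flood heuristic; the 10.0.0.5 lookups stay quiet, which is the baseline the thresholds should be tuned against in a real deployment.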

DNS is a foundational service that’s used by just about every device that connects to a network. It’s an ideal source of visibility into what’s really going on within an infrastructure, an enforcement point for your security policies, and a means to mitigate attacks against your network. And the best part is that you already have the DNS infrastructure in place! You just need to pay attention to it and use it in ways that you may not have considered before. BlueCat can help you unlock the power of Adaptive DNS and make your enterprise a safer place.

For more information on the cyber attack against Dyn, watch Andrew Wertkin, CTO at BlueCat, as he speaks with CBC’s Michael Serapio in Toronto regarding the implications of the cyberattack – and how your own device could have contributed to the mass outage.

BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.