The Dyn Attack Explained
On October 21, 2016, Dyn, a major internet Domain Name System (DNS) service provider, was attacked. The attack used a massive network of “bots” to flood Dyn’s DNS servers with bogus requests. This kind of attack, known as a Distributed Denial of Service (DDoS) attack, rendered Dyn’s DNS servers unavailable for an extended period. As a result, many of Dyn’s customers, including well-known Internet sites such as Amazon, HBO, Twitter, Starbucks, Spotify, and CNN, could not be reached by their own customers.
DDoS on Dyn’s DNS using an IoT botnet
Perhaps the most interesting thing about this denial of service attack is that it was driven by compromising non-traditional internet-connected devices. You’ve undoubtedly heard about the “Internet of Things”, which is really just a catch-all term for devices that connect to and use the Internet to function but don’t run a traditional operating system to do so. This is a problem for security teams, because such devices aren’t easily protected by traditional security technologies like client firewalls or anti-virus agents. The attackers deployed a “Mirai botnet” to attack Dyn. Mirai is a relatively simple piece of malware that uses the default passwords of popular IoT devices to access them and turn them into bots that execute instructions from a command and control system. In this case, the bots were instructed to send invalid queries to Dyn’s DNS servers, all at once, to overload those systems and deny service to legitimate requesters.
How does DNS fit in?
Unfortunately, attacks against DNS are gaining popularity, for a number of reasons. Firstly, DNS is inherently a trusting protocol. DNS is designed to respond quickly to requests to map a familiar domain name, like bluecatnetworks.com, into an IP address, which systems use to establish communications. In essence, DNS is the phone book for the internet – put in a name and DNS will return the right number. But when DNS was designed back in the 1980s, security was not a major concern, so it was assumed that all DNS queries would be legitimate and that DNS should do its best to answer them all. What that means today is that DNS is vulnerable to all kinds of attacks that can drain resources from the servers that provide this valuable service. Invalid queries, floods of malformed requests, and other methods can be used to exhaust these systems and cause outages.
Secondly, it’s relatively simple to embed data in DNS queries (this is called DNS tunneling). This can be used to exfiltrate data from inside a company’s network to a bad actor outside. If an attacker wants to transmit a spreadsheet full of credit card information, they can easily compress the file, split it into small chunks, and insert those chunks into DNS queries directed at a DNS server they control. On the server side, they simply reconstruct the file from the pieces and voilà – they have the credit card information.
Finally, DNS is an attractive attack target because it is largely unmonitored. Most security and infrastructure teams consider DNS to be just internet infrastructure – “plumbing” – it serves its purpose quietly and well, so why bother watching it? In fact, according to BlueCat’s research, less than half of enterprise organizations log DNS traffic, and even fewer proactively use the data. So why not use DNS for nefarious purposes?
How to Protect your Network
What should we do about it? The easy answer is to start actually looking at the data. Simply monitoring DNS query logs gives you visibility into everything on your network, and what those things are actually doing while they’re connected. With that visibility, you can spot a large number of potential DNS attacks or misuses. What about DNS tunneling to exfiltrate data? It becomes clear when you see a pattern of queries in rapid succession with a large query size. What about identifying DDoS attacks? Those are easy to see when a large number of clients show a massive spike in traffic that’s outside the expectations for those devices. Malicious insiders trying to access resources they shouldn’t? Also simple to identify and block by adding security policies on top of your DNS servers.
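The two patterns the paragraph above says stand out in DNS query logs (a rapid burst of unusually large queries from one client, and many clients spiking at once) can be checked with a few lines of log analysis. The example below is added here and is not BlueCat’s code; the log format (`<epoch_seconds> <client_ip> <qname>`), the sample lines and the thresholds are constructed assumptions.

```python
"""Added example: heuristics for the two DNS-log patterns described above.

Log format ("<epoch_seconds> <client_ip> <qname>"), sample lines and
thresholds are constructed assumptions, not BlueCat product logic.
"""
from collections import defaultdict
from statistics import mean

TUNNEL_MIN_BURST = 3       # queries from one client within one second
TUNNEL_MIN_QNAME_LEN = 48  # mean query-name length that looks like packed data
FLOOD_QPS_PER_CLIENT = 10  # per-client one-second rate far above normal
FLOOD_MIN_CLIENTS = 10     # "distributed": many clients spiking at once

# Constructed sample log: ordinary lookups, a tunneling-like burst of
# 44-character "packed" labels, and 30 clients each sending 20 queries
# in the same second.
TUNNEL_LABELS = ["4a6f" * 11, "3132" * 11, "5465" * 11]
LOG_LINES = [
    "1477051200 10.0.0.5 www.bluecatnetworks.com",
    "1477051203 10.0.0.5 mail.bluecatnetworks.com",
] + [f"1477051200 10.0.0.9 {lbl}.t.example" for lbl in TUNNEL_LABELS] + [
    f"1477051210 10.0.1.{c} dyn.example" for c in range(1, 31) for _ in range(20)
]

def parse(lines):
    """Group query names by (client, second); malformed lines are skipped."""
    buckets = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        ts, client, qname = parts
        buckets[(client, int(ts))].append(qname)
    return buckets

def find_tunneling(lines):
    """Clients showing a one-second burst of long query names."""
    hits = set()
    for (client, _), names in parse(lines).items():
        if len(names) >= TUNNEL_MIN_BURST and mean(map(len, names)) >= TUNNEL_MIN_QNAME_LEN:
            hits.add(client)
    return sorted(hits)

def find_flood(lines):
    """Return (is_ddos, spiking_clients) for the busiest single second."""
    per_second = defaultdict(set)
    for (client, ts), names in parse(lines).items():
        if len(names) >= FLOOD_QPS_PER_CLIENT:
            per_second[ts].add(client)
    worst = max(per_second.values(), key=len, default=set())
    return len(worst) >= FLOOD_MIN_CLIENTS, sorted(worst)

if __name__ == "__main__":
    print("tunneling suspects:", find_tunneling(LOG_LINES))
    print("distributed flood:", find_flood(LOG_LINES))
```

Real deployments would baseline each client’s normal rate and query size before setting thresholds; the constants here only illustrate the shape of the check.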
DNS is a foundational service that’s used by just about every device that connects to a network. It’s an ideal source of visibility into what’s really going on within an infrastructure, an enforcement point for your security policies, and a means to mitigate attacks against your network. And the best part is that you already have the DNS infrastructure in place! You just need to pay attention to it and use it in ways that you may not have considered before. BlueCat can help you unlock the power of Adaptive DNS and make your enterprise a safer place.
For more information on the cyber attack against Dyn, watch Andrew Wertkin, CTO at BlueCat, as he speaks with CBC’s Michael Serapio in Toronto regarding the implications of the cyberattack – and how your own device could have contributed to the mass outage.