DNS provider Dyn was knocked offline for much of the day, causing disruption to several well-known SaaS applications and internet sites, including Amazon, Twitter, GitHub and The Boston Globe. The company later that day confirmed that the cause was a large DDoS attack, and that it was an internet of things (IoT) attack using the newly-discovered Mirai botnet.
The Imperva Incapsula product team has years of experience dealing with bots and DDoS attacks. Below is a summary of our relevant research and measurement.
We have been watching the growth of IoT botnets – what we call “the botnet of things (BoT)” since 2015, and were among the first to publish studies of botnets using home routers and CCTV cameras:
SOHO router botnet https://www.incapsula.com/blog/ddos-botnet-soho-router.html
CCTV botnet https://www.incapsula.com/blog/cctv-ddos-botnet-back-yard.html
After the source code for the new Mirai botnet was released, our security team conducted a full analysis, including the location of the bots worldwide, types of attacks, and details on the malware code itself.
https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
Regarding the Dyn attack, here are comments from some of our team:
“The attack on Dyn is what is known as a Name Server DDoS attack, where attackers focus on the name servers to prevent web addresses from resolving. These can be accomplished using what are known as DNS floods against servers or by attacking the network infrastructure of DNS service providers. The attack is akin to cutting off the telephone network before an invasion to prevent communication.”
— Igal Zeifman, security evangelist at Imperva for the Incapsula product line.
“DNS infrastructure is a key component of making the internet work, and the large DNS providers have invested heavily in protecting their systems from such attacks. However, with the significant increase in attack sizes over the past 18 months, which now often surpassing bursts of half a Terabit per second, many infrastructure and SaaS providers are looking to beef up their overall capacity and DDoS mitigation measures.”
— Marc Gaffan, vice president and GM at Imperva for the Incapsula product line
“Imagine if all the street signs in the U.S. suddenly vanished. Those who know where they are going are fine – the roads (routes) are still there. Those who need signs to navigate by are lost and unable to reach their destination. If you know the TCP/IP address of the server you are trying to reach (e.g., 1.2.3.4) then you are fine; if you need to look up the TCP/IP address of randomsite.com, then you are unable to reach your destination.”
— Marc Gaffan, vice president and GM at Imperva for the Incapsula product line
DDoS educational assets:
1) The DDoS Underground video – explains attacks for the layperson http://embed.vidyard.com/share/TuyocDYeqvskTpWE7CNfxv
2) The Underground Bot Economy – explains how botnets work and who is behind them https://www.incapsula.com/blog/how-bots-impact-global-economy.html
FAQ on the Dyn Attack
- What was the attack?
- The attack on Dyn is what is known as a Name Server DDoS attack, where attackers focus on the name servers to prevent web addresses from resolving. These can be accomplished using what are known as DNS floods against servers or by attacking the network infrastructure of DNS service providers. The attack is akin to cutting off the telephone network before an invasion to prevent communication. For more information on Name Server DDoS attacks, please see https://www.incapsula.com/ddos/attack-glossary/dns-flood.html
- In relative terms, how large is this attack?
- We don’t know the exact size of the attack since we don’t protect Dyn. But given the size of Dyn’s network, we would estimate this in the large to very large range.
- What does such an attack expose about the vulnerability of the Internet and ISPs?
- The openness of the internet makes it vulnerable. The initial design intent was to create lookup servers that were accessible to anyone who wanted to find the address of a site or network. Attackers learned that they could flood these servers with traffic and make them unavailable, essentially cutting off access to sites listed in those servers. ISPs and other infrastructure services need to harden their DNS servers and make sure they have redundant servers or services for just these types of attack scenarios.
- Does it represent an on-going trend to attack key pieces of Internet infrastructure?
- Attacks on DNS servers are not a new. The most common, called “DNS floods,” have been around for years. We wrote about a similar attack on UltraDNS in 2014 https://www.incapsula.com/blog/massive-dns-ddos-flood.html
FAQ on Bots
- What is an internet bot?
- An internet bot is an application that’s designed to automatically perform a specific task on a website. The tasks are often relatively simple and usually repetitive. Bots are often programmed to perform these repetitive tasks at very high rates of speed.
- What are bots used for?
- Because of their ability to rapidly repeat a specific task, bots are used to do things at a scale that humans can’t or simply don’t want to do. Bots come in two varieties: Good and bad, with a few falling somewhere in between the two categories. Good bots are the bots that make the internet run. Bad bots are often used for devious purposes by mimicking human behavior.
- How common are bots?
- Internet bots are surprisingly common. In fact, the latest research says bots make up half of all internet activity. The internet as we know it wouldn’t function without bots. But there are an enormous number of bots that are up to no good. The latest research says that bad bots are 50% more common than good bots, and that bad bots make up almost 30% of all internet traffic.
- What are some examples of “good” bots?
- Good bots keep the internet running. The most common good bots are used to crawl the internet to index it. These good bots include the likes of bots from Google, Bing and Baidu that are used to index sites and make search engines run accurately. Other bots are used to keep sports scores and weather information updated. Some good bots are used to check that a site is up and running, or hasn’t slowed down because of overload.
- What are some of the “bad” bots?
- There are a wide variety of bad bots—most of which are designed to do something malicious. Scraping bots crawl websites just like good bots, but they are stealing information that ranges from original content to pricing to repost it somewhere else on the internet. Spam and email bots try to collect and post personal information without permission. Zombie bots try to take over PCs to use those machines as soldiers in spreading and controlling, even more, bots. Impersonator bots attempt to pollute the internet with fake social media posts. Spy bots are out to survey vulnerabilities in websites in order exploit them later. Other bots exist for the sole purpose of bringing a website down—these distributed denial of service or “DDoS” bots number in the millions and are controlled by networks of criminals.
- How can you tell: Bot or not?
- Fortunately, there is technology that can detect bots and then separate the good from the bad. You can tell a lot about a bot based on the neighborhood (or IP address) it comes from. The bot detection technology can also challenge a bot with simple tests that can separate human browsers from automated bots. The bot detection technology can also measure the order and frequency of a bot’s requests and look at browsing behavior to further separate human from machine, and good from bad.
- Can bad bots be controlled or eliminated?
- The same technology that’s used to detect bots often can limit a good or bad bot’s activity or to even eliminate a bad bot’s ability to get to onto a website in the first place.
[su_box title=”About Imperva” style=”noise” box_color=”#336588″][short_info id=’60217′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.