Skip to content

500 Days Later : A Retrospective on the 2016 Dyn DDoS Attacks

Synopsis

NimbusDDOS takes a look back at the 2016 Dyn DDoS attacks, and using DNS data reveals that many high-profile organizations are still at risk
  • 32% of Nasdaq 100 companies have DNS configurations that would be susceptible to an event like the 2016 Dyn DDoS attacks.
  • Only 9% of Nasdaq 100 companies have implemented a multi-vendor anycast DNS infrastructure.

Background

On October 21st 2016, the Internet saw one of the most devastating DDoS attacks ever observed, targeting the DNS provider Dyn. As a large DNS provider, Dyn provides hostname to IP address mapping for many high-profile online businesses including at the time Netflix, Amazon, Reddit, Twitter, and countless others. The impact of the attack was so significant that it resulted in a formal response from the White House, and an investigation by the US Department of Homeland Security. The criminal investigation has yet to identify any alleged attackers, but various hacktivist groups including Anonymous, SpainSquad, and New World Hackers have claimed responsibility. Many of the details of the attack are still not publicly available, but details provided by Dyn indicated a massively distributed attack using a Mirai-style Internet of Things (IoT) botnet. The massive volume of TCP and UDP traffic targeting Dyn was enough to cause a global outage of their infrastructure, resulting in outages for all Dyn customers reliant on their infrastructure.

But why was this attack so devastating?

The simplistic answer is to point to Dyn's size as a leading DNS vendor, and conclude that any outage would naturally have widespread impact. Although true, the real answer is a bit more nuanced and relates more to the consolidation of the global DNS infrastructure and the overconfidence in those large vendors. Dyn provides a world-class DNS service, with a highly redundant, globally distributed, BGP anycast infrastructure. Over the last 15 years this high quality of service and perception as a bullet-proof DNS vendor attracted high-profile customers to Dyn and a handful of their competitors, concentrating the global DNS infrastructure. The remarkable performance and reliability of the platform allowed many customers to become overconfident, and ignore proper 2N design principles. When Dyn was attacked, customers who failed to have a redundant DNS infrastructure simply went offline.

Methodology

In early February 2018, NimbusDDOS undertook a survey of DNS configurations for the domain names associated with the Nasdaq 100 companies, and the Alexa US 50 list of most heavily visited websites. This survey attempted to discover the following configuration markers, and use them to estimate the number of at-risk organizations:
  • BGP anycast vendor count : BGP anycast is a routing method in which a single IP address can exist in multiple geographic locations. In highly resilient infrastructures, this is instrumental in distributing load geographically to scale capacity and mitigate against DDoS attacks. For counting purposes, each nameserver with a unique autonomous system (AS) that could be detected as using anycast was counted as a vendor. To determine anycast vs unicast, NimbusDDOS used a simple analysis of packet round trip times (RTT) from various geographic locations looking for inconsistencies that would exclude unicast. For instance if the RTT from a test node in Austin, TX is 2ms, and the RTT from a test node in London, UK is also 2ms, then unicast is excluded as no single geography could satisfy both RTT tests. Note that this testing method was also able to determine the number of anycast locations, but was excluded from the dataset to simplify the analysis. Further study in this area may provide additional granularity to the risk model.
  • Unicast location count : For nameservers that did not use anycast, the geographic location was determined using RTT estimation methods. Each unique geographic location was counted to get a rough estimate of how globally distributed the DNS infrastructure might be.
  • Self-Hosted architectures : Environments that appeared to be self-hosted by the organization were marked as such. This determination was made based upon whether the AS of the nameserver matched that of the company being surveyed.
Armed with the above data points, NimbusDDOS then sorted the configurations based upon common design approaches. Then each categorization was given a relative risk ranking based upon the following assumptions:
  • Assume that unicast configurations are more susceptible to DDoS attacks than anycast
  • Assume that more vendors increase resilience to DDoS attacks
  • Assume that self-hosted configurations are less resilient than those of an ISP or a vendor specializing in DNS services
This yielded the following risk categories (from highest to lowest risk):
  • Unicast-only & Self-Hosted : Typically organizations that run their own DNS servers located within their own data centers
  • Unicast-only : Typically organizations that have outsourced DNS operation to their upstream ISP(s)
  • Unicast & Single Anycast Vendor : Often a transition state for organizations implementing a dedicated DNS vendor
  • Single Anycast Vendor : Highly resilient to DDoS attacks, but lacking vendor diversity. These are the configurations that experienced outages during the Dyn attacks.
  • Multiple Anycast : The "gold standard" of reliability and resilience to DDoS attacks.

Results

Description Nasdaq 100 Alexa 50 US
Total Domains: 102 (100%) 50 (100%)
Self Hosted: 24 (24%) 13 (26%)
Unicast-only 42 (41%) 4 (8%)
Unicast-only & self hosted: 19 (19%) 2 (4%)
Unicast-only & self hosted locations > 2 7 (7%) 1 (2%)
Unicast-only & self hosted locations = 2 6 (6%) 1 (2%)
Unicast-only & self hosted locations = 1 6 (6%) 0 (0%)
Mix of unicast and anycast 18 (18%) 8 (16%)
Single anycast vendor 33 (32%) 19 (38%)
Multiple anycast vendors 9 (9%) 19 (38%)
Contain bad delegation 3 (3%) 0 (0%)

Observations

  • 32% of the Nasdaq 100 businesses and 38% of the Alexa 50 US organizations had DNS configurations analogous to those that were impacted during the 2016 Dyn attack.
  • 38% of the Alexa 50 US domains utilized multiple DNS anycast vendors, whereas only 9% of the Nasdaq 100 businesses did so.
  • 19% of the Nasdaq 100 businesses utilized a high-risk self-hosted unicast-only design.
  • Only 8% of the Alexa 50 US domains utilized a unicast-only DNS architecture.
  • Three of the businesses in the Nasdaq 100 had significant DNS delegation errors that could adversely effect performance during both normal operation and a DDoS attack.

Conclusions

The DNS survey performed by NimbusDDOS indicates that a substantial number of the Nasdaq 100 companies and the Alexa US top 50 sites have DNS configurations similar to those impacted by the 2016 Dyn DDoS attacks. These organizations may be susceptible to a large DDoS attack targeting the infrastructure of their sole DNS vendor. Although these large DNS vendors are highly resilient to outage, the 2016 Dyn DDoS attacks proved that even large vendors may be impacted by a large attack. Companies seeking to maximize their resilience to attack should confirm that proper vendor redundancy and diversity practices are followed for all critical outsourced services.

About NimbusDDOS

NimbusDDOS is the industry leader in vendor neutral DDoS preparedness services. Our extensive portfolio of DDoS testing, reconnaissance, training, and certification services allows companies to be proactive in their DDoS defenses. To speak with a DDoS expert call 800.674.DDOS or visit https://www.nimbusddos.com/