It’s apparently possible that a DDoS attack can be big enough to break the internet — or, as shown in the attack against ISP Dyn, at least break large parts of it.
The DDoS attack against Dyn that began Friday went far past taking down Dyn’s servers. Beyond the big-name outages, organizations could not access important corporate applications or perform critical business operations.
[ An InfoWorld exclusive: Go inside a security operations center. | Discover how to secure your systems with InfoWorld’s Security Report newsletter. ]
As one of the largest ISPs in the world, Dyn going offline took down a significant chunk of the DNS, the internet’s address directory. DNS lets users connect to websites and online services around the world using easy-to-remember addresses instead of the server’s numeric IP designation. Thus, when the servers are unavailable, internet users cannot access any of those belonging to organizations that are Dyn customers.
“Imagine all the street signs of your city suddenly goes blank. No one knows where to go,” said Marc Gaffan, general manager of Imperva Incapsula.
With DDoS attacks, the tendency is to focus on organizations directly affected. Thus, when hacktivists target financial services or gaming sites, the victims are those trying to access those applications. The information is intact, albeit temporarily unavailable.
With Dyn, however, the target was core internet infrastructure, which means any organization that relies on Dyn or works with a service provider dependent on Dyn is affected.
Attack on data availability
Information security has three core elements: confidentiality, integrity, and availability. While the focus tends to fall on keeping information safe and ensuring no one tampers with the data, the attack shows that “availability is just as important as the other two elements of information security,” said Justin Harvey, a security consultant to Gigamon, a network traffic monitoring company.
Sure, it’s a bad day for Dyn, trying to beat back the large volume of junk traffic pummeling its datacenter — as of Friday afternoon, the company was seeing a third wave of attacks — and it’s frustrating that users couldn’t get to the New York Times, Twitter, Pandora, Reddit, Pinterest, and so on.
But consider the plight of the IT administrator who has to explain to the rest of the organization certain corporate applications are unavailable because Okta, the service that handles authentication for those applications, is affected by the outage. Or the marketing teams that couldn’t do anything about the empty Twitter widgets on their sites.
Imagine the consternation at an e-commerce company when the Shopify apps aren’t working. Perhaps service representatives had to field complaints from customers who were unable to complete their purchases because the Shopify-powered shopping carts weren’t available or the entire storefront was loading slowly. The manager was unable to pull weekly sales reports from the dashboard, which would affect business decisions.
“It’s a network administrator’s nightmare. Everything is working just fine, but no one can find you,” Gaffan said.
All IT could do is sit and wait
When the attack is against core internet infrastructure like DNS, the collateral damage is huge. But as is usually the case with indirect victims, there isn’t much they could have done differently. With the growth in size, sophistication, and frequency of DDoS attacks, network administrators have been adding anti-DDoS defenses to their infrastructure. In this case, none of those measures would have helped (other than Dyn, and it’s a solid bet it had made significant investments in this area already) because the attack traffic didn’t hit their networks at all. Enterprises relying on SaaS apps had no choice but to sit and wait and hope their providers got back online as soon as possible.
From the SaaS providers’ perspective, their options are limited, since again, the attack is happening upstream. However, they may have been able to reduce the impact somewhat if they had multiple DNS providers.
Dyn’s domino effect
DNS works as a hierarchy. Servers query a DNS server for information regarding an address. If the server doesn’t know, the query gets passed on to a server higher in the chain and so forth until finally reaching the authoritative name server. Organizations frequently select name servers in different datacenters; if one datacenter becomes unavailable for whatever reason, the other one would seamlessly pick up the traffic. Dyn’s problems initially affected the East Coast of the United States, but the issues appeared to impact other areas throughout the course of the attack. Failing over to a different DNS provider gives organizations options, Imperva Incapsula’s Gaffan.
In every hierarchy, there is eventually a limit to how high you can go. Dyn is one of the largest ISPs, which means many smaller providers eventually feed into Dyn’s infrastructure. When attacks hit this high, there aren’t many alternate players to consider.
Organizations that had set a longer duration for the DNS record’s Time to Live (TTL) could have possibly seen less impact from Dyn’s outage than those with shorter cache periods. With a longer TTL, the various servers would have saved the DNS information locally and avoided going all the way to the authoritative name server for each query. DNS records with 24 hours TTL, for example, would have been cached for most of the attack and been available to users. Of course, there is a downside from having an overly lengthy TTL — administrators still have to figure out what makes the most sense for their networks.
DDoS attacks are no longer minor inconveniences, nor are they solely used by unsophisticated adversaries. As attackers harness botnets made of IoT devices or launch amplification attacks using NTP and other network protocols, these attacks will get bigger and more damaging. Experts have long warned that DNS is vulnerable to attack and needs better security. There must be a change in how DDoS attacks are viewed and an effort to solve the availability problem — it’s very likely attackers are going to use this tactic again in another assault on another day.