The east coast of the US was under siege on Friday morning from a large-scale distributed denial of service (DDoS) attack that brought down more than a dozen prominent websites, including Twitter, Spotify, Netflix, GitHub, Amazon and Reddit.
The initial attack, which was followed later in the day by at least two more waves of attack, also impacted Australian sites such as AAMI, ANZ, Woolworths and the Sydney Morning Herald.
The global attack against Dyn DNS shuttered a number of widely used sites. Most had returned to normal by noon, although Amazon said it was weakened by a "hostname" issue.
It wasn't clear whether that glitch was related to the DDoS attack that hit internet performance management company Dyn, which also offers domain registration services and email products.
The global denial-of-service attack on Dyn's “Managed DNS” infrastructure was so impactful because it went after a basic piece of internet architecture that ties all those sites together: the domain name system, or DNS, which translates human-readable names such as amazon.com into the IP addresses of the companies' actual web servers. When a site's authoritative name servers cannot answer, browsers cannot find the site, even though the site's own web servers may be perfectly healthy.
"Because DNS is vital to every person, business and website across the entire internet for system stability and performance, online businesses commonly outsource DNS management to third-party providers who have better and more reliable infrastructures to operate on behalf of their customers," said Jeremiah Grossman, chief of security strategy at end-point protection vendor SentinelOne.
Historically, Grossman said, this has worked to everyone's benefit. "However, what we're now seeing is that in light of the way the infrastructure works in the security landscape, they are attractive targets for large-scale DDoS attacks – because if you take out one of these DNS service providers, you can disrupt a large number of popular online services, which is exactly what we're seeing today."
Given the drastic increase lately in the size and scope of DDoS attacks, Grossman said, DNS providers are scrambling to increase bandwidth capacity to withstand the latest attacks. That's why we have these providers, he said: they absorb that cost so that the rest of us who use them don't have to.
Digital performance monitoring company Dynatrace released a statement outlining impacts to Australian websites, including Coles, the Daily Telegraph, Ticketmaster and Westpac.
Dave Anderson, data expert at Dynatrace, said: "While not as severe as the US, Australian sites were definitely experiencing performance problems as a result of the DDoS attacks overnight.
"Of the sites we've monitored, we can see that the average DNS connect time spiked to about eight seconds, when normally it would average three milliseconds. It also looks like Australia was impacted by all three of the US attacks," said Anderson.
"While it's a bit unlucky for these Australian sites to have been hit, it's a wake-up call for everyone with an online presence. You're on 24 hours a day and these performance issues will be part of the daily digital life ongoing."
Effective attack vector
"This is a reminder of how effective an attack on one can be an effective attack on many," Intel Security CTO Steve Grobman said on Friday.
"DNS is one of those internet infrastructure capabilities upon which we all rely. An attacker seeking to disrupt services to multiple websites may be successful simply by hitting one service provider such as this, a DNS provider, or providers of multiple other internet infrastructure mechanisms."
It's also a reminder of the risk of relying on multi-tenant service providers, be they DNS providers or any of the many other managed cloud service providers, Grobman added.
"Delegating service capabilities to such multi-tenant service providers has tremendous benefits over traditional architectures where you're responsible for running your own capabilities," Grobman said. "But it also means that if those services are targeted with attacks of significant scale, all tenant services relying on a provider could be impacted."
Given how much of our connected world must increasingly rely upon such cloud service providers, we should expect more such disruptions, Grobman said. "We must place a premium on service providers that can present backup, failover and enhanced security capabilities allowing them to sustain and deflect such attacks."
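The single-provider dependence Grobman describes is something a site owner can check for themselves: if every authoritative name server for a zone belongs to one provider, an outage at that provider takes the zone with it. The script below is an added example, not code from the article or from any vendor quoted in it. It parses the text that `dig +short NS <zone>` prints (the sample output, hostnames and zone names here are constructed for illustration, not captured from real queries) and groups name servers by a provider label taken from the last two labels of each hostname. That grouping heuristic is an assumption of the example; it will mis-group hostnames under suffixes such as co.uk.

```python
"""Flag zones whose authoritative DNS is delegated to a single provider.

Added example (not from the article). Input is the text output of
`dig +short NS <zone>`; sample output below is constructed, not real.
Provider label = last two labels of the name-server hostname (an assumed
heuristic that does not handle multi-part public suffixes such as co.uk).
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample: what `dig +short NS` might print for three zones.
SAMPLE_DIG_OUTPUT = {
    "example-single.test": (
        "ns1.p21.dynect.net.\n"
        "ns2.p21.dynect.net.\n"
        "ns3.p21.dynect.net.\n"
        "ns4.p21.dynect.net.\n"
    ),
    "example-dual.test": (
        "ns1.p21.dynect.net.\n"
        "ns2.p21.dynect.net.\n"
        "a.ns.provider-b.test.\n"
        "b.ns.provider-b.test.\n"
    ),
    # No answer at all, e.g. the resolver timed out during an attack.
    "example-empty.test": "",
}


def parse_ns_records(dig_output: str) -> List[str]:
    """Return name-server hostnames from `dig +short NS` output, normalised."""
    hosts = []
    for line in dig_output.splitlines():
        line = line.strip().rstrip(".").lower()
        if line and not line.startswith(";"):  # skip dig comment lines
            hosts.append(line)
    return hosts


def provider_of(ns_host: str) -> str:
    """Heuristic provider label: the last two labels of the hostname."""
    labels = ns_host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ns_host


def providers_for(ns_hosts: List[str]) -> Dict[str, List[str]]:
    """Group name-server hostnames by their provider label."""
    by_provider = defaultdict(list)
    for host in ns_hosts:
        by_provider[provider_of(host)].append(host)
    return dict(by_provider)


def single_provider_zones(dig_outputs: Dict[str, str]) -> Dict[str, str]:
    """Map each zone delegated to exactly one provider to that provider label.

    Zones with no NS records at all are reported as "<no NS records>",
    since an empty answer is also a total failure, not a safe state.
    """
    findings = {}
    for zone, output in dig_outputs.items():
        groups = providers_for(parse_ns_records(output))
        if not groups:
            findings[zone] = "<no NS records>"
        elif len(groups) == 1:
            findings[zone] = next(iter(groups))
    return findings


if __name__ == "__main__":
    for zone, provider in single_provider_zones(SAMPLE_DIG_OUTPUT).items():
        print(f"{zone}: all authoritative name servers under {provider}")
```

In practice you would feed the function real `dig` output for your own zones, and the fix for a flagged zone is to delegate it to name servers at two independent providers (both listed at the registrar and in the zone's NS set), keeping the zone data synchronised between them.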
Steve McGregory, senior director of application and threat intelligence at Ixia, said: "As these types of attacks continue to grow in size, frequency and complexity, we must ask ourselves, how can companies prepare for attacks of this astounding new scope and size?"
One solution he offered was that companies must test their defences against these attacks before they happen. "The size of these DDoS attacks has increased by exponential amounts due to the availability of IoT botnets, which are easily used to attack security cameras, routers, and other connected devices."
The availability of these services and large-scale botnets-for-hire makes it relatively easy to launch an attack that can even disrupt the operations of large, robust public websites that are designed to handle high traffic volumes, McGregory said.
“Organisations can mitigate the impact of these attacks by reducing their attack surface – blocking web traffic from the large numbers of IP addresses that are known to be bot-infected, or are known sources of malware and DoS attacks," he stated. "Using an appliance specifically for line-speed IP address filtering can deliver this protection by simply eliminating the malicious traffic, helping to keep resources running.”
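The filtering McGregory describes is normally done in a dedicated appliance or in the kernel (for example an ipset-backed firewall rule), but the logic is simple enough to show in software. The following is an added example, not code from the article or from Ixia: it compiles a blocklist of IPv4 and IPv6 prefixes (constructed here, standing in for a reputation feed) and applies it to constructed access-log lines, classifying each request as blocked or allowed. It fails closed on a source address it cannot parse, so a malformed field cannot become a bypass.

```python
"""Drop requests from known-bad source addresses before they reach the app.

Added example (not from the article or Ixia). The blocklist prefixes and
the log lines are constructed; addresses come from the RFC 5737/3849
documentation ranges so nothing here refers to a real host.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed blocklist in the CIDR form a reputation feed would deliver.
BLOCKLIST_CIDRS = [
    "198.51.100.0/24",    # a whole block reported as bot-infected
    "203.0.113.7/32",     # a single known DoS source
    "2001:db8:bad::/48",  # an IPv6 prefix
]

# Constructed access-log lines in Common Log Format; the first field is the client.
SAMPLE_LOG = """\
198.51.100.42 - - [21/Oct/2016:11:10:01 +0000] "GET / HTTP/1.1" 200 512
192.0.2.10 - - [21/Oct/2016:11:10:02 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [21/Oct/2016:11:10:02 +0000] "GET / HTTP/1.1" 200 512
2001:db8:bad:1::9 - - [21/Oct/2016:11:10:03 +0000] "GET /api HTTP/1.1" 200 64
not-an-ip - - [21/Oct/2016:11:10:04 +0000] "GET / HTTP/1.1" 400 0
"""

Blocklist = Dict[int, List[ipaddress._BaseNetwork]]


def compile_blocklist(cidrs: List[str]) -> Blocklist:
    """Parse CIDR strings once, split by IP version so lookups only
    compare an address against networks of the same family."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return {
        4: [n for n in nets if n.version == 4],
        6: [n for n in nets if n.version == 6],
    }


def is_blocked(client: str, blocklist: Blocklist) -> bool:
    """True if the client address falls inside any blocklisted prefix.
    An unparseable address is treated as blocked (fail closed)."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return True
    return any(addr in net for net in blocklist[addr.version])


def filter_log(log_text: str, blocklist: Blocklist) -> Tuple[List[str], List[str]]:
    """Split log lines into (allowed, blocked) by their client address."""
    allowed, blocked = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client = line.split(" ", 1)[0]
        (blocked if is_blocked(client, blocklist) else allowed).append(line)
    return allowed, blocked


if __name__ == "__main__":
    ok, dropped = filter_log(SAMPLE_LOG, compile_blocklist(BLOCKLIST_CIDRS))
    print(f"allowed {len(ok)}, blocked {len(dropped)}")
    for line in dropped:
        print("BLOCK", line.split(" ", 1)[0])
```

The linear scan over the prefix list is fine for a demonstration; line-speed filtering of a large feed uses a longest-prefix-match structure or a kernel set such as ipset. Reputation feeds also carry false positives (shared NAT addresses, recently reassigned ranges), so blocked requests should be logged and the feed refreshed regularly rather than applied once and forgotten.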