What’s new (and what’s not) about Friday’s DDoS

Last Friday’s denial-of-service attacks took down Netflix, Reddit, Twitter and other big internet services. You might have noticed slow-loading pages, or not being able to watch a favourite show, or even having your whole work day grind to a halt:

But a lot about this attack wasn’t new. And the big sites made a silly mistake that made it worse than it needed to be. We’ve seen a few attacks in 15 years of running a hosting company – here are a few observations on what happened, and some pointers to help you plan for an attack, either as a target or as collateral damage.

Botnets aren’t new

Many blamed the treacherous internet of things: light bulbs, security cameras and toasters which let users control them over the internet. These are often built on hugely negligent software, and such turncoat appliances become easy vehicles for attackers to commandeer. They become bots, lashed together into botnets under their owners’ noses. Each sends a trickle of junk data towards the same target. When many thousands of them are doing the same thing, the trickles become a flood as they converge on the target, taking it offline.

But Bytemark was dealing with the SQL Slammer worm in 2003, before our company was even a month old. Back then botnets were built from home PCs and internet servers, which used to be much harder to secure. As a result, software vendors got wiser and faster, and started taking security updates seriously.
Now that regular computers are more secure, attackers have picked the next lowest-hanging fruit: those internet-connected fridges and vacuum cleaners.

In the long run I agree with Doug Winter that as small devices get more capable, the software update mechanisms are likely to mature, just as they did for PCs over the last 15 years (of course it might take another 5-10 years for that to happen). One way or another, attackers are always going to find new bots.

Being the biggest isn’t new

The internet’s capacity increases with demand. So, just like traffic on a motorway that’s being widened, denial-of-service attacks will keep increasing in size if they’re going to stay effective at shutting down sites.

Cybersecurity expert and journalist Brian Krebs’ site was attacked in September with 620Gbps, an attack that claimed the crown of “biggest ever”. The next week French hosting provider OVH showed evidence of a 1000Gbps assault.

Nobody has yet put a figure to Friday’s attack, but my own experience of fending off DDoS attacks in Bytemark’s network is that attackers don’t send more traffic than necessary to do the job. So if the attacker only needs to send 1Mbps of data to take down a site, that’s all they’ll use. If they only need one type of traffic, that’s all they’ll use. I’ve seen attacks react to a successful defence strategy within minutes, increasing in volume dramatically or changing attack strategy in order to send the defenders back to the drawing board.

Even if this was the biggest the internet has seen in terms of volume, it seems pretty rash to assume that any attack represents a botnet’s full capacity. Security and cryptography expert Bruce Schneier suspects that this attack is a test run, part of someone’s reconnaissance.

Cutting off so many sites with one attack is new

Gizmodo reported that the attackers hit “a major piece of the internet backbone”. That is true, but the attack was aimed at a single company, Dyn.

Dyn provide DNS, the system that turns the name of a web site into the address that browsers actually connect to. Their client list is an impressive mix of blue-chip companies and startups. Dyn’s own report calls them “the marquee brands of the internet”. But Dyn’s DNS services went down while they coped with this traffic, and therefore so did every client that relied on Dyn alone.

Sites that didn’t use Dyn didn’t go down.

And Dyn are one of many possible DNS providers. Many sites switched their service away from Dyn and came straight back up, like the UK government:

John Nagle on Hacker News (yes, the John Nagle of Nagle’s algorithm) was keeping track of companies that ditched Dyn to get themselves back online.

Dyn are clearly experts in DDoS mitigation, as they promise. Their technical team communicated well as they coped with this attack. But Dyn’s success makes them a central point of failure for the whole internet, and that makes them a big target.

When Dyn failed, the quickest fix for their clients was simply to ditch them and move out of the firing line.

This would have been a hard attack to execute

There are lots of quick ways to take down an unprepared web site (which is most of them), but targeting DNS is not one of them. Unlike many other internet protocols, DNS has redundancy built in: a zone is served by several authoritative servers, and resolvers retry and fall back between them, so names keep working as long as any one server still answers. It also works at a lower, simpler layer of communication: a query is usually a single UDP packet, and a single packet back is all it needs.

Therefore to break DNS, an attacker must split their firepower across all of a zone’s servers at once. They need to mount a volume-based attack on each of them, so that no legitimate packets can get through to any server.

By contrast a typical web server or firewall, the computers actually serving the web site, can be brought down with a much lower volume of traffic.

So it feels like this attack was a showcase – any of Dyn’s clients could have been taken down through easier and cheaper means, but this attacker spotted the chaos they could cause by bringing Dyn down. It was meant to be noisy, and dramatic, and provoke a response.

What can you do to protect your site?

Unfortunately attackers and defenders don’t share the information necessary for you to make a useful decision here – both their revenue streams depend on secrecy and bluff 😠

What you can prepare for, if you’re in control of your infrastructure, is unexpected success: the day when your site’s popularity spikes. Because you’ve designed in performance as a feature of your site, you’ll find you’re ready to handle the more common denial-of-service attacks too (when we’re helping our clients, the symptoms can be pretty similar).

Here’s what you should think about to solve both potential problems:

  • Do better than Twitter and GitHub! Use more than one DNS provider, so that you can cut off servers that stop working for any reason.
  • Put a caching proxy such as Varnish in front of your web site: it can be configured to serve cached pages and fend off many attacks without the load ever reaching your site.
  • Make sure your site has an IPv6 address, as it often provides a separate route to your site when IPv4 is broken, at least for some of your users.
  • Ask your hosting company when they last had downtime as a result of a DDoS, and how they coped with it. Ask what they’d do for you if you were targeted.
  • Use a DDoS protection company as a last resort, not a first one. They will cope better than you (or your hosting company) could with huge attacks, but it’s clear they are magnets for abuse, and laboratories for attackers to fine-tune their technology. Steer clear until you know you need them, and pick a hosting company with experience of trouble.
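As an added example, not part of the original post and not Bytemark’s own tooling, here is a small Python script that makes two of the points above concrete: the resolver retry behaviour that means a zone only stops resolving once every one of its authoritative servers is flooded (the “hard attack to execute” section), and the “use more than one DNS provider” check from the list. The NS hostnames and the per-server packet-loss rates are constructed sample data, and the “last two labels = provider” heuristic is an assumption; a real audit would consult the public suffix list.

```python
"""Added example: not from the original post. Models the two DNS points above.

 - a resolver retries across all of a zone's authoritative servers, so a
   lookup only fails once every server is flooded;
 - a provider-diversity check for an NS set, so one provider's outage
   doesn't take the whole zone with it.

NS hostnames and loss rates are constructed sample data, not real providers.
"""
import random
from collections import defaultdict

# Constructed sample NS sets: one zone served by a single provider,
# one spread across two.
SINGLE_PROVIDER_NS = [
    "ns1.p01.example-dns.net",
    "ns2.p01.example-dns.net",
    "ns3.p01.example-dns.net",
    "ns4.p01.example-dns.net",
]
TWO_PROVIDER_NS = [
    "ns1.p01.example-dns.net",
    "ns2.p01.example-dns.net",
    "a.ns.other-dns.org",
    "b.ns.other-dns.org",
]


def registered_domain(hostname):
    """Assumed heuristic: the provider is identified by the last two labels.
    Fine for .net/.org names; a real audit would use the public suffix list."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def providers(ns_names):
    """Group a zone's NS hostnames by provider: {provider: [ns, ...]}."""
    groups = defaultdict(list)
    for ns in ns_names:
        groups[registered_domain(ns)].append(ns)
    return dict(groups)


def is_single_provider(ns_names):
    """True when every NS sits under one provider: one outage kills the zone."""
    return len(providers(ns_names)) < 2


def servers_after_outage(ns_names, failed_provider):
    """NS records still usable if `failed_provider` drops off the internet."""
    return [ns for ns in ns_names if registered_domain(ns) != failed_provider]


def lookup(ns_names, loss_rate, rng, tries_per_server=2):
    """Toy stub resolver: one UDP query per server per round, for a fixed
    number of rounds, the way real resolvers retry. `loss_rate[ns]` is the
    fraction of packets that server drops (1.0 = fully flooded). Returns
    the first server that answered, or None if nothing got through."""
    for _ in range(tries_per_server):
        for ns in ns_names:
            if rng.random() >= loss_rate.get(ns, 0.0):
                return ns
    return None


def availability(ns_names, loss_rate, trials=2000, seed=1):
    """Fraction of lookups that succeed under the given per-server loss."""
    rng = random.Random(seed)
    ok = sum(1 for _ in range(trials) if lookup(ns_names, loss_rate, rng) is not None)
    return ok / trials


if __name__ == "__main__":
    flood_all = {ns: 1.0 for ns in SINGLE_PROVIDER_NS}
    flood_half = {ns: 1.0 for ns in SINGLE_PROVIDER_NS[:2]}
    heavy_loss = {ns: 0.5 for ns in SINGLE_PROVIDER_NS}
    print("all four flooded:   ", availability(SINGLE_PROVIDER_NS, flood_all))
    print("two of four flooded:", availability(SINGLE_PROVIDER_NS, flood_half))
    print("50% loss everywhere:", availability(SINGLE_PROVIDER_NS, heavy_loss))
    for name, ns_set in (("single", SINGLE_PROVIDER_NS), ("two", TWO_PROVIDER_NS)):
        print(name, "provider zone, single point of failure:", is_single_provider(ns_set))
    print("left after example-dns.net outage:",
          servers_after_outage(TWO_PROVIDER_NS, "example-dns.net"))
```

Two things to take from running it: flooding half of the servers, or even dropping half of every server’s packets, barely dents resolution, because the resolver simply retries elsewhere, which is why an attacker has to saturate every server at once; and a zone whose NS set all resolves to one provider domain has no servers left when that provider goes down, which is the situation the single-provider sites found themselves in on Friday.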

As you might expect, if you’re using Bytemark’s cloud hosting and managed hosting services we’re in a great position to help you follow this advice 😀 But whichever way you go, if you’ve tuned for performance and know who’ll react when your site goes down, you’ll be back up a lot faster.