In October 2016 there was a significant distributed denial-of-service (DDoS) attack which took down Netflix, Reddit, Twitter and other big internet services. People noticed slow-loading pages, not being able to watch a favourite show, or even having their whole work day grind to a halt:
The whole internet is down, so I guess I'm calling a snow day 😭 no email, hangouts, calendar, flaky twitter.
— ashe dryden (@ashedryden) October 21, 2016
But a lot about this attack wasn’t new. And the big sites made a silly mistake that made it worse than it needed to be. We’ve seen a few attacks in 16 years of running a hosting company – here are a few observations and pointers to help you plan for an attack, either as a target or as collateral damage.
Here are a few things we noticed that weren’t new, and some that were, about the large-scale 2016 attack:
Botnets aren’t new
Many blamed the treacherous internet of things: light bulbs, security cameras and toasters which let users control them over the internet. These are often built on hugely negligent software. These turncoat appliances become easy vehicles for attackers to commandeer. They become bots, lashed together into botnets under their owners’ noses. Each sends a trickle of junk data towards the same target. When many thousands of them are doing the same thing, the trickles become a flood as they converge on the target, taking it offline.
But Bytemark was dealing with the SQL Slammer worm in 2003 before our company was even a month old. Botnets were built from home PCs and internet servers which used to be much harder to secure. As a result, software vendors got wiser, faster, and started taking security updates seriously.
Now that regular computers are more secure, attackers picked the next lowest-hanging fruit – those internet-connected fridges and vacuum cleaners.
In the long run, I agree with Doug Winter that as small devices get more capable, the software update mechanisms are likely to mature, just as they did for PCs over the last 15 years (of course it might take another 5-10 years for that to happen). One way or another, attackers are always going to find new bots.
Being the biggest isn’t new
The internet’s capacity increases with demand. So just like traffic on a motorway that’s being widened, denial-of-service attacks will also keep increasing in size if they’re going to be effective in shutting down sites.
Cybersecurity expert and journalist Brian Krebs’ site was attacked in September 2016 with 620Gbps – an attack that claimed the crown of “biggest ever”. The next week French hosting provider OVH showed evidence of a 1000Gbps assault.
The October 2016 attack has since been reported as 1.2Tbps, making it the new “biggest ever”. But, it still seems pretty rash to assume that any attack represents a botnet’s full capacity. Security and cryptography expert Bruce Schneier suspects that this attack was a test run, part of someone’s reconnaissance.
My own experience of fending off DDoS attacks in Bytemark’s network is that attackers don’t send more traffic than necessary to do the job. So if the attacker only needs to send 1Mbps of data to take down a site, that’s all they’ll use. If they only need one type of traffic, that’s all they’ll use. I’ve seen attacks react to a successful defence strategy within minutes, increasing in volume dramatically or changing attack strategy in order to send the defenders back to the drawing board.
Cutting off so many sites with one attack was new
Gizmodo reported that the attackers attacked “a major piece of the internet backbone”. That is true, but it was only against one company, Dyn.
Dyn provide DNS – the protocol that provides names for web sites. Their client list is an impressive mix of blue-chip companies and startups. Dyn’s own report calls them “the marquee brands of the internet”. But Dyn’s DNS services went down while they coped with this traffic, and therefore so did all their clients.
Sites that didn’t use Dyn didn’t go down.
And Dyn are one of many possible DNS providers. Many sites switched their service away from Dyn and came straight back up, like the UK government:
GOV.UK is now back online (we’ve moved from Dyn to another DNS provider). We’re helping other services to do the same.
— GDS (@GDSTeam) October 21, 2016
Dyn are clearly experts in DDoS mitigation, as they promise. Their technical team communicated well as they coped with this attack. But Dyn’s success makes them a central point of failure for the whole internet, and that makes them a big target.
Their failure made Dyn’s clients ditch them in favour of just moving out of the firing line.
This would have been a hard attack to execute
There are lots of quick ways to take down an unprepared website (which is most of them), but targeting DNS is not one of them. Unlike other internet protocols, DNS has built-in redundancy. It uses multiple servers, and multiple connection attempts to make sure that names work the way we expect. It works at a lower, simpler layer of communication – often one packet back & forth is all that it needs to work.
Therefore to break DNS, an attacker must split their firepower against multiple servers at once. They need to mount a volume-based attack so that no legitimate packets can get through to any server.
By contrast, a typical web server or firewall, the computers actually serving the website, can be brought down with a much lower volume of traffic.
So it feels like this attack was a showcase – any of Dyn’s clients could have been taken down through easier and cheaper means, but this attacker spotted the chaos they could cause by bringing Dyn down. It was meant to be noisy, and dramatic, and provoke a response.
What can you do to protect your site?
Unfortunately, attackers and defenders don’t share the information necessary for you to make a useful decision here – both their revenue streams depend on secrecy and bluff 😠
What you can prepare for – if you’re in control of your infrastructure – is unexpected success. That’s the day when your site’s popularity spikes, and because you’ve designed in performance as a feature of your site, you’ll find you’re ready to handle the more common denial-of-service attacks too. [when we’re helping our clients, the symptoms can be pretty similar]
Here’s what you should think about to solve both potential problems:
- Do better than Twitter and Github! Use more than one DNS provider so that you can cut off servers that stop working for any reason.
- Install varnish in front of your website because it can be configured to fend off many attacks without impacting your site.
- Make sure your site has an IPv6 address, as it often provides a separate route to your site when IPv4 is broken, at least for some of your users.
- Ask your hosting company when they last had downtime as a result of a DDoS, and how they coped with the situation. Ask what they’d do for you if you were targeted.
- Use a DDoS protection company as a last resort, not first. They will cope better than you (or your hosting company) could with huge attacks, but it’s clear they are magnets for abuse, and laboratories for attackers to fine-tune their technology. Stay clear until you know you need them, and pick a hosting company with experience of trouble.
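One way to check the first point in the list above, as an added example that is not from the original article: the script reads a zone's NS records in `dig` answer format, groups the nameservers by the domain that operates them, and reports how many would still answer if the largest operator went dark. The zone and nameserver names are constructed, and grouping by the last labels of the hostname is an assumption standing in for the full Public Suffix List.

```python
from collections import defaultdict

# Assumption: a tiny stand-in for the Public Suffix List, which a real audit should use.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}

# Constructed sample input, in `dig +noall +answer NS <zone>` format.
SINGLE_PROVIDER = """\
shop.example. 86400 IN NS ns1.p01.dns-a.example.
shop.example. 86400 IN NS ns2.p01.dns-a.example.
shop.example. 86400 IN NS ns3.p01.dns-a.example.
shop.example. 86400 IN NS ns4.p01.dns-a.example.
"""
TWO_PROVIDERS = """\
shop.example. 86400 IN NS ns1.p01.dns-a.example.
shop.example. 86400 IN NS ns2.p01.dns-a.example.
shop.example. 86400 IN NS ns1.dns-b.example.
shop.example. 86400 IN NS ns2.dns-b.example.
"""

def parse_ns(dig_answer):
    """Return the NS target hostnames found in dig answer-section text."""
    targets = []
    for line in dig_answer.splitlines():
        fields = line.split()  # name, TTL, class, type, rdata
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            targets.append(fields[4].rstrip(".").lower())
    return targets

def operator(hostname):
    """Approximate the operating domain: the registrable part of the hostname."""
    labels = hostname.rstrip(".").lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def audit(dig_answer):
    """Group nameservers by operator and model the loss of the largest one."""
    by_operator = defaultdict(list)
    for ns in parse_ns(dig_answer):
        by_operator[operator(ns)].append(ns)
    sizes = [len(v) for v in by_operator.values()]
    return {
        "operators": dict(by_operator),
        "survivors_if_largest_fails": sum(sizes) - max(sizes, default=0),
        "single_point_of_failure": len(by_operator) < 2,
    }

if __name__ == "__main__":
    for label, sample in (("single", SINGLE_PROVIDER), ("dual", TWO_PROVIDERS)):
        print(label, audit(sample))
```

Two different nameserver domains can still belong to one company or sit on one network, so treat a passing result as a prompt to confirm who actually runs each set.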
As you might expect, if you’re using Bytemark’s cloud hosting and managed hosting services we’re in a great position to help you follow this advice 😀 But whichever way you go, if you’ve tuned for performance and know who’ll react when your site goes down, you’ll be back up a lot faster.