Dyn, Inc. is toast. They created a central point of failure for the Internet. Major sites will stop using their services within hours.
Things need to get more distributed. Don't load Jquery from some central site. Don't load fonts from Google. Make sure your site will work if all the trackers and ad sites are not responding. Use multiple independent DNS providers.
It's also time for serious litigation. Find some vulnerable IoT device being used for the attack, and sue the retailer, distributor, and manufacturer for negligence. Junk IoT manufacturers need to feel fear.
We've reached the point where any clueless business type who pooh-poohs and wishes away security concerns needs to get the idiot bit flipped on them. Today's networked computing environment has reached the point where this stuff is toxic. It might have been okay for a few isolated frontier weirdos to play with mercury to extract gold, but when that became a full-blown industry, it resulted in toxic consequences we are still dealing with over 150 years later. Maker hipsters playing with a few hardware hacks did little harm. Now that IoT is becoming household, the situation has changed in an analogous way.
Please. Dyn has performed pretty well in the past, and any other provider (be it UltraDNS, CloudFlare or anybody else) would be a single point of failure as well.
As you said, the only protection (somewhat) is to have redundant/multiple DNS providers. Doesn't mean Dyn can't be one of many.
Dyn is still one of the biggest and hardest to hit providers, so I'd be surprised if they're broadly abandoned. Redundant providers are pretty much the only fix available to users, but it's still sensible to be redundant via the best providers out there, and that still means Dyn.
Yes, they did. But, depending on the details of the attack, I am not sure if any other provider could have withstood the attack without problems. In other words, I doubt there's a single provider/alternative.
Unless you have a good argument why they are less likely to stay up than the alternatives, I don't see how this would lead to their end. Unless you take it as an argument to abolish ALL DNS servers and start mailing hosts files around...
People have been painfully reminded why using multiple providers is best practice, will re-evaluate if that's worth the expense and if yes add other servers. Dyn will easily survive unless some massive blunder is exposed in the aftermath.
Would anyone else have stayed up, though? This isn't just going to be a fear response, the risk assessment will be to ask "what could have prevented this?"
Lots of people will quit using Dyn as a sole DNS, but I don't see any reason they'll quit being involved in people's multiple DNS solutions.
Presumably about n-fold higher (marginally) than without redundancy. Not counting the cost of this sort of outage, which could swing the equation strongly in favor of nX.
DDoS attacks are nothing new. The scale has increased over time, but DoS has been a constant issue for as long as people have been mad on the internet.
This attack is notable because it exposes a single point of failure for a lot of popular sites. The long-term fix is to distribute that SPOF so it's not so tight a bottleneck. This is as easy as specifying nameservers from multiple providers, or as complex as a distributed DNS system such as Namecoin.
The internet is a giant cascade of constant failures, and developing for it is an exercise in planning for failure. This isn't new - if it appears new, it's just that most engineers have done their jobs well. What will happen out of this is that the people trusting all their DNS traffic to Dyn will start trusting only half of it to Dyn, and the next time Dyn is knocked out, the people who have diversified against that contingency won't be practically affected.
They've been increasing steadily for decades. Today almost certainly isn't some new record-setting attack orders of magnitude beyond what's been seen before - it isn't the herald of a new age of attacks and the "beginning of a bleak future". Claiming such is just sensationalist garbage that belies a lack of understanding of the way the internet works and the history of DDoSes in general.
Spamhaus was historic in 2013 at 75 Gbps. In 2014, Cloudflare mitigated a 400 Gbps attack. The BBC attack earlier this year crested 600 Gbps. Last month, OVH was hit with a 1 Tbps attack. Each of those was mind-bogglingly large at the time, and infrastructure has continued to evolve to deal with them. This attack isn't anything particularly different - it's just notable because it's visible, not because it happened.
The 2013 attack was <1% of total internet traffic for its duration. The 2014 Cloudflare hit was ~2.5% of all traffic. BBC was ~3%, and OVH was ~4%. (Interpolated from Cisco here: http://www.cisco.com/c/en/us/solutions/collateral/service-pr...) Most predictions suggest that IoT attacks will grow faster than what we've already seen, and a rough estimate suggests that DDoS capacity is growing faster than legitimate capacity.
None of that means today was orders of magnitude higher - the shock factor was that it exposed a structural weakness people hadn't accounted for. But I expect this to become an increasingly significant problem as capacity increases, and moreover as that capacity becomes available to more attackers.
I certainly expect it to become an increasingly-significant problem, as well. I don't mean to downplay the significance of the attack. But the lesson here isn't "welp, the bad guys have won, the internet is dead", it's "don't use one DNS provider, go redundant on it just like you do on every other piece of the stack". Yeah, it's annoying, but it's not an unsolvable problem.
The reporting on this has really annoyed me because the writers writing about it have pretty consistently said that GitHub, Twitter, PayPal, etc have all been knocked offline, which is just untrue. They have unresolvable names - resolve their names and they're working just fine. The fix is improved resilience in name resolution, and it's not a terribly hard fix. Someone in the other thread noted that PornHub is managing just fine despite using Dyn DNS - because they also route half their DNS traffic to UltraDNS.
Attacks like this are certainly a big problem, and are going to become a bigger problem, but IMO, the Chicken Little sky-is-falling hysteria is unwarranted and unuseful.
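The redundancy fix the thread keeps returning to (nameservers from more than one provider, as in the PornHub/UltraDNS split mentioned above), as an added example in Python that is not part of the thread: it takes a zone's NS host names and reports whether the delegation rests on a single provider. The NS sets are constructed samples, not real records, and the provider grouping is a label heuristic assumed here in place of a full public-suffix lookup.

```python
from collections import Counter

# Constructed sample NS sets; the host names are illustrative, not real records.
DUAL_PROVIDER_NS = ["ns1.p21.dynect.net.", "ns2.p21.dynect.net.",
                    "pdns1.ultradns.net.", "pdns2.ultradns.org."]
SINGLE_PROVIDER_NS = ["ns1.p21.dynect.net.", "ns2.p21.dynect.net.",
                      "ns3.p21.dynect.net."]

# Second-level labels that are really part of a public suffix (co.uk, com.au, ...).
# A simplified stand-in for the full public-suffix list (an assumption here).
SUFFIX_LABELS = {"co", "com", "net", "org", "ac", "gov", "edu"}


def provider_key(ns_host: str) -> str:
    """Reduce a nameserver host name to a provider key: the label just left of
    the public suffix, with the TLD dropped so that ultradns.net and
    ultradns.org count as one provider."""
    labels = [l for l in ns_host.lower().rstrip(".").split(".") if l]
    if len(labels) < 2:
        raise ValueError(f"not a usable nameserver host: {ns_host!r}")
    if len(labels) >= 3 and labels[-2] in SUFFIX_LABELS:
        return labels[-3]
    return labels[-2]


def delegation_report(ns_hosts):
    """Summarise how a zone's NS set is spread across providers and flag a
    delegation that would go dark with one provider's outage."""
    counts = Counter(provider_key(h) for h in ns_hosts)
    warnings = []
    if len(ns_hosts) < 2:
        warnings.append("fewer than two nameservers published")
    if len(counts) < 2:
        warnings.append("every nameserver belongs to one provider: "
                        + (", ".join(sorted(counts)) or "none"))
    elif max(counts.values()) > 0.75 * len(ns_hosts):
        warnings.append("one provider hosts most of the NS set; its outage "
                        "would still cost most lookups a timeout and retry")
    return {"providers": dict(counts),
            "single_point_of_failure": len(counts) < 2,
            "warnings": warnings}


if __name__ == "__main__":
    for label, ns in (("dual", DUAL_PROVIDER_NS), ("single", SINGLE_PROVIDER_NS)):
        print(label, delegation_report(ns))
```

Feeding it the NS set returned by `dig NS <zone>` turns the "are we single-provider?" question into a check that can run on a schedule.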
This is a great point, and I didn't mean to downplay it. As much as anything, I was interested because you offered a time/size progression of attacks and I saw a chance to study it against total traffic.
I've been really selective with the reporting I checked, and so most everything I've seen has been either BBC-bloodless ("these sites are inaccessible, because a DDoS attack happened"), or TheRegister-sophisticated (assumes the reader knows what DNS is). A quick look at what other people have been running explains your general sentiment. This isn't the end of the world, and running stories saying "IoT WILL KILL US ALL" isn't making anything better.
So fair enough: I think this is a serious issue, and today's events revealed that people haven't been properly prepared. But pitching it as something totally unpredictable is downright dishonest.
If your issue is with the sensationalist headline, I won't argue, but want to make sure to note that reporters almost never have any control whatsoever over the headline of their piece.
The visibility of the DDoS matters. It successfully took down parts of the internet used by the general consumer. An attack of that scale, that someone who has never heard of Spamhaus or Cloudflare actually noticed, is notable simply because it happened.
It seems like some eyeball and distribution networks should get together and run a private subset of the Internet, with good filtering (BCP38 style), etc. internally. You could get pretty good coverage with just ~10 eyeball networks in the US, a few cloud providers, and maybe some key infrastructure. Operate normally most of the time, but when under attack, be able to fall back to just vetted networks, transports, and routes, at least temporarily. Then have a limited number of hardened gateways, the way NIPRnet does with the civilian commercial Internet, which are used in intermediate-level attacks.
Opt-in, maybe have an association run it (like an IX, but without the expensive dinners and dues and general activism which inflates IX budgets), etc. This would do more for "critical infrastructure protection" than anything DHS/NSA/FBI have ever done.
So, these DDoS attacks take advantage of IoT devices, so how would you tell the difference using vetting when they are on the same networks as regular users?
I would just ban the IPs for 24 hours if I detect an IP that is part of a DDoS. After that people will wise up and unplug their nannycam/toaster/IoT-whatever.
You're assuming that people will know or be able to guess what is compromised. Assuming multiple IoT devices, the average user won't have any clue, and will think they just need to run antivirus on their Windows box.
Prune at the link level. Connect to people you trust to do so using a special community (or really, physical infra). It is ok if bank A to bank B communications get protected in a way which eliminates Bank A and Bank B connectivity to even 20% of legitimate end users in emergencies.
I thought it raises a few good points, even though it doesn't propose any solutions. The current sorry state of IoT security is something worth thinking about.
I'm kinda surprised at how badly OSes deal with this. If you can't get a DNS lookup, would it be so crazy to use the last-known cached value for it?
There's no reason for a computer to not be able to find a site I've been visiting every day for the last year. DNS data should be cached for at least 48 hours -- TTLs should be set to at least this.
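The "use the last-known value when the lookup fails" idea above, as an added example in Python that is not from the thread: a small resolver cache that keeps serving an expired record while the upstream lookup fails, for up to the 48-hour window the comment suggests (the same behaviour was later standardised for recursive resolvers as RFC 8767 serve-stale). The upstream callables and the 192.0.2.10 answer are constructed stand-ins.

```python
import time

# Constructed sample answer (192.0.2.0/24 is documentation address space).
SAMPLE_ZONE = {"example.com": ("192.0.2.10", 300)}

def healthy_upstream(name):
    """Stand-in for a working lookup: returns (address, ttl) or raises."""
    if name not in SAMPLE_ZONE:
        raise LookupError(name)
    return SAMPLE_ZONE[name]

def failing_upstream(name):
    """Stand-in for the authoritative servers being unreachable."""
    raise LookupError(f"timeout resolving {name}")

class ServeStaleCache:
    """Keeps answering from an expired record while upstream fails, bounded."""

    def __init__(self, max_stale_seconds=48 * 3600):
        self.max_stale = max_stale_seconds
        self._entries = {}  # name -> (answer, expires_at)

    def resolve(self, name, upstream, now=None):
        """Return (answer, is_stale); raise only with nothing usable cached."""
        now = time.time() if now is None else now
        name = name.lower().rstrip(".")
        entry = self._entries.get(name)
        if entry and now < entry[1]:
            return entry[0], False  # fresh hit, TTL not yet expired
        try:
            answer, ttl = upstream(name)
        except LookupError:
            if entry and now < entry[1] + self.max_stale:
                return entry[0], True  # upstream down: serve the stale record
            raise
        self._entries[name] = (answer, now + ttl)
        return answer, False

def demo():
    """Fresh hit, outage after TTL expiry, then the 48 h stale cut-off."""
    cache = ServeStaleCache()
    t0 = 1_000_000.0
    first = cache.resolve("example.com", healthy_upstream, now=t0)
    during_outage = cache.resolve("example.com", failing_upstream, now=t0 + 600)
    try:  # 49 h later the stale budget is exhausted and the failure surfaces
        cache.resolve("example.com", failing_upstream, now=t0 + 49 * 3600)
        cut_off = False
    except LookupError:
        cut_off = True
    return first, during_outage, cut_off
```

A stale hit deliberately does not extend the record's expiry, so the cut-off is measured from the original TTL and a dead upstream cannot keep an answer alive forever.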
It occurred to me today that since certain sites have been down, it's forced me to use other sites which are still up. As if someone is forcing all my communication and activities to go through "approved" channels.