'Nice Internet You've Got There... You Wouldn't Want Something To Happen To It...'

from the this-is-no-longer-theoretical dept

Last month, we wrote about Bruce Schneier's warning that certain unknown parties were carefully testing ways to take down the internet. They were doing carefully configured DDoS attacks, testing core internet infrastructure, focusing on key DNS servers. And, of course, we've also been talking about the rise of truly massive DDoS attacks, thanks to poorly secured Internet of Things (IoT) devices, and ancient, unpatched bugs.

That all came to a head this morning when large chunks of the internet went down for about two hours, thanks to a massive DDoS attack targeting managed DNS provider Dyn. Most of the down sites are back (I'm still having trouble reaching Twitter), but it was pretty widespread, and lots of big name sites all went down. Just check out this screenshot from Downdetector showing the outages on a bunch of sites:
You'll see not all of them have downtime (and the big ISPs, as always, show lots of complaints about downtimes), but a ton of those sites show a giant spike in downtime for a few hours.

So, once again, we'd like to point out that this is as problem that the internet community needs to start solving now. There's been a theoretical threat for a while, but it's no longer so theoretical. Yes, some people point out that this is a difficult thing to deal with. If you're pointing people to websites, even if we were to move to a more distributed system, there are almost always some kinds of chokepoints, and those with malicious intent will always, eventually, target those chokepoints. But there has to be a better way -- because if there isn't, this kind of thing is going to become a lot worse.

Filed Under: attack, ddos, dns, internet, vulnerabilities
Companies: dyn


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    -dsr- (profile), 22 Oct 2016 @ 5:48am

    When you outsource to the cloud, you have a SPOF you can't see.

    Whether or not Dyn should have been able to withstand this DDOS, whether or not the DDOS should have been prevented, it's still a problem for all of Dyn's customers that decided that they didn't need any other DNS services because Dyn is the cloud.

    On the DNS customer side, there's no reason not to use multiple authoritative DNS providers, including running one yourself. The cleanest way of doing this is to run two or three widely separated DNS servers that only talk to your three DNS services. Even for huge zones, this is a cheap and idiot-resistant method.

    On the resolving side, there's no excuse for not having two or three nameservers listed on each of your computers. If you are small: one from your ISP, one from Google, one from any other service. If you are in any position to run caching DNS servers, do that as well.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: Techdirt Logo Gear
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.