31st October 2016 by GCI

A company called Dyn provides Domain Name Services to thousands of websites including many famous brands such as Netflix, Twitter, Spotify, Reddit, CNN, PayPal, Pinterest. Like many people I didn’t know this until a few days ago.

They have been in the press over the past week because they suffered a Distributed Denial of Service (DDoS) attack which rendered many of their customers’ websites unusable. The websites themselves were not attacked directly, but the average internet user’s ability to connect to them was disrupted throughout the day, because Dyn provides the service that helps your browser work out how to reach the website you are requesting.

Initial reports indicate that their services received unsolicited traffic from ‘tens of millions’ of IP addresses, many of them believed to belong to the so-called Internet of Things. In other words, our smart home devices such as fridges and central heating controllers! Because many of these devices connect to the internet and have been designed with little regard to security, they are rich pickings for groups looking to control them remotely. In this case millions of them were used to send traffic to Dyn’s servers and exhaust their resources.

At this stage we don’t know why someone chose to attack them: financial gain, activism, cyber vandalism? The list goes on and we can only speculate at this stage. In my experience the businesses that lost their ability to trade on that day will not waste too much time on the ‘Why’; they will be looking at options to stop it happening again. Prior to this incident the largest attack was attributed to over 150,000 devices generating almost 1 Tbps*. The size of the botnets available to criminals looks to have grown from 150,000 to ‘tens of millions’** in the space of a month, which is staggering.

Technology consulting firm Gartner projects that 6.4 billion connected things will be in use worldwide this year, up 30 percent from last year, and forecasts that this number will grow by more than three times, to nearly 21 billion, by the year 2020.

Smart devices aren’t actually that smart. Many leave the factory with a default password that the end user never gets around to changing. And how many home users will ensure their devices are regularly patched against the steady flow of newly discovered security vulnerabilities?

Much debate has been generated around these attacks on what the victims or their providers should or should not have done. My take on this is that it actually doesn’t matter how sophisticated (relatively speaking) or how basic this attack was: the attackers had access to millions of devices that cumulatively had enough bandwidth to render many defence methods ineffective. In simple terms, if someone can send more traffic to me than my internet connection can accept, my service is denied, or at the very least massively degraded, before any DDoS protection hosted on my side comes into play.

With attacks of this size becoming more regular, DDoS defences need to sit upstream so that the traffic is scrubbed before it consumes the bandwidth of the intended target. They also need to be able to cope with the thousands of other daily attacks that don’t make the headlines and target other vectors, such as the application layer.

Please get in touch if you would like to discuss our ideas and approach to mitigation of these risks.


* Octave Klaba, the founder and CTO of OVH, revealed via Twitter that his company was hit with two simultaneous DDoS attacks whose combined bandwidth reached almost 1 Tbps.
** Announcement on the Dyn company website.

Author: Mark Williams is Product Manager – Security at GCI