If you were online at all last Friday, you likely didn’t miss the massive outage that hit many big websites – and warnings about how this happened swiftly followed, not to mention advice on avoiding this kind of scenario in the future. And the biggest resultant pearl of wisdom security experts are currently preaching is: use multiple providers for DNS.
DNS or Domain Name System is, in basic terms, the system which routes traffic around the net, translating what’s typed into a browser (the URL) into the actual IP address required to ensure that the user gets to the correct web page.
Hence by hitting a major DNS provider, cybercriminals can take down multiple sites or services which use that firm – and this is what happened late last week, when DNS provider Dyn was hit by massive DDoS attack which affected a huge amount of big names including Twitter, Spotify, Netflix and Reddit.
So by using multiple DNS servers, you have some backup on hand. Dyn spoke out about this itself, and Kyle York, chief strategy officer for the company, told Reuters: “We have advocated for years for redundancy in your infrastructure. I don't think you can ever be safe enough or redundant enough.” He added that those who used multiple DNS servers saw a lesser impact during last Friday’s chaos.
In other words, it’s a case of the more providers the merrier when it comes to avoiding downtime, but the negative side of this, as Reuters notes, is the fact that juggling multiple DNS providers and managing traffic becomes a thornier (and more costly) issue.
Botnet blues
There are certainly other major issues here, though, and a big consideration is that last week’s major-scale DDoS attack leveraged a huge botnet of compromised devices to bombard Dyn, and as Barrett Lyon, a cyber-security expert Reuters spoke to, put it: “The internet wasn’t designed with these kinds of attacks in mind”.
As we noted in our previous report on this, while the perpetrator hasn’t been pinned down, at least a good part part of the firepower in this assault has been confirmed as being derived from the Mirai botnet, which is comprised of all manner of weakly defended Internet of Things devices (left on default password settings) including the likes of security cameras, DVRs and routers.
Said botnet has been used to mount some major hits in recent times including an attack on the Krebs on Security website which totalled 620Gbps, followed by a pair of simultaneous barrages of 799Gbps and 191Gbps which were suffered by French hosting company OVH.com.
The attack on Dyn began at just gone midday UK time on Friday, and continued, in somewhat on-and-off fashion, through to just after 23:00 – almost a full 12 hours of disruption, all told.
There is a worrying prospect of a future where such huge DDoS campaigns will be used in combination with blackmail, with a ransom being demanded for the attack to be lifted.
Of course, the real root of the problem lies in the compromised devices, and ensuring these aren’t left on default settings which can be easily hacked is obviously a key piece of the solution – it’s manufacturers of the relevant devices who really need to step up their security game.
