More than a Year After Dyn, Businesses are Still Vulnerable
The Dyn attack, one of the largest DDoS attacks ever seen, is back in the headlines after the three culprits pleaded guilty to creating the botnet which was used in an attack that crippled the internet throughout North America.
Before the attack, cybersecurity experts had long raised alarms that internet-of-things connected devices could be marshalled into a botnet army. But few foresaw that such an army would be turned towards DNS servers at Dyn with such devastating effect.
One year later, the majority of online businesses appear to still be vulnerable from the same attack.
One Year Later
One of the ways for website operators to protect themselves from this type of attack is to use more than one provider for DNS. When you set up DNS for your domain, you have the ability to specify the authoritative name servers for the domain–that is, which servers are the authoritative source of DNS for the domain.
After the Dyn attack, more companies began using secondary and tertiary DNS providers. I was curious how many companies had adopted this model. Using Alexa’s rankings of web traffic and page rankings, I pulled a list of the top 100 U.S. websites. I fed this list into a small script that I wrote to give me the authoritative name servers for each domain in the list.
What I found was that 64 of the top 100 websites still use only one DNS provider, including major companies directly affected by the Dyn attack. Quite often, that provider was Amazon.
In theory, Amazon has several advantages as a DNS provider. Amazon Web Services does more than $4 billion in business per quarter, and has the infrastructure to back it up. At the same time, most of its traffic is outbound. It certainly has the bandwidth to defend against inbound attacks. And yet, any network operator that takes the job seriously knows that a single provider is a single point of failure. It’s big, but still vulnerable. API attacks and human error resulting in cascading automated failures are concerns in large-scale networks.
What is the Best Solution?
This topic would be important to just a handful of IT security professionals if it was merely about DNS providers. All of us, from website operators to corporate network operators, and everyone in between must continue to think about the impact of availability in every aspect of their online presence, including DNS.
Having a second, or a third DNS provider could keep an e-commerce site up during an attack.
Many DNS companies spread their services across different Top Level Domains (TLDs) too, which protects against a root-level DNS outage or attacks against a particular TLD, like “.com,” “.net,” or “.org.”
And in the case of Amazon itself? Well, they do use diverse providers and none of them are their own DNS service.
Could it Happen Again?
The short answer is yes. Will it happen exactly the same way? Probably not.
Although the quantity of connected IoT devices continues to grow and the number of Mirai botnets continues to grow, those armies are now splintered. What was once a single botnet of 380,000 devices is now many botnets with much smaller botcounts.
What’s interesting about Mirai is that it’s incredibly versatile and customizable. Technically, the bots don’t have to be IoT devices. There was a Windows variant reported in the wild and if you’re like me, maybe you run the bot in your lab on top of traditional Linux.
There are also active Mirai bots that are actually powerful servers with big uplinks, rather than tiny, low powered devices sprinkled around the network. But there’s a broader story here. If website operators fail to take measures to fix known problems, then attackers, who have shown the means to evolve and integrate new tools, already have the upper hand.
By Leni Kaufman, VP & CIO, Newport News Shipbuilding
By George Evans, CIO, Singing River Health System
By John Kamin, EVP and CIO, Old National Bancorp
By Elliot Garbus, VP-IoT Solutions Group & GM-Automotive...
By Gregory Morrison, SVP & CIO, Cox Enterprises
By Alberto Ruocco, CIO, American Electric Power
By Sam Lamonica, CIO & VP Information Systems, Rosendin...
By Sergey Cherkasov, CIO, PhosAgro
By Pascal Becotte, MD-Global Supply Chain Practice for the...
By Stephen Caulfield, Executive Director, Global Field...
By Shamim Mohammad, SVP & CIO, CarMax
By Ronald Seymore, Managing Director, Enterprise Performance...
By Brad Bodell, SVP and CIO, CNO Financial Group, Inc.
By Jim Whitehurst, CEO, Red Hat
By Clark Golestani, EVP and CIO, Merck
By Scott Craig, Vice President of Product Marketing, Lexmark...
By Dave Kipe, SVP, Global Operations, Scholastic Inc.
By Meerah Rajavel, CIO, Forcepoint
By Amit Bahree, Executive, Global Technology and Innovation,...
By Greg Tacchetti, CIO, State Auto Insurance