Enterprises going it alone against such an attack ‘would have been toast
The DDoS attacks that flooded Dyn last month and knocked some high-profile Web sites offline don’t mean businesses should abandon it or other DNS service providers, Gartner says.
It’s also the easiest way for an enterprise to defend against this type of attack and the only one known to be effective. “There’s nothing more elegant anyone has come up with in the intervening week,” he says.
The high-volume, high-velocity attack was based largely on a botnet backed by Mirai malware that finds and infects internet of things devices that are virtually defenseless against it. It has proven capable of DDoS traffic of 1Tbps or more and the source code has been made public, so experts say it’s certain there will be more such attacks.
Before the Dyn attacks, DNS services were considered vastly more reliable in-house DNS, and it still should be, Gill says. “If an enterprise had been hit with the volume Dyn was they would have been toast,” Gill says.
He says he has been briefed by Dyn about the Oct. 21-22 attacks, most of which he can’t discuss publicly. But he says those Dyn customers that recovered quickly were those who dual-sourced their DNS service. “A significant number of Dyn customers popped back up after 10 to 15 minutes,” he says, and likely they were the ones with more than one DNS provider.
Downsides of multiple providers is they represent an extra expense and not all providers offer exactly similar featuressuch as telemetry, local-based routing and fault tolerance. So switching from one to another in an emergency might be complicated and might mean winding up with a different set of features. Coordinating multiple providers is an added headache.
If cost is a concern, businesses could use a DNS provider like Amazon Web Service’s Route 53 that is inexpensive, relatively easy to set up and pay-as-you-go, he says.
Gill says the motivation for the attack is hard to know. Dyn was a very attractive target for many possible reasons. It had advertised its security, and that might have been considered a reason for a glory-seeking attacker to go after it and take it down.
A Dyn researcher delivered a paper on the links between DDoS mitigation firms and DDoS attacks the day before Dyn was hit, so perhaps the attack was revenge. Dyn has many high-profile customers, so perhaps the real target was one of them. It’s impossible to know for sure what the motive was.
Gill says Dyn has learned a great deal about how to successfully mitigate this new class of attack. In general, after such incidents, providers ally themselves with other providers to help identify and block malicious traffic at the edges between their networks. Attacks may result in identifying new profiles of attack traffic that make it easier to sort out bad from good in future incidents.