
Dyn DDoS Cyber Attack - Infoblox comments & insights

October 2016 by Cherif Sleiman, Managing Director, Middle East & Africa at Infoblox

Early Friday, October 21, a massive Distributed Denial of Service (DDoS) attack began against Dyn, a New Hampshire-based company that hosts DNS zones for many companies. The DDoS attack used the Mirai botnet, which consists of thousands of compromised “Internet of Things” devices, including IP cameras and digital video recorders. The DDoS attack sent enormous volumes of traffic—most of it not DNS—to Dyn’s name servers, overwhelming them and rendering them unable to respond to legitimate queries. (A previous attack using the same botnet, against the web site krebsonsecurity.com, peaked at 620 Gbps.) The result was that many of Dyn’s customers were unreachable from the Internet, including high-profile companies such as Twitter, Amazon, Netflix and Reddit.

Providing insight into what enterprises in the Middle East can do to withstand such an attack, Cherif Sleiman, Managing Director, Middle East & Africa at Infoblox says, “Infoblox’s best practices recommend using a combination of on-premises appliances and a DNS hosting provider to support external authoritative name service. (RFC 2182, “Selection and Operation of Secondary DNS Servers,” makes similar recommendations.) A customer following this recommendation would have withstood the attack against Dyn, as their on-premises authoritative name servers would have been accessible throughout the attack. Recursive name servers on the Internet, many of which use the response times of authoritative name servers to select among them, would have quickly learned which of the customer’s name servers were responding, and would have begun to favor those.”
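The resolver behaviour described in the quote above can be shown with a small simulation. This is an added example, not Infoblox code: it uses a simplified smoothed-RTT selection model (real resolvers differ in detail, for instance by retrying penalised servers later), and the server names, operators, RTTs, timeout and smoothing factor are all constructed assumptions.

```python
# Simplified model of a recursive resolver choosing among a zone's
# authoritative servers by smoothed RTT. Names, RTTs, timeout and the
# smoothing factor are constructed for illustration.
TIMEOUT_MS = 800   # assumed cost of an unanswered try
ALPHA = 0.3        # assumed weight of the newest RTT sample

# Constructed delegations: nameserver -> (operator, healthy RTT in ms)
HOSTED_ONLY = {
    "ns1.hosted-dns.example": ("provider", 20),
    "ns2.hosted-dns.example": ("provider", 25),
}
MIXED = {**HOSTED_ONLY, "ns1.corp.example": ("on-premises", 60)}


def simulate(delegation, failed_operator, queries=20):
    """Resolve `queries` lookups while every server of `failed_operator`
    is unreachable. Returns (answered, timeouts, tries_per_server)."""
    srtt = {ns: 0.0 for ns in delegation}   # unknown servers get tried first
    tries = {ns: 0 for ns in delegation}
    answered = timeouts = 0
    for _ in range(queries):
        # Try servers from lowest to highest smoothed RTT (name breaks ties).
        for ns in sorted(srtt, key=lambda n: (srtt[n], n)):
            operator, rtt = delegation[ns]
            tries[ns] += 1
            if operator == failed_operator:
                timeouts += 1
                srtt[ns] = TIMEOUT_MS        # penalise the silent server
                continue
            srtt[ns] = (1 - ALPHA) * srtt[ns] + ALPHA * rtt
            answered += 1
            break
    return answered, timeouts, tries


if __name__ == "__main__":
    for label, delegation in (("hosted only", HOSTED_ONLY), ("mixed", MIXED)):
        answered, timeouts, tries = simulate(delegation, "provider")
        print(f"{label}: answered={answered}/20 timeouts={timeouts} tries={tries}")
```

In this model the mixed delegation loses only the two tries spent discovering that the provider's servers are silent, while the hosted-only delegation answers nothing for the duration of the outage.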

Can Infoblox Do Anything to Combat the Mirai Botnet?

Yes. The source code for the malware behind the Mirai botnet recently became public—which may, in fact, be one of the reasons for the timing of the attack against Dyn. This also gave Infoblox the ability to determine the domain names of the command-and-control servers the botnet uses. We’ve added these to our Response Policy Zones, so Infoblox’s DNS Firewall customers with IoT devices targeted by Mirai are protected from having those devices controlled remotely. However, most of the IoT devices Mirai targets are deployed on home or small business networks.

