Dyn DDOS Cyberattack

I. INTRODUCTION

The Dyn attack, which took place on 21 October 2016, is one of the largest distributed denial-of-service attacks in history. It took down a large portion of the Internet in the United States and Europe and affected many services. The source of the attack was the Mirai botnet. Unlike earlier botnets, it consisted of so-called Internet-of-Things (IoT) devices such as Internet Protocol (IP) cameras, printers and digital video recorders.

Dyn is an Internet Performance Management (IPM) company and one of the pioneering domain name system (DNS) service providers. It also offers Internet infrastructure services and products such as monitoring and analytics, control, online infrastructure optimization and e-mail.

The objective of a Denial of Service (DoS) attack is to deny or disrupt authorized users' access to a resource or service. In a plain DoS attack the attacker uses a single machine to flood the targeted victim or resource so that authorized users cannot reach it. In a Distributed Denial of Service (DDoS) attack, thousands of bots are controlled by the attacker to flood the target.

Dyn reported that it had experienced a DDoS attack. Mitigating DDoS attacks was routine for Dyn's Network Operations Center (NOC) team; however, the NOC team quickly identified that this attack was unusual.

II. THE CYBERATTACK

Per the official analysis summary from Dyn [3], the DDoS attack on their DNS infrastructure took place on 21 October 2016. On detailed analysis the attack was characterized as advanced, well planned and complex, and Dyn faced a series of DDoS attacks on the same day within a few hours.

According to Dyn [3], Mirai botnets contributed a major share of the attack traffic. Mirai is malware that infects vulnerable network devices on the Internet, primarily IoT devices, by logging in to those that still authenticate with factory-default credentials. Upon successful infection the bot registers with a Command and Control (C&C) server, which directs the botnet during attacks. The source code of the Mirai malware had also recently been published on a public forum.

Fig. 1. DNS attack mechanism

A. Attack Timeline

The first attack was staged between approximately 11:10 UTC and 13:20 UTC. Initially a sharp increase in bandwidth consumption was observed at various locations of Dyn's DNS infrastructure, a pattern consistent with a DDoS attack. Dyn's Engineering and Operations team applied several mitigation measures, but the attack then concentrated on the US-East region. The abrupt, large volume of traffic originated from many source IP addresses, was destined for port 53, and consisted of both TCP and UDP packets.

The second attack was carried out between 15:50 UTC and 17:00 UTC. Unlike the first attempt, it targeted almost all of Dyn's managed DNS infrastructure around the globe. Although the second attempt used the same set of attack vectors and protocols as the first, it still managed to disrupt the service provider's operations despite the incident response mechanisms already deployed.

B. Attack Mechanism

The DNS protocol itself was used to perform the DDoS attack on Dyn's DNS servers. The attack vector, referred to variously as a recursive DNS query flood, DNS Water Torture or authoritative DNS exhaustion attack [5][6][1], works as follows. The DNS server infrastructure consists of recursive DNS resolvers and authoritative DNS servers. A recursive resolver receives from a bot a query for a 12-character pseudo-random hostname under the victim's domain. Because that name has never been seen before, the recursive resolver cannot answer it from its cache and forwards the query to the authoritative server, as shown in figure 1. The attack thus strips the authoritative servers of the protection normally provided by the caching layer [1]: the aim is to drive an exceptionally large number of queries through to the authoritative servers and exhaust their capacity to answer legitimate queries.
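The cache-bypass effect described above, as an added example that is not code from the original paper, from Dyn or from Mirai: a Python model of a caching recursive resolver in front of the authoritative server for a constructed victim zone (the zone name example-victim.test, its single record and the query counts are assumptions). Repeated lookups of one real name reach the authoritative server once; the same number of lookups for fresh 12-character random labels reach it every time, and negative caching of NXDOMAIN answers does not help because no label is ever asked twice.

```python
"""Why random-subdomain queries defeat resolver caching.  Added example, not
code from Dyn's report or from Mirai; the zone name, the record and the query
counts are constructed for the demonstration."""
import random
import string
from typing import Dict, List, Optional

VICTIM_ZONE = "example-victim.test"                    # constructed victim zone
ZONE_DATA = {"www.example-victim.test": "192.0.2.10"}  # the only record that exists


def random_label(rng: random.Random, length: int = 12) -> str:
    """12-character pseudo-random label, the shape Dyn observed in the attack."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


class AuthoritativeServer:
    """Authoritative nameserver for VICTIM_ZONE; counts every query it must answer."""

    def __init__(self) -> None:
        self.queries_served = 0

    def query(self, name: str) -> Optional[str]:
        self.queries_served += 1
        return ZONE_DATA.get(name)  # None stands for an NXDOMAIN answer


class RecursiveResolver:
    """Caching recursive resolver that caches both positive and NXDOMAIN answers,
    so repeated questions for the same name never reach the authoritative server."""

    def __init__(self, upstream: AuthoritativeServer) -> None:
        self.upstream = upstream
        self.cache: Dict[str, Optional[str]] = {}
        self.cache_hits = 0

    def resolve(self, name: str) -> Optional[str]:
        if name in self.cache:
            self.cache_hits += 1
            return self.cache[name]
        answer = self.upstream.query(name)  # cache miss: forward upstream
        self.cache[name] = answer           # negative caching is useless against unique names
        return answer


def legitimate_traffic(n: int) -> List[str]:
    """n clients asking for the same real name."""
    return ["www.example-victim.test"] * n


def water_torture_traffic(n: int, seed: int = 1) -> List[str]:
    """n bots each asking for a never-seen random label under the victim zone."""
    rng = random.Random(seed)
    return [f"{random_label(rng)}.{VICTIM_ZONE}" for _ in range(n)]


def run(queries: List[str]) -> Dict[str, int]:
    """Feed queries through one resolver and report how many reached the authority."""
    auth = AuthoritativeServer()
    resolver = RecursiveResolver(auth)
    for name in queries:
        resolver.resolve(name)
    return {"queries": len(queries), "cache_hits": resolver.cache_hits,
            "authoritative_queries": auth.queries_served}


if __name__ == "__main__":
    print("legitimate   :", run(legitimate_traffic(1000)))
    print("water torture:", run(water_torture_traffic(1000)))
```

With 1000 queries the legitimate run reports one authoritative query and 999 cache hits, while the water-torture run reports 1000 authoritative queries and no cache hits: a single resolver forwards every attack query, and an army of open or ISP resolvers multiplies the load on the authority accordingly.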
III. IMPACT

This DDoS attack affected Dyn's anycast servers [5] and prevented legitimate DNS queries from being resolved. Traffic is estimated at 40 to 50 times the normal volume, and the number of malicious endpoints involved in the attack is estimated at up to 100,000 [3]. Some reports put the attack's total bandwidth at 1.2 Tbps. Several major US websites including PayPal, Spotify, Twitter and Amazon faced connectivity issues, and the web services of other companies such as BankWest, HSBC and Ticketmaster were also affected [8]. According to BitSight [8], approximately 8% of Dyn's DNS customer base terminated their contracts after the attack.
IV. MITIGATION ACTIONS

There are three types of actions that can be used to mitigate attacks like the Dyn DDoS cyberattack: actions a single defender can take against a DDoS attack, actions that can be taken for the IoT devices themselves, and actions that can be taken globally to reduce these types of attacks.

For a single defender, the most important countermeasure is awareness. Organizations should know that these threats exist and what they mean for them; this awareness seems to be increasing [5]. A DDoS attack is very public in nature, since it targets availability and tries to bring a service down. Other attacks may be stealthier and go unnoticed, but a DDoS attack that takes a service down can hurt the reputation of an organization. When an organization wants to improve its security against DDoS attacks, basic measures such as firewalls and antivirus must be in place. There are also DDoS protection services, hardware or software, that work at the edge of the network and filter out these types of attacks.

The types of attacks used in the Dyn DDoS case were nothing new. What was new was the use of IoT devices as a massive botnet platform. Attackers can also use such devices as an entry point into a network and then move laterally to other systems and machines [2]. Since these devices are too useful to simply stop using, organizations need to start thinking differently about them. IoT devices should be treated as computers on the network like anything else: monitored like any other computer and segmented away from sensitive systems, which means removing any unnecessary connections to and from them to reduce the attack surface available to an attacker. Some researchers have even suggested actively fighting back against the botnets by crashing the source devices or remotely disabling the vulnerabilities they exploit [5].

To reduce these attacks globally, a few measures exist. The attack traffic could be identified by Internet backbone operators and cut off before it reaches its destination. The IoT devices themselves could be proactively secured against compromise [4]; using randomized per-device default passwords alone would make a big difference.

V. CHALLENGES IN MITIGATION

There are several challenges to these mitigation strategies. The DDoS traffic may be difficult to detect or defend against, the IoT devices may have limited capabilities to support good security, and the global market offers companies no incentive to fight these issues.

The traffic in these DDoS attacks, especially in the Mirai case, looks like ordinary traffic. Since Mirai launches several types of attacks from many otherwise legitimate sources, with legitimate-looking packets, it can be difficult to filter or detect without blocking normal traffic as well [5]. Furthermore, since the attack consists of a wide variety of sub-attacks against several endpoints, mitigating it requires separate defenses in front of all of those endpoints. In a similar manner, the sources of the attack are widely distributed over hundreds of thousands of IoT devices, so they are difficult to filter out.
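Added example, not from the paper or from Dyn: a detection heuristic over constructed resolver query log lines that shows both the problem described above (each bot sends very few queries, so per-client rate limiting does not fire) and what does stand out when the random-subdomain flood is viewed per zone (almost every query is for a never-seen, high-entropy label and is answered NXDOMAIN). The log format "<seconds> <client_ip> <qname> <rcode>", the zone names, the bot addresses and the thresholds are all assumptions.

```python
"""Heuristic detection of a random-subdomain (DNS water torture) flood from
resolver query logs.  Added example, not Dyn's code; the log format, the victim
zone name, the bot addresses and the thresholds are all constructed assumptions."""
import math
import random
import string
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed log format (assumption): "<seconds> <client_ip> <qname> <rcode>"
VICTIM_ZONE = "victim-zone.test"
MIN_QUERIES = 200        # ignore zones with too little traffic to judge
UNIQUE_RATIO = 0.9       # share of queries whose qname was never seen before
NXDOMAIN_RATIO = 0.9     # share of queries answered NXDOMAIN
MIN_LABEL_ENTROPY = 2.5  # mean Shannon entropy (bits) of the leftmost label


def _random_label(rng: random.Random, n: int = 12) -> str:
    return "".join(rng.choice(string.ascii_lowercase + string.digits) for _ in range(n))


def build_sample_log(seed: int = 7) -> List[str]:
    """Constructed log: 300 benign queries from 20 clients, then 2000 attack
    queries for unique random labels, each from a (practically) different bot."""
    rng = random.Random(seed)
    lines = []
    benign = ["www.shop.test", "api.shop.test", "mail.shop.test"]
    for t in range(300):
        lines.append(f"{t} 198.51.100.{rng.randint(1, 20)} {rng.choice(benign)} NOERROR")
    for t in range(300, 2300):
        bot = f"10.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
        lines.append(f"{t} {bot} {_random_label(rng)}.{VICTIM_ZONE} NXDOMAIN")
    return lines


def shannon_entropy(s: str) -> float:
    """Entropy in bits of the characters of s; 'www' gives 0, random labels ~3.3."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def parse(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, qname, rcode) per line; malformed lines are skipped."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4:
            out.append((parts[1], parts[2].lower().rstrip("."), parts[3]))
    return out


def zone_stats(records: List[Tuple[str, str, str]]) -> Dict[str, dict]:
    """Aggregate per registered zone (assumed here to be the last two labels)."""
    per_zone = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "entropy_sum": 0.0,
                                    "names": set(), "clients": Counter()})
    for ip, qname, rcode in records:
        labels = qname.split(".")
        s = per_zone[".".join(labels[-2:])]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        s["entropy_sum"] += shannon_entropy(labels[0])
        s["names"].add(qname)
        s["clients"][ip] += 1
    result = {}
    for zone, s in per_zone.items():
        n = s["queries"]
        result[zone] = {
            "queries": n,
            "unique_ratio": len(s["names"]) / n,
            "nxdomain_ratio": s["nxdomain"] / n,
            "mean_label_entropy": s["entropy_sum"] / n,
            "distinct_clients": len(s["clients"]),
            "max_per_client": max(s["clients"].values()),  # what per-IP limiting sees
        }
    return result


def flagged_zones(stats: Dict[str, dict]) -> List[str]:
    """Zones whose traffic looks like a random-subdomain flood."""
    return sorted(z for z, s in stats.items()
                  if s["queries"] >= MIN_QUERIES
                  and s["unique_ratio"] >= UNIQUE_RATIO
                  and s["nxdomain_ratio"] >= NXDOMAIN_RATIO
                  and s["mean_label_entropy"] >= MIN_LABEL_ENTROPY)


if __name__ == "__main__":
    stats = zone_stats(parse(build_sample_log()))
    for zone, s in stats.items():
        print(zone, s)
    print("flagged:", flagged_zones(stats))
```

On the constructed log the benign zone shows a handful of clients each sending dozens of queries for three names, while the victim zone shows roughly two thousand clients sending one or two queries each; only the per-zone view (unique, high-entropy, NXDOMAIN-answered names) separates the two. A resolver or authoritative operator can act on that signal by rate-limiting or dropping queries for the flagged zone's non-existent labels without touching other zones, which is the kind of upstream, zone-aware filtering the text argues for.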
Because of the use of cloud services, it is increasingly difficult to block these attacks with hardware at the edge of the network, since a well-defined edge may not exist when cloud systems are used in conjunction with on-premises systems. Protection therefore has to be moved further upstream or into the cloud itself, which calls for hybrid solutions that are more challenging to set up and maintain. Organizations must set up security strategies that cover them against these many types of attacks. In the end it comes down to balancing risk against cost: no security measure is impenetrable against all attacks, but increasing defenses works as insurance against potential attacks or sends an attacker looking for easier targets elsewhere [5].

There are also several challenges in securing IoT devices. They usually run on minimal hardware and stripped-down operating systems, so they may not have the capacity to run sophisticated security measures. If a vulnerability is found, the user may have no incentive to apply an update, and many devices have no update capability at all. Similarly, the systems to which all the IoT devices are connected may not have the capability to monitor all the traffic from all the devices [2].

In the current market, all the liability for these attacks falls on the victim. The cost of producing an attack can be surprisingly small, especially since tools like Mirai are out in the open for anyone to obtain and use. Defending against the attacks, buying services and hardware, and dealing with the consequences, on the other hand, is expensive for the victim. Furthermore, there are ethical issues surrounding the defense. The attacker does not care about breaching the security of a device, but what if a defender does the same when trying to defend against the attack? It is not clear who would be responsible for the damage caused by such hacking back [4].

In addition, there is no market incentive for ISPs and backbone operators to prevent these kinds of attacks [7]. They have no one to bill after an attack has been avoided or after preventive measures have been set up. Similarly, IoT device manufacturers have little incentive to spend time and money improving the defenses of their devices: once a device has been released to the market and sold, there is little incentive to maintain its firmware or update its security. This situation is unlikely to change unless other driving forces such as government enforcement are set up. Governments could introduce regulations that hold device manufacturers liable when their insecure devices are used in an attack. Another possibility would be for device manufacturers to start using security as a selling point, which would drive sales of insecure devices down.
VI. CONCLUSION

The Dyn DDoS attack did not involve any groundbreaking mechanisms; all of them were well known and some of them very simple. What was new was the way the Mirai worm combined multiple attacks into one and infected hundreds of thousands of insecure devices. A distributed attack of this volume had not been seen before.

Mitigating such attacks proves challenging. Because of the large number of different attack types and the massive number of source machines, hybrid solutions are necessary from multiple stakeholders, ranging from backbone providers to lawmakers to device manufacturers. Until big changes in how the Internet is set up and regulated happen, service providers cannot count on the issue being fixed from the outside. Instead, to prepare for these attacks, each service administrator needs a defense-in-depth strategy balanced to their own needs.
REFERENCES

[1] Chris Baker. Recent IoT-based Attacks: What Is the Impact On Managed DNS Operators? 2016. URL: http://dyn.com/blog/recent-iot-based-attacks-what-is-the-impact-on-managed-dns-operators/.
[2] Nathaniel Gleicher. The Big Lesson We Must Learn From The Dyn DDoS Attack. 2016. URL: http://www.darkreading.com/endpoint/the-big-lesson-we-must-learn-from-the-dyn-ddos-attack/a/d-id/1327432.
[3] Scott Hilton. Dyn Analysis Summary Of Friday October 21 Attack. 2016. URL: http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/.
[4] Kalev Leetaru. The Dyn DDOS Attack And The Changing Balance Of Online Cyber Power. 2016. URL: https://www.forbes.com/sites/kalevleetaru/2016/10/31/the-dyn-ddos-attack-and-the-changing-balance-of-online-cyber-power/.
[5] Steve Mansfield-Devine. "DDoS goes mainstream: how headline-grabbing attacks could make this threat an organisation's biggest nightmare". In: Network Security 2016.11 (2016), pp. 7–13.
[6] Radware. DDoS Attacks on DNS Services. 2016. URL: https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/dns-services-under-attack/.
[7] Bruce Schneier. Lessons From the Dyn DDoS Attack. 2016. URL: https://securityintelligence.com/lessons-from-the-dyn-ddos-attack/.
[8] Stephanie Weagle. Financial Impact of Mirai DDoS Attack on Dyn Revealed in New Data. 2017. URL: https://www.corero.com/blog/797-financial-impact-of-mirai-ddos-attack-on-dyn-revealed-in-new-data.html.