How to defend against DDoS attacks like the one on the Dyn DNS service

On October 21, 2016, the Dyn Managed DNS service experienced three DDoS attacks; two of these were successful at overwhelming the service and preventing access to major websites. While news reports focused on the attacks’ impact on Eastern U.S. websites, the second attack gave West Coast sites nearly as much trouble as it did Eastern web properties (scroll for Level3 outage map). 

The cause and effect of the Dyn attacks touched consumers and their devices. The terabytes of traffic from the Mirai IoT botnet, which included numerous smart home products kept consumers from using the many famed websites such as Netflix and Twitter that the attacks brought down.

With little likelihood that the industry will solve the IoT security dilemma any time soon and with IoT device sprawl inevitable at about 24 billion devices globally by 2020, there are ample resources for many larger IoT botnets that could do a great deal more harm.

ITPro looks at a couple of DNS DDoS prevention and mitigation strategies including external services that reroute and scrub traffic, and self-defending/self-healing networks.

Scrubbing out DDoS

Black hat hackers intend DDoS attacks to overwhelm enterprise websites and services with excessive traffic. You can contract scrubbing services to clean your traffic when you’re under siege. These services from ISPs and backbone providers route traffic intended for your servers through scrubbing facilities that examine the data and drop DDoS packets before sending the remaining, desirable traffic on to you. 

“DDoS scrubbing services primarily use commercial cloud-based solutions,” says Andrew Howard, CTO, Kudelski Security. These are the kinds of solutions that have sufficient resources to make such an approach work, given the size of the traffic and the scrubbing task.

You can buy services that run all the time or services that you turn up when you see DDoS attacks coming on. “With as-needed services, you’ll see a delay between the time when you come under attack and the time the mitigation starts—but we’re talking about a delay of minutes, not hours,” says Rachel Kartch, Researcher, CERT Division, Software Engineering Institute, Carnegie-Mellon University.

Always-on scrubbing services can introduce on-going latency, privacy issues (because the third-party service will always see the data), and false positives that sacrifice good traffic. In response, some providers offer hybrid scrubbing services. “Hybrid services include an always-on, on-premise scrubbing device and rerouting for traffic to scrubbing centers when you come under heavy attack,” says Kartch.

False positives—when the service identifies good traffic as though it was malicious—are more likely with some protocols when using these services. “A service is less likely to drop legitimate traffic in a TCP attack than in an ICMP- or UDP- based attack. For instance, a TCP SYN flood is pretty easy to identify and filter out,” says Kartch. 

In the attack on Dyn, criminal hackers interspersed malicious DNS requests among regular DNS traffic, making it harder to separate the good requests from the bad. “In such attacks, it may take more work to develop filters that accurately identify the attack traffic and pass only the legitimate traffic forward,” notes Kartch.

While scrubbing is very useful for enterprise websites that fall under attack, it is not typically a solution for the root of the issue. “Scrubbing would not protect dependencies such as DNS providers like Dyn or CDNs,” says Howard.

Self-defending networks

Self-defending or self-healing networks and systems can automatically adapt and change providers such as DNS during DDoS attacks, says Howard. When a DNS service or network provider fails due to a DDoS attack, the network or system can automatically switch over to another provider, where no attack is present.

“For this to work, the enterprise will need to have redundant DNS or network service providers in place, which can be costly,” says Howard. Because of interdependencies between DNS services and CDNs, the failure of a provider can still create some service interruptions even if you switch over to another service, according to Howard.  

Still, the self-healing network is a layer of DDoS protection worth considering. And if your DNS service uses self-defending networks, this can offer them protection, as well, according to Howard.