Dyn DNS provider suffers major DDoS attack

Oct 21, 2016 14:10 GMT  ·  By

A DDoS attack on Dyn, a major upstream DNS provider, has shut down a large chunk of the Internet for about two hours, rendering millions of sites inaccessible.

On the list of websites users reported as down, we list a few such as Twitter, Reddit, Yelp, Imgur, PayPal, Shopify, Soundcloud, Spotify, GitHub, Heroku, Etsy, Box, Weebly, Wix, Squarespace, CPAN, NPM, Basecamp, Twilio, Zoho, HBO, CNN, Starbucks, Yammer, and others.

Dyn says the attack started at 11:00 UTC. "This attack is mainly impacting US East and is impacting Managed DNS customers in this region," a Dyn spokesperson wrote in a service status report.

DDoS attack mitigated, for now

In a subsequent update, the company said the attack stopped at around 13:20 UTC. As we've seen with the attacks on VPS provider Linode in the past few months, attackers tend to launch quick DDoS bursts, and then come back with subsequent waves. Users should expect some sites to be inaccessible if future attacks hit Dyn again.

Last month, a massive 1.1 TB DDoS attack, powered by a botnet of IoT devices, hit French hosting company OVH. The attacks on Dyn don't necessarily have to be that large since Dyn is a key point in the Internet infrastructure, providing DNS services for many websites and large parts of the world.

Speculation, speculation

In the past few years, Dyn, together with Akamai and CloudFlare, has published statistics of how several oppressive regimes in certain nations block Internet access in their countries. A nation-backed attack isn't out of the question.

Infosec journalist Brian Krebs has another theory. He says the attacks are payback against Dyn researcher Doug Madory, who today presented a talk on DDoS attacks in Dallas, USA, at the North American Network Operators Group (NANOG). Madory helped Krebs investigate a company that had a history in hijacking Internet routes. The massive DDoS attacks that hit Krebs' website started after their joint investigation went public. According to Krebs, it's now Madory's turn.

Or, this could be one of those instances where threat groups are learning how to take down the Internet, or hacktivists showing support for Julian Assange, or New World Hackers showing off their new DDoS stresser service, which they re-launched today.

At the time of writing, the attack has been mitigated, and service has been restored.

[UPDATE: October 21 - 16:45 UTC]: As we predicted, the DDoS attack has returned as of 15:50 UTC.

[UPDATE: October 22]: After mitigating the second wave of attacks yesterday, Dyn is seeing new attacks today as well.