IoT Security Threats
Last week saw one of the largest DDoS attacks in history take down the DNS hosting service Dyn.
DNS is the system which translates human-readable domain names such as “google.com” into machine-usable IP addresses such as “74.125.200.139”.
Dyn offers general DNS hosting services as well as so called “Dynamic DNS” services where domain names point to frequently changing IPs belonging to private home networks or workstations.
It is important to note that the DDoS attack did not actually stop most of the affected services from operating. It merely made them unavailable to the average user. To borrow a metaphor, imagine a world where Google suddenly stopped working. The vast majority of users would not be able to access even the services they use regularly without using Google to look up the right URL, let alone find out where new services might be located.
Similarly, with parts of the DNS system unavailable, URLs typed into browsers could not be resolved into machine-usable IP addresses and the servers could thus not be reached.
As we warned in an earlier issue, attacks against central internet infrastructure such as the DNS system are bound to happen and escalate over time. We predict that ultimately this will lead to the replacement of currently central infrastructure with decentralized systems. However, no widely accepted distributed alternative to DNS exists at this point in time. For a system so critical to the operation of the internet, it will take some time to find a replacement even if the political will can be mustered.
Alas, the attack on Dyn does not seem to have the impact required to trigger such radical change.
What is notable about the attack is that it appears to originate from the so-called Mirai botnet. This botnet mainly targets insecure or poorly configured Internet of Things (IoT) devices such as smart locks, coffeemakers, cleaning robots, light bulbs or surveillance cameras.
Experts have warned against the dangers of poorly designed smart devices for almost a decade but it took until this year for the impacts to become obvious. Most IoT devices are designed by relatively small teams with more experience in lock-, camera- or coffeemaker-design than programming. These teams often lack dedicated security staff altogether.
After all, what is the worst that could happen with a hacked coffeemaker?
In a traditional sense, not much. The coffeemaker does not store critical business or private information. Spilling coffee or leaking the favorite blend preferences of its owner is hardly the end of the world.
However, control over the coffeemaker nets the attacker something much more valuable: access to the victim’s home network. From there, other devices such as PCs and smartphones can be attacked much more easily. Worse yet, the bandwidth of the household’s internet connection can be commandeered from the hacked device.
The Mirai botnet used this to its advantage. To block a DDoS attack, some identifying characteristic of the attack traffic, such as a country of origin or previous malicious behavior, has to be found. Since the IP addresses from which the malicious traffic originated were spread across the globe and belonged to otherwise harmless individuals, it was virtually impossible for Dyn to filter out the attack.
We expect to see many more attacks like this in the near future. Organizations are advised to maintain internal DNS servers with a reasonable cache of previously requested records to ensure that operations can continue even in the event of a DNS outage.
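One concrete way to follow this advice, as an added example that is not part of the original newsletter: an unbound.conf fragment for an internal caching resolver that keeps answering from its cache when upstream DNS becomes unreachable (the internal address range, cache sizes and staleness limits are assumptions to be adjusted per site).

```conf
# unbound.conf (constructed example): internal caching resolver for an office network
server:
    interface: 0.0.0.0
    port: 53
    # Only answer clients on the internal network (assumed RFC 1918 range).
    access-control: 10.0.0.0/8 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Size the cache so frequently requested records stay resident.
    msg-cache-size: 64m
    rrset-cache-size: 128m

    # Refresh popular records shortly before their TTL expires, so the cache
    # stays warm for as long as upstream servers are still reachable.
    prefetch: yes

    # Keep answering with expired records when the authoritative or upstream
    # servers cannot be reached. This is what lets internal operations continue
    # during an outage of a hosting provider's DNS.
    serve-expired: yes
    # Continue serving an expired record for at most one day past its TTL
    # (assumed acceptable staleness; stale answers may point at moved hosts).
    serve-expired-ttl: 86400

    # Do not let very short TTLs evict records too quickly (assumed floor).
    cache-min-ttl: 300
```

Point internal clients (via DHCP) at this resolver rather than directly at external DNS, otherwise the cache is never populated.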