As we reported yesterday, a not so insignificant portion of the internet was rendered inaccessible due to a DDOS attack against a company that many people may have never heard of prior to these events, this does beg the question as to why this can actually happen. While more details are coming to light in terms of what actually happened it will take time for a truly clear understanding of events; however, based on what we know to date we can start to at least provide an explanation for why an attack on a single company like this can have such a wide reaching impact.

fox-cyber

Hopefully we’ll help you understand it better than these fine gents. Source: Eric Geller

 

What is a DDoS?

DDOS is a term that is becoming much more commonly heard on various news reports, but what does it actually mean? DoS, or Denial of Service attacks are a method used by malicious third parties to essentially make a service inaccessible, prior to the internet this would have manifested in the form of people blockading access to a building or location in a city, though the term would never have been really used to describe this kind of activity, it is probably the most analogous to what a DoS actually is. The most commonly used method for DoS attacks is to simply flood a web server with more requests than it is able to cope with, causing the service to crash or lock up, preventing legitimate users from accessing the site. Of course, all of this is happening from a single computer on the internet, which means its impact can be mitigated by larger, more resilient services which are distributed over multiple services, meaning a simple DOS attack is a relatively uncommon phenomenon these days.

In place of a DoS attack is a DDoS, or rather a Distributed Denial of Service attack, unlike a DoS attack a DDoS will use a multitude of computers on the internet to generate the attack, making it much harder to withstand, since an attacker can theoretically just increase the number of compromised devices used in the attack until the server they are attacking is brought to a standstill. While rare, we are starting to see an increase in incredibly large DDoS attacks in the wild, such as the recent attack on security research site, Krebs on Security and data centre provider OVH, the latter of which was subjected to an attack that peaked at just over 1Tbps.

There are a multitude of reasons why someone may choose to initiate a DOS attack, be it simple malice, or potential financial gain, such as holding a site to ransom; they are oft also used as part of a diversionary tactic to keep the target companies staff busy while a real attack, usually in the form of some kind of systems hack occurs, as happened in October last year when UK ISP TalkTalk suffered a DDOS attack, while having customer data stolen.
Of course in order to carry out a DDos attack, the perpetrator needs access to a large number of devices on the internet, previously this would be based around compromised desktop PC’s belonging to a mix of users who have had the misfortune to have their machine infected by software used to help create what is known a botnet, a collection of machines all able to be used for a single purpose unbeknownst to their owners. As anti-virus protection improves and users become more savvy in terms of avoiding possible attack vectors used to try to infect machines, perpetrators have had to turn to other methods of generating this traffic such as insecure routers and IoT (Internet of Things) devices with weak or no security which are accessible on the wider internet, such as security cameras, PVRs, smart home devices and similar.

Due to the nature of DDoS attacks, they can be phenomenally hard to defend against. Ultimately companies exist that perform what is known as traffic mitigation, whereby they collect the data being sent to the target servers and perform analyses on the data being sent then try to strip out the bad data, just leaving genuine requests in place to be passed to the server in question, but as has been demonstrated by the attacks against Krebs on Security and OVH, people carrying out DDoS attacks can potentially bring significant amounts of traffic to bear, which can cause problems even for mitigation service providers over time. Add to this the distributed nature of a DDoS, meaning you have any number of IP addresses (Connection specific addresses that are unique to each internet connection) to have to try to contend with and suddenly the problem becomes much more difficult to handle, since simply blocking bad IP’s isn’t a solution due to the fact that the perpetrators could just bring more devices to bear on different connections with IP’s that haven’t been blocked. This is before taking into account the fact that many of the IP’s in question will be in use by unsuspecting victims with devices that have been compromised who you may normally want to be able to access your website or service. Sadly, there is one more final nail in the coffin of anyone who is the victim of a DDOS and that is actually your legitimate users, who will often just keep on trying to access your page by hitting F5 or retrying the site a few minutes later, just adding to the load. Due to these factors in many cases, the only option is to simply weather the storm and hope it doesn’t continue for too long, particularly for smaller companies or individual users who lack the budgetary requirements needed for high level mitigation services.

With all of this said, some websites are able to handle large traffic volumes more effectively than others by design which can help with situations like this, one method of achieving this is through clever use of something called DNS, or Domain Name System, which brings us nicely to the other part of just why an attack against a single company can bring a section of the internet to its knees.

screen-shot-2016-10-21-at-8-30-13-pm

Heat map, showing outages caused by yesterdays DoS attack. Source: Downdetector

Just who are Dyn and what do they actually do?

Dyn, as mentioned are likely to be an unknown company as far as many are concerned, however they provide a critical part of the ‘secret sauce’ that makes the internet work. As mentioned internet connections have what is known as an IP (Internet Protocol) address associated with them, they can either be associated to a single device in the case of a web server, or alternatively an internet connection, such as the one you are using to read this. IP addresses are unique identifiers used to determine which computer on the internet is which, unfortunately IP addresses arent really conducive to being memorable, being made up of a set of four numbers, for example TechAltars IP is 50.62.194.30; fortunately this is where DNS comes in. In essence DNS converts the friendly names we use to access websites, such as google.com, techaltar.com facebook.com and so on into the more computer friendly IP addresses. DNS and IP are probably most analogous to the phone book on your smartphone, whereby instead of having to remember everyone’s number, you simply enter their name and hit dial and this is kind of why the attack on Friday had the impact it had, in order to fully understand why though, we do need to go into a bit more detail on how DNS actually works.

 

When you opened your web-browser to access the internet prior to coming to this article, the chances are at some point you entered a webaddress, be it for google, facebook or any other site you may have decided to visit. The process for how your computer takes that address and turns it into the IP address before serving up the content you were looking for is actually fairly involved, but yet takes mere milliseconds in most cases to actually carry out.

dyn_logo_black_text-svg

Before we go into detail as to how DNS works, let’s just take a quick side step and look at the components of a websites URL (Uniform Resource Locator) or web address. There are three key components: the sub domain, the second level domain and finally the top level domain. In the case of www.techaltar.com these are www for the sub domain, techalter for the second level domain and .com for the top level domain. When you type techaltar.com into a web browser, your browser will send a query over the internet to find the website for techaltar. This query may be handled by several different servers until it finally reaches the techaltar website.

Firstly is what is known as recursive resolver, this is usually owned and operated by your ISP, this server has a couple of jobs, the first is to store, or rather cache DNS entries it has been asked for previously, to bypass the next steps of the process if other customers try to visit the same site. Its other job is to know about what are known as Root Servers, which is what it will query in turn if this is the first time it has been asked to visit the site. Let’s assume that your ISP’s recursive server has no prior knowledge of Techaltar, as mentioned it will then send a query to a root server. Root servers are so named because they are the servers queried for the root of the address you are trying to visit, in this case .com. Root servers also store information for the second level domain part of the URL and which Domain Name Server hold information for it. Again, much like your ISPs recursive server all of this information can be cached for future use. Assuming it’s not will take us to the final part. Once the Root server has located the DNS server that is responsible for the URL of the site in question, the request is then finally sent to the server that has this information. In many cases this will most likely be owned by the company that hosts the website in question or alternatively rented from a DNS provider, such as Dyn. The DNS server will store the IP address of the site you want to visit, and pass this back through the above devices for future use, so that any other customers who wish to visit the same website will get the results direct from their recursive server at the ISP.

The last part of the puzzle comes in the form of something known as TTL (Time To Live) TTL is part of the DNS entry stored on the DNS server, it tells the root servers and recursive servers how long to retain the cached entry for the DNS address before discarding it and having to perform a look up when a user next requests the DNS entry. Of course this time can vary from a few seconds to a few days depending on how the owner of the domain name has configured it and due to the nature of how DNS entries are learned by the various servers on the network there is no real set start or end time, other than from when the entry was last cached, what this effectively means is that the impact of losing access to a DNS server can be wildly unpredictable due to the fact that some DNS entries may have a large enough time left on their TTL set to allow the entry to be retained, meaning no queries against the DNS server are needed, or unfortunately their TTL may be expiring right in the middle of an attack like happened on Friday, rendering the sites inaccessible to those who don’t know the IP of the server that the DNS entry resolves to.

As mentioned Dyn are quite a large provider of DNS services, with customers including Twitter, Google, Amazon and others, so when they get hit by a DDOS attack such as happened yesterday it stops the queries being made by your ISP’s recursive servers from completing successfully, which explains why there was a huge problem with accessing some portions of the internet due to a single seemingly unknown company being hit by a DDOS attack.