IoT devices Used in DDoS Attacks
-
@scottalanmiller said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
@coliver said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
Well I was going to send this article to my Doctors to explain to them what happened on Friday, but then they went and tossed that last line in there.
https://techcrunch.com/2016/10/21/many-sites-including-twitter-and-spotify-suffering-outage/
@scottalanmiller please oh please tell me how that last paragraph applies to this problem?
Because this isn't a DDoS attack against anything but a DNS provider. If you use a different DNS host, I think they are referring to Comodo in the last section there. Then they bypass the issues to an extent. I don't think they are hitting the root DNS servers/farms either just Dyn in this case.
It's an argument for companies to use a redundant/distributed DNS system.
Sure, but how many people were using Dyn for their local DNS resolution? I suppose some might, I know I don't. If I'm not using my local ISPs DNS, I'm using Google's.
In either case, my changing my DNS wouldn't solve the outage my company experienced for our EHR system because our EHR used Dyn as their DNS solution to the world. In my case the solution would be for my EHR vendor to use another DNS provider (and while they didn't dump Dyn, they did diversify and how have DNS with at least three DNS providers when I looked this morning).
How would your EHR's DNS provider cause impact to you as an end user? I'm not saying that it can't, just that there is no obvious connection there. Your SaaS provider doesn't need DNS to provide services to you, you need it to request services from them (and even then, just sometimes, our customers don't need that.) In an established SaaS situation, what is DNS needed for at all?
Not the one they use internally, the one where they publish their records to the world. i.e. DynDNS.
Ah, the cacheing failed from there? But they could move to another provider in, like, five minutes. Faster than the TTL on the records. That's not a viable DDoS vector as you just move.
Can you not use static IPs for their service?
Sounds like that's what they did on Friday from what @Dashrender has mentioned.
-
@Dashrender said in IoT devices Used in DDoS Attacks:
@dafyre said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
@coliver said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
Well I was going to send this article to my Doctors to explain to them what happened on Friday, but then they went and tossed that last line in there.
https://techcrunch.com/2016/10/21/many-sites-including-twitter-and-spotify-suffering-outage/
@scottalanmiller please oh please tell me how that last paragraph applies to this problem?
Because this isn't a DDoS attack against anything but a DNS provider. If you use a different DNS host, I think they are referring to Comodo in the last section there. Then they bypass the issues to an extent. I don't think they are hitting the root DNS servers/farms either just Dyn in this case.
It's an argument for companies to use a redundant/distributed DNS system.
Sure, but how many people were using Dyn for their local DNS resolution? I suppose some might, I know I don't. If I'm not using my local ISPs DNS, I'm using Google's.
In either case, my changing my DNS wouldn't solve the outage my company experienced for our EHR system because our EHR used Dyn as their DNS solution to the world. In my case the solution would be for my EHR vendor to use another DNS provider (and while they didn't dump Dyn, they did diversify and how have DNS with at least three DNS providers when I looked this morning).
How would your EHR's DNS provider cause impact to you as an end user? I'm not saying that it can't, just that there is no obvious connection there. Your SaaS provider doesn't need DNS to provide services to you, you need it to request services from them (and even then, just sometimes, our customers don't need that.) In an established SaaS situation, what is DNS needed for at all?
If the EHR servers are hosted by Dyn... and we try to do a DNS lookup against Dyn servers while they're being DDOSd... It's not going to reply... or will be painfully slow
Well, the EHR servers themselves aren't hosted by Dyn (or at least I don't think so), but the DNS to those servers previously exclusively ran through DynDNS.... and as @coliver said, once the TTL expired, so did all the sessions.
Some people who had this problem simply hosted the EHRs domain on their own internal DNS pointing to the known IP address and it solved their problem (luckily). There could have been the need for several unknown host names which would have made that not work.
Cacheing will fix that too, if you have enough warning to cache. Or just use the hosts file.
-
@scottalanmiller said in IoT devices Used in DDoS Attacks:
That's not a viable DDoS vector as you just move.
I don't understand how this was such a big outage. DNS is designed to be resilient because of its simplicity. Why companies are still only using a single DNS provider is beyond me.
-
@scottalanmiller said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
@coliver said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
Well I was going to send this article to my Doctors to explain to them what happened on Friday, but then they went and tossed that last line in there.
https://techcrunch.com/2016/10/21/many-sites-including-twitter-and-spotify-suffering-outage/
@scottalanmiller please oh please tell me how that last paragraph applies to this problem?
Because this isn't a DDoS attack against anything but a DNS provider. If you use a different DNS host, I think they are referring to Comodo in the last section there. Then they bypass the issues to an extent. I don't think they are hitting the root DNS servers/farms either just Dyn in this case.
It's an argument for companies to use a redundant/distributed DNS system.
Sure, but how many people were using Dyn for their local DNS resolution? I suppose some might, I know I don't. If I'm not using my local ISPs DNS, I'm using Google's.
In either case, my changing my DNS wouldn't solve the outage my company experienced for our EHR system because our EHR used Dyn as their DNS solution to the world. In my case the solution would be for my EHR vendor to use another DNS provider (and while they didn't dump Dyn, they did diversify and how have DNS with at least three DNS providers when I looked this morning).
How would your EHR's DNS provider cause impact to you as an end user? I'm not saying that it can't, just that there is no obvious connection there. Your SaaS provider doesn't need DNS to provide services to you, you need it to request services from them (and even then, just sometimes, our customers don't need that.) In an established SaaS situation, what is DNS needed for at all?
Not the one they use internally, the one where they publish their records to the world. i.e. DynDNS.
Ah, the cacheing failed from there? But they could move to another provider in, like, five minutes. Faster than the TTL on the records. That's not a viable DDoS vector as you just move.
Can you not use static IPs for their service?
No clue. We only experienced 5 mins of outage over 2-4 PCs out of 90+, so we didn't dig into fixes. The vendor didn't know what the problem was, or at least didn't tell anyone for hours. a customer of theirs writing on an internal forum (luckily hosted elsewhere) dig into it more and found what the real issue was.
-
@scottalanmiller said in IoT devices Used in DDoS Attacks:
Ah, the cacheing failed from there? But they could move to another provider in, like, five minutes. Faster than the TTL on the records. That's not a viable DDoS vector as you just move.
Not if they buy their domain name from Dyn also.
-
@Dashrender said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
Ah, the cacheing failed from there? But they could move to another provider in, like, five minutes. Faster than the TTL on the records. That's not a viable DDoS vector as you just move.
Not if they buy their domain name from Dyn also.
Well, that would violate one of the first business rules of IT. I mean... that alone would be a reason not to use the EHR in my mind. I would never consider the possibility that they were that incompetent at a business protection level. But even if they were that foolish, there is zero lock in from doing that. That's not a real thing.
-
Well OpenDNS specificly caches DNSs longer than most so it likely would fix all issues as even if Dyn's servers were down longer than the entries TTL OpenDNS would still use it.
-
@Dashrender said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
Ah, the cacheing failed from there? But they could move to another provider in, like, five minutes. Faster than the TTL on the records. That's not a viable DDoS vector as you just move.
Not if they buy their domain name from Dyn also.
You can purchase domain names from whomever it doesn't stop you from doing DNS from a different vendor or internally.
-
@coliver said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
That's not a viable DDoS vector as you just move.
I don't understand how this was such a big outage. DNS is designed to be resilient because of its simplicity. Why companies are still only using a single DNS provider is beyond me.
I only use a single DNS provider. I use Cloudflare. I did buy my domain name from someone else though.. so moving it like scott said would be typically pretty fast if Cloudflare was under attack.
-
@coliver said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
Ah, the cacheing failed from there? But they could move to another provider in, like, five minutes. Faster than the TTL on the records. That's not a viable DDoS vector as you just move.
Not if they buy their domain name from Dyn also.
You can purchase domain names from whomever it doesn't stop you from doing DNS from a different vendor or internally.
And it is insanely recommended that you never buy the domain from one and get DNS from the same one. Those two should never overlap. That's how you lose control of your systems.
-
@Dashrender said in IoT devices Used in DDoS Attacks:
@coliver said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
That's not a viable DDoS vector as you just move.
I don't understand how this was such a big outage. DNS is designed to be resilient because of its simplicity. Why companies are still only using a single DNS provider is beyond me.
I only use a single DNS provider. I use Cloudflare. I did buy my domain name from someone else though.. so moving it like scott said would be typically pretty fast if Cloudflare was under attack.
No different than your EHR moving from Dyn to CloudFlare. Would take like five minutes, literally.
-
@scottalanmiller said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
@coliver said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
That's not a viable DDoS vector as you just move.
I don't understand how this was such a big outage. DNS is designed to be resilient because of its simplicity. Why companies are still only using a single DNS provider is beyond me.
I only use a single DNS provider. I use Cloudflare. I did buy my domain name from someone else though.. so moving it like scott said would be typically pretty fast if Cloudflare was under attack.
No different than your EHR moving from Dyn to CloudFlare. Would take like five minutes, literally.
But then it takes hours for those changes to propogate worldwide, doesn't it? Generally I've seen minutes, but it's usually half an hour at best, and I've seen it take as long as 48 hours at worst.
-
@Dashrender said in IoT devices Used in DDoS Attacks:
@coliver said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
That's not a viable DDoS vector as you just move.
I don't understand how this was such a big outage. DNS is designed to be resilient because of its simplicity. Why companies are still only using a single DNS provider is beyond me.
I only use a single DNS provider. I use Cloudflare. I did buy my domain name from someone else though.. so moving it like scott said would be typically pretty fast if Cloudflare was under attack.
IIRC, and I probably don't, but doesn't Cloudflare do distributed DNS on their own? So a DDoS attack against their DNS infrastructure would be ineffective.
-
@dafyre said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
@coliver said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
That's not a viable DDoS vector as you just move.
I don't understand how this was such a big outage. DNS is designed to be resilient because of its simplicity. Why companies are still only using a single DNS provider is beyond me.
I only use a single DNS provider. I use Cloudflare. I did buy my domain name from someone else though.. so moving it like scott said would be typically pretty fast if Cloudflare was under attack.
No different than your EHR moving from Dyn to CloudFlare. Would take like five minutes, literally.
But then it takes hours for those changes to propogate worldwide, doesn't it? Generally I've seen minutes, but it's usually half an hour at best, and I've seen it take as long as 48 hours at worst.
Depends on the TTL.
-
@dafyre said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
@coliver said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
That's not a viable DDoS vector as you just move.
I don't understand how this was such a big outage. DNS is designed to be resilient because of its simplicity. Why companies are still only using a single DNS provider is beyond me.
I only use a single DNS provider. I use Cloudflare. I did buy my domain name from someone else though.. so moving it like scott said would be typically pretty fast if Cloudflare was under attack.
No different than your EHR moving from Dyn to CloudFlare. Would take like five minutes, literally.
But then it takes hours for those changes to propogate worldwide, doesn't it? Generally I've seen minutes, but it's usually half an hour at best, and I've seen it take as long as 48 hours at worst.
Just a few minutes, generally. At least for most of the world. So you'd solve the 90% within ten minutes, 99% within the hour.
-
@coliver said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
Ah, the cacheing failed from there? But they could move to another provider in, like, five minutes. Faster than the TTL on the records. That's not a viable DDoS vector as you just move.
Not if they buy their domain name from Dyn also.
You can purchase domain names from whomever it doesn't stop you from doing DNS from a different vendor or internally.
I understand that, but IF they did, and Dyn was inaccessible, then the EHR provider would not be able to change it until either the attack was mitigated/over or the EHR vendor got someone one the phone at Dyn - but I'm not sure that would even matter... wouldn't the root hints still have to talk to Dyn to get the SOA for the EHR vendor? or is the SOA stored in the root hints, I'm fuzzy on that part.
-
@scottalanmiller said in IoT devices Used in DDoS Attacks:
@coliver said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
Ah, the cacheing failed from there? But they could move to another provider in, like, five minutes. Faster than the TTL on the records. That's not a viable DDoS vector as you just move.
Not if they buy their domain name from Dyn also.
You can purchase domain names from whomever it doesn't stop you from doing DNS from a different vendor or internally.
And it is insanely recommended that you never buy the domain from one and get DNS from the same one. Those two should never overlap. That's how you lose control of your systems.
Personally, I had never heard that until I saw your postings on SW. So while I understand this to be true now, I'm not sure where new IT persons would learn about it short of reading a post somewhere online. I suppose it could have been taught at ITT
-
@dafyre said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
@coliver said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
That's not a viable DDoS vector as you just move.
I don't understand how this was such a big outage. DNS is designed to be resilient because of its simplicity. Why companies are still only using a single DNS provider is beyond me.
I only use a single DNS provider. I use Cloudflare. I did buy my domain name from someone else though.. so moving it like scott said would be typically pretty fast if Cloudflare was under attack.
No different than your EHR moving from Dyn to CloudFlare. Would take like five minutes, literally.
But then it takes hours for those changes to propogate worldwide, doesn't it? Generally I've seen minutes, but it's usually half an hour at best, and I've seen it take as long as 48 hours at worst.
Yeah, if you know of a move ahead of time, you can change the TTL to say, 15 minutes, and really speed that up. Doesn't help with something hitting you out of the blue tho.
-
@Dashrender said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
@coliver said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
Ah, the cacheing failed from there? But they could move to another provider in, like, five minutes. Faster than the TTL on the records. That's not a viable DDoS vector as you just move.
Not if they buy their domain name from Dyn also.
You can purchase domain names from whomever it doesn't stop you from doing DNS from a different vendor or internally.
And it is insanely recommended that you never buy the domain from one and get DNS from the same one. Those two should never overlap. That's how you lose control of your systems.
Personally, I had never heard that until I saw your postings on SW. So while I understand this to be true now, I'm not sure where new IT persons would learn about it short of reading a post somewhere online. I suppose it could have been taught at ITT
I hear University of Pheonix has you covered
-
@coliver said in IoT devices Used in DDoS Attacks:
@Dashrender said in IoT devices Used in DDoS Attacks:
@coliver said in IoT devices Used in DDoS Attacks:
@scottalanmiller said in IoT devices Used in DDoS Attacks:
That's not a viable DDoS vector as you just move.
I don't understand how this was such a big outage. DNS is designed to be resilient because of its simplicity. Why companies are still only using a single DNS provider is beyond me.
I only use a single DNS provider. I use Cloudflare. I did buy my domain name from someone else though.. so moving it like scott said would be typically pretty fast if Cloudflare was under attack.
IIRC, and I probably don't, but doesn't Cloudflare do distributed DNS on their own? So a DDoS attack against their DNS infrastructure would be ineffective.
I don't follow. The SOA still has to be on the listed IPs. If all of the listed IPs are being attacked at once, you can't get away from it.
In the case of Dyn, I would assume either A) all of the IPs are behind a singular pipe (horrible design) or there was only one.