The Dyn Attack — One Year Later

by Ron Winward

One year ago, a threat actor launched a DDoS attack that disrupted service of some of the internet’s biggest names. The Mirai botnet had enslaved hundreds of thousands of IoT devices and was used to attack several entities, including the managed Domain Name System (DNS) provider Dyn.

The attack on Dyn was an event that many referred to as a wakeup call for internet security.

Except the industry, by and large, never really woke up.

Think of DNS servers as the contact list on your mobile phone. If you couldn’t access that list, how many phone numbers would you actually remember? Because the attack hit DNS infrastructure, internet users were no longer able to connect to many of the websites and services they use every day. The attack disrupted the mapping between domain names and the IP addresses they belong to, essentially breaking a critical link in how we access information and content on the internet.

The Dyn attack exposed a vulnerability that is not new, but that few businesses had done anything to prevent. One year later, my new analysis demonstrates how a similar attack could occur.

One Year Later

One of the ways for website operators to protect themselves from this type of attack is to use more than one provider for DNS, providing a failover option for when a portion of the DNS system can’t do its job.

After the Dyn attack, you would expect that more companies would adopt the model of diverse DNS providers. One provider could be the primary, another could be secondary, and even more could be added for redundancy.

I was curious about how many companies had actually adopted this model. Using Alexa’s web-traffic rankings, I pulled a list of the top 100 U.S. websites. I fed this list into a small script that I wrote to give me all of the authoritative name servers for each domain in the list. The query is effectively the following in Linux:

$ dig @[recursive DNS server] [domain] NS +short

From here I could analyze the data on domains and their respective authoritative name servers. What I found was that 68 of the top 100 U.S. websites (or more than two thirds by Alexa’s rankings) still use only one DNS provider for their domain. In fact, several of the major companies directly affected by the Dyn attack still only use one provider.
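The provider-counting step described above, as an added example that is not the author's script: it parses per-domain `dig +short NS` output, approximates each name server's operator by its registrable domain, and flags domains whose authoritative servers all sit with one provider. The dig output and hostnames are constructed samples, and the two-label heuristic is an assumption (no public-suffix list, and white-label or vanity NS names can hide a single underlying provider, so real diversity can be overstated).

```python
# Added example, not the author's code: classify domains by DNS-provider diversity
# from `dig @resolver <domain> NS +short` output.
from collections import Counter

# Constructed sample output, one entry per domain; hostnames are illustrative.
SAMPLE_DIG_OUTPUT = {
    "single-provider.example": "ns1.dyn-like.example.\nns2.dyn-like.example.\n",
    "two-providers.example": "ns-10.dnsprovider-a.example.\nns1.dnsprovider-b.example.\n",
    "no-answer.example": "",  # NS query returned nothing (timeout, NXDOMAIN, etc.)
}


def parse_short_ns(output: str) -> list:
    """Turn `dig +short NS` output into lowercase NS hostnames without the trailing dot."""
    return [line.strip().rstrip(".").lower() for line in output.splitlines() if line.strip()]


def provider_of(ns_host: str, suffix_labels: int = 2) -> str:
    """Approximate the NS operator by its last two labels (assumed heuristic).
    Multi-part public suffixes such as co.uk, and vanity/white-label NS names
    that front a single provider, are not handled and can overstate diversity."""
    labels = ns_host.split(".")
    return ".".join(labels[-suffix_labels:])


def classify(dig_outputs: dict) -> dict:
    """Map each domain to the set of providers behind its authoritative servers."""
    return {domain: {provider_of(h) for h in parse_short_ns(out)}
            for domain, out in dig_outputs.items()}


def single_provider_domains(dig_outputs: dict) -> list:
    """Domains whose authoritative name servers all resolve to one provider."""
    return sorted(d for d, provs in classify(dig_outputs).items() if len(provs) == 1)


def provider_count_summary(dig_outputs: dict) -> dict:
    """Histogram of provider counts per domain; key 0 means no NS answer."""
    return dict(Counter(len(p) for p in classify(dig_outputs).values()))


if __name__ == "__main__":
    for domain, provs in classify(SAMPLE_DIG_OUTPUT).items():
        print(f"{domain}: {sorted(provs) or 'no answer'}")
    print("single-provider:", single_provider_domains(SAMPLE_DIG_OUTPUT))
    print("summary:", provider_count_summary(SAMPLE_DIG_OUTPUT))
```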

However, perhaps this isn’t as simple as it seems, so I wanted to dig in further.
