The DDOS attack on DYN & RRL ?

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Oct 31 14:25:08 UTC 2016


On 10/31/16 12:41, MURTARI, JOHN wrote:
> God only knows, the DDOS hackers are probably on this list....but I
> have to ask what protections DYN had in place before the attack
> occurred.  RRL has been promoted as some protection against these
> types of attacks.  If they had it in place, did it help or was the
> pure volume of traffic the real issue?

Having been burned by the DDoS I can tell you that 'RRL' functionality
was pretty much irrelevant in this case.  This was not using DNS servers
as traffic amplifiers (which is what RRL mitigates against).

This was using millions of insecure IoT devices -- frequently web cams
-- to generate a massive overkill-level traffic surge -- lots of DNS
lookups -- that simply overwhelmed Dyn's servers.  This despite the fact
that Dyn has a global anycast network with plenty of bandwidth, points
of presence all round the world and each POP contains a bunch of
top-of-the-line servers.

Surviving DDoS is all about having more capacity available than your
attackers can fill up[*].  These Mirai botnets have upped the ante by a
wide margin.  I suspect that the DDoS protection companies, the big DNS
service providers, the TLD and the root operators are quietly but
frantically working on plans to beef up their defenses...

	Cheers,

	Matthew

[*] Even by proxy: anti-DDoS companies essentially have network capacity
available for hire as well as some pretty fancy traffic filtering
techniques.
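
The distinction drawn in the message above, as an added example that is not part of the original post and is not BIND's RRL code: a simplified per-source-prefix response limiter run over constructed traffic. The function names, the limit of 5 responses per second per /24 and all sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def rate_limit(queries, responses_per_second=5, prefix_len=24):
    """Simplified model of response rate limiting (not BIND's code).

    queries: iterable of (second, source_ip) as seen by the server.
    Allows at most `responses_per_second` answers per source prefix in
    each one-second window. Returns (answered, dropped).
    """
    seen = defaultdict(int)
    answered = dropped = 0
    for second, src in queries:
        prefix = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        seen[(second, prefix)] += 1
        if seen[(second, prefix)] <= responses_per_second:
            answered += 1
        else:
            dropped += 1
    return answered, dropped

def amplification_sample(n=10_000):
    # Constructed: every query carries the same (spoofed) source address,
    # so all responses would be aimed at one victim.
    return [(0, "192.0.2.10")] * n

def direct_flood_sample(n=10_000):
    # Constructed: n distinct real senders, one query each, each in its
    # own /24 (addresses taken from 10.0.0.0/8 purely for illustration).
    base = int(ipaddress.ip_address("10.0.0.1"))
    return [(0, str(ipaddress.ip_address(base + i * 256))) for i in range(n)]

if __name__ == "__main__":
    print("amplification:", rate_limit(amplification_sample()))
    print("direct flood: ", rate_limit(direct_flood_sample()))
```

With one claimed source the limiter suppresses almost every response; with many distinct sources it drops nothing, so the server still has to receive and answer every query.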
