
DNS DDoS attack shuts down Library of Congress websites for three days

A DNS DDoS attack hit the Library of Congress, disrupting various Library services and websites for three days before IT staff was able to restore normal functionality.

The Library of Congress has fully recovered following a DNS DDoS attack lasting three days. The Library said the attack began on July 17, with Library websites experiencing difficulty before going offline on July 18.

Over the course of three days, Library services and websites were disrupted, including Congress.gov, the U.S. Copyright Office, the Braille and Audio Reading Download service from the National Library Service for the Blind and Physically Handicapped, Library databases, and both incoming and outgoing email.

According to Bernard A. Barton Jr., CIO of the Library of Congress, it "was a massive and sophisticated DNS [domain name system] assault, employing multiple forms of attack, adapting and changing on the fly."

"We've turned over key evidence to the appropriate authorities who will investigate and hopefully bring the instigators of this assault to justice," Barton wrote in a blog post. "We're satisfied that we've fended off the attack and fortified our system for now, but we'll continue to be vigilant and employ state-of-the-art security systems to effectively respond to these types of incidents in the future. This is not the first time that a large agency or organization has been targeted with this kind of denial of service, and it certainly won't be the last."

Peter Tran, general manager and senior director of RSA, the security division of EMC, said DNS-based attacks are serious threats.

"Taking down a domain name system on the web is like shutting down the air traffic control system in the air," Tran told SearchSecurity via email. "DNS is the heart and core of the World Wide Web and is used by attackers as a go-to tool to amplify at scale massive disruption in a DDoS [distributed denial-of-service] attack. DNS, by design and architecture, will redirect to backup servers to load balance requests and traffic conditions, but is also the perfect pathway for attackers to exploit by flooding the DNS, knowing the spillovers will create collisions and unrecoverable chaos across billions of web requests."

Scott Hilton, executive vice president of products at Dyn, the cloud-based internet performance management firm headquartered in Manchester, N.H., noted the dangers of a DNS DDoS attack are significant for enterprises and federal agencies alike.

"For a government agency, a website outage directly affects the ability of employees to provide critical services and for the tax-paying public to access critical services from the agency," Hilton told SearchSecurity via email. "In the case of the Library of Congress, this includes critical public policy research, government disclosure laws and regulations, and the enjoyment of the general public of this important resource. In addition, DDoS attacks are often used to cover for more directed attacks at specific resources to get access to critical information."

As yet, there is no evidence the attack on the Library of Congress was used to disguise a more directed attack.

According to Chris Pogue, CISO at Nuix, based in Herndon, Va., DDoS attacks have been around for close to 20 years, but the best defenses to emerge so far require the use of purpose-built hardware.

"The reason for this is that legitimate traffic is practically indistinguishable from the malicious traffic, making the pattern-matching used in most threat identification technologies extremely difficult," Pogue told SearchSecurity. "The attackers throw either packets in such great quantity or intentionally malformed packets at the target that the available computing resources are completely overwhelmed, thereby causing the resource exhaustion. Recovery from such an attack would require it to cease by the attackers relenting, by the target no longer being present or by a DDoS filtering appliance being deployed."

Hilton noted that while this appeared to be "a concerted, sophisticated and sustained attack that would challenge any enterprise," he thinks the Library should have been able to recover faster than three days.


"The Library of Congress' employees, customers and constituents should expect that these services should be resilient and able to tolerate no or limited downtime," Hilton said. "I don't think that a financial service company, e-commerce company or a web-based content company could tolerate that long an outage."

"A 72-hour total disruption would fall under more extreme conditions," Tran said.

"Restoring IT services faster as a result of a DDoS attack is dependent on effective planning, preparation, and continuous monitoring and testing for varying extremes to redirect to redundant systems," Tran said. "If the design, architecture, planning and testing [are] off or nonexistent and your networks start 'taking on water,' there are only so many sandbags that can be stacked before damage is done, and cleanup and rebuilding is the only option."

Experts recommended a number of services that could have helped the Library prevent or recover from the DNS DDoS attack faster, including cloud-based DDoS protection services, purpose-built hardware and adding a secondary DNS provider to back up the in-house DNS servers used by the Library.
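As an added illustration of the secondary-DNS recommendation above (example code written for this edit, not from the article or from any organization it names), the following Python script assesses whether a zone's delegation has enough nameservers, more than one operator and more than one network; the nameserver names, addresses and operator labels are constructed placeholders.

```python
"""Check an authoritative DNS delegation for the redundancy the experts
recommend: a secondary provider backing the in-house servers.

Added example; the zone data below is constructed, not the Library's.
In practice the mapping would come from NS/A lookups plus an
IP-to-operator (or ASN) mapping."""
import ipaddress
from collections import Counter

# Constructed delegations: NS hostname -> (address, operator label).
IN_HOUSE_ONLY = {
    "ns1.example.gov": ("192.0.2.10", "example-gov"),
    "ns2.example.gov": ("192.0.2.11", "example-gov"),
}
WITH_SECONDARY = {
    "ns1.example.gov": ("192.0.2.10", "example-gov"),
    "ns2.example.gov": ("192.0.2.11", "example-gov"),
    "a.ns.provider.example": ("198.51.100.5", "provider-a"),
    "b.ns.provider.example": ("203.0.113.5", "provider-a"),
}


def _network_of(ip):
    """Group addresses by /24 (IPv4) or /48 (IPv6) to spot shared networks."""
    addr = ipaddress.ip_address(ip)
    plen = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def assess_delegation(nameservers, min_servers=3):
    """Return a list of findings; an empty list means the delegation is
    spread across enough servers, more than one operator and more than
    one network, so a flood against one of them leaves the others up."""
    findings = []
    if len(nameservers) < min_servers:
        findings.append(f"only {len(nameservers)} nameservers (want >= {min_servers})")
    operators = Counter(op for _, op in nameservers.values())
    if len(operators) < 2:
        findings.append("single operator: " + ", ".join(operators))
    networks = {_network_of(ip) for ip, _ in nameservers.values()}
    if len(networks) < 2:
        findings.append("all nameservers in one network: " + ", ".join(map(str, networks)))
    return findings


if __name__ == "__main__":
    for label, ns in (("in-house only", IN_HOUSE_ONLY), ("with secondary", WITH_SECONDARY)):
        print(label, "->", assess_delegation(ns) or ["ok"])
```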

Pogue suggested enterprises should find services before a problem arises.

"Any organization fearing this sort of attack -- which should pretty much be all of them -- should look into prevention and response strategies now, before it becomes an issue," Pogue said. "Waiting until attacks become an issue before an organization plans a response strategy is what is technically referred to as a really bad idea."


Join the conversation

3 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What protections does your enterprise have against DNS DDoS attacks?
Cancel
This target, a huge well known target that believed they were mitigated, is a perfect case study for what NimbusDDOS can do for any company. We have an industry first pen-testing analog for the DDoS space. We evaluate a company's IT infrastructure as an attacker would, discovering areas that the mitigation is not protecting like in this scenario. We then enumerate these risk areas via threat matrix, rated for potential effect and effort to create the attack.

If you think you're mitigated but haven't had us investigate as an attacker, looking for the areas we would use to take you down if we were genuinely trying to do so, you might have a hole like this that will knock you off-line for 3 days or more...

Then follow that up with testing (in a controlled setting) so you KNOW whether you have danger areas or not. A lot of cyber security is guessing until you test. Bring knowledge to your company, don't rely on guesswork.

Some may just be testing their security out. I have read articles stating the government uses the same technology for a lot of their departments. If they can hack this low priority target their next step may be elsewhere and exploit the same flaw.