The Library of Congress has fully recovered following a DNS DDoS attack lasting three days. The Library said the attack began on July 17, with Library websites experiencing difficulty before going offline on July 18.
Over the course of three days, Library services and websites were disrupted, including Congress.gov, the U.S. Copyright Office, the Braille and Audio Reading Download service from the National Library Service for the Blind and Physically Handicapped, Library databases, and both incoming and outgoing email.
According to Bernard A. Barton Jr., CIO of the Library of Congress, it "was a massive and sophisticated DNS [domain name system] assault, employing multiple forms of attack, adapting and changing on the fly."
"We've turned over key evidence to the appropriate authorities who will investigate and hopefully bring the instigators of this assault to justice," Barton wrote in a blog post. "We're satisfied that we've fended off the attack and fortified our system for now, but we'll continue to be vigilant and employ state-of-the-art security systems to effectively respond to these types of incidents in the future. This is not the first time that a large agency or organization has been targeted with this kind of denial of service, and it certainly won't be the last."
Peter Tran, general manager and senior director of RSA, the security division of EMC, said DNS-based attacks are serious threats.
"Taking down a domain name system on the web is like shutting down the air traffic control system in the air," Tran told SearchSecurity via email. "DNS is the heart and core of the World Wide Web and is used by attackers as a go-to tool to amplify at scale massive disruption in a DDoS [distributed denial-of-service] attack. DNS, by design and architecture, will redirect to backup servers to load balance requests and traffic conditions, but is also the perfect pathway for attackers to exploit by flooding the DNS, knowing the spillovers will create collisions and unrecoverable chaos across billions of web requests."
Scott Hilton, executive vice president of products at Dyn, the cloud-based internet performance management firm headquartered in Manchester, N.H., noted the dangers of a DNS DDoS attack are significant for enterprises and federal agencies alike.
"For a government agency, a website outage directly affects the ability of employees to provide critical services and for the tax-paying public to access critical services from the agency," Hilton told SearchSecurity via email. "In the case of the Library of Congress, this includes critical public policy research, government disclosure laws and regulations, and the enjoyment of the general public of this important resource. In addition, DDoS attacks are often used to cover for more directed attacks at specific resources to get access to critical information."
As yet, there is no evidence the attack on the Library of Congress was used to disguise a more directed attack.
According to Chris Pogue, CISO at Nuix, based in Herndon, Va., DDoS attacks have been around for close to 20 years, but the best defenses to emerge so far require the use of purpose-built hardware.
"The reason for this is that legitimate traffic is practically indistinguishable from the malicious traffic, making the pattern-matching used in most threat identification technologies extremely difficult," Pogue told SearchSecurity. "The attackers throw either packets in such great quantity or intentionally malformed packets at the target that the available computing resources are completely overwhelmed, thereby causing the resource exhaustion. Recovery from such an attack would require it to cease by the attackers relenting, by the target no longer being present or by a DDoS filtering appliance being deployed."
Hilton noted that, while this appeared to be "a concerted, sophisticated and sustained attack that would challenge any enterprise," he thinks the Library should have been able to recover in less than three days.
"The Library of Congress' employees, customers and constituents should expect that these services should be resilient and able to tolerate no or limited downtime," Hilton said. "I don't think that a financial service company, e-commerce company or a web-based content company could tolerate that long an outage."
"A 72-hour total disruption would fall under more extreme conditions," Tran said.
"Restoring IT services faster as a result of a DDoS attack is dependent on effective planning, preparation, and continuous monitoring and testing for varying extremes to redirect to redundant systems," Tran said. "If the design, architecture, planning and testing [are] off or nonexistent and your networks start 'taking on water,' there are only so many sandbags that can be stacked before damage is done, and cleanup and rebuilding is the only option."
Experts recommended a number of services that could have helped the Library prevent or recover from the DNS DDoS attack faster, including cloud-based DDoS protection services, purpose-built hardware and adding a secondary DNS provider to back up the in-house DNS servers used by the Library.
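The secondary-provider recommendation above is easy to state and easy to get wrong: a zone whose authoritative servers all sit with one operator, or all inside one network prefix, has no independent path to fall back on when that operator is flooded. The following script is an added example written for this article, not code from the Library of Congress or from any of the vendors quoted; it takes a zone's NS hostnames and their addresses (constructed sample data using RFC 5737 documentation ranges, with hypothetical hostnames under example.gov and dnsprovider.example) and reports whether the delegation spans more than one provider and more than one network prefix. It assumes, as a simplification, that the provider can be identified by the last two labels of the NS hostname; a production check would use the public suffix list and would pull the live NS set from the parent zone with a resolver rather than from an inline dictionary.

```python
"""Check whether a zone's DNS delegation survives the loss of one provider.

Added example for this article; the hostnames and addresses below are constructed
(RFC 5737 documentation ranges), not the Library of Congress's real delegation.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List


def provider_of(ns_host: str) -> str:
    """Identify the operator of a nameserver by the registrable part of its hostname.

    Simplification: the last two labels are treated as the registrable domain.
    A production check would consult the public suffix list instead.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def prefix_of(addr: str) -> str:
    """Collapse an address to the prefix (/24 for IPv4, /48 for IPv6) it lives in,
    so servers on one LAN or one provider block count as a single failure domain."""
    ip = ip_address(addr)
    bits = 24 if ip.version == 4 else 48
    return str(ip_network(f"{ip}/{bits}", strict=False))


def assess_delegation(nameservers: Dict[str, List[str]],
                      min_providers: int = 2,
                      min_prefixes: int = 2) -> dict:
    """Report provider and network diversity of a delegation and flag single points of failure.

    nameservers maps each NS hostname to the addresses it resolves to (its glue or A/AAAA records).
    """
    providers = defaultdict(list)
    prefixes = set()
    for host, addrs in nameservers.items():
        providers[provider_of(host)].append(host)
        for addr in addrs:
            prefixes.add(prefix_of(addr))

    findings = []
    if len(nameservers) < 2:
        findings.append("fewer than two authoritative servers delegated")
    if len(providers) < min_providers:
        findings.append("all authoritative servers belong to one provider: "
                        + ", ".join(sorted(providers)))
    if len(prefixes) < min_prefixes:
        findings.append("all server addresses share one network prefix: "
                        + ", ".join(sorted(prefixes)))

    return {
        "nameservers": len(nameservers),
        "providers": dict(providers),
        "prefixes": sorted(prefixes),
        "findings": findings,
        "resilient": not findings,
    }


# Constructed sample delegations (hypothetical names, documentation address ranges).
# In-house only: two servers, one operator, one /24.
SINGLE_PROVIDER = {
    "ns1.example.gov.": ["192.0.2.10"],
    "ns2.example.gov.": ["192.0.2.11"],
}

# In-house servers plus a secondary provider on separate networks.
DUAL_PROVIDER = {
    "ns1.example.gov.": ["192.0.2.10"],
    "ns2.example.gov.": ["192.0.2.11"],
    "ns1.dnsprovider.example.": ["198.51.100.53"],
    "ns2.dnsprovider.example.": ["203.0.113.53"],
}


if __name__ == "__main__":
    for label, zone in (("in-house only", SINGLE_PROVIDER), ("with secondary", DUAL_PROVIDER)):
        report = assess_delegation(zone)
        status = "OK" if report["resilient"] else "AT RISK"
        print(f"{label}: {status}; providers={list(report['providers'])}, prefixes={report['prefixes']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

Run against the in-house-only set it reports a single provider and a single /24, which is the situation a secondary provider fixes; the dual-provider set passes both checks. The prefix test is deliberate: two "providers" whose servers sit in the same hosting block still fail together under a volumetric flood.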
Pogue suggested enterprises should line up such services before a problem arises.
"Any organization fearing this sort of attack -- which should pretty much be all of them -- should look into prevention and response strategies now, before it becomes an issue," Pogue said. "Waiting until attacks become an issue before an organization plans a response strategy is what is technically referred to as a really bad idea."