Dyn hit by massive DNS DDoS, Eastern U.S. bears brunt of attacks

In the latest high-profile DDoS incident, DNS provider Dyn, Inc., reported an ongoing attack that is impacting operations on the U.S. east coast, with many popular sites reported to be affected including Twitter, Reddit, Spotify, Github and the New York Times.

The DNS DDoS attack started early on Friday morning, though Dyn reported that normal services had been restored by 13:20 UTC (9:20 am EDT), with another DDoS attack detected approximately two and a half hours after that.

Dyn's initial incident report read: "Starting at 11:10 UTC on October 21st-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available." An hour after the second attack was detected, Dyn updated its incident report to state "This DDoS attack is may also be impacting Dyn Managed DNS advanced services with possible delays in monitoring."

Reaction to the initial attack was swift, although an hour after the second attack started Dyn reported it was responding to "several" simultaneous attacks.

Further conversation about the attack continued on Twitter, though in the hours following the start of the second wave some of the conversation was hampered by the ongoing attack.

"What causes me to pause and reflect most in regards to this breaking news is that Dyn DNS is a DNS SaaS provider. Its core job is to host and manage DNS services for its clients," Paul Calatayud, CTO of FireMon told SearchSecurity by email. "The impact and harm has a ripple effect attributed to the various clients Dyn services. As attackers evaluate their targets, and organizations run to the proverbial cloud for various reasons, it introduces interesting targets for the bad guys."

It's unclear who or what is behind the DNS DDoS attack on Dyn, though the incident follows similar attacks recently that leveraged compromised IoT devices. Jason Dixon, vice president for product strategy at New York City based open source monitoring company Raintank, blamed IoT botnets for the outage:

Hope you all enjoyed peak Internet while it lasted. The rise of IoT botnets mean we’re going to see a lot more attacks like these.

— Jason Dixon (@obfuscurity) October 21, 2016

Last month Bruce Schneier wrote about unknown threat actors who have been "probing the defenses of the companies that run critical pieces of the Internet," published on the Lawfare blog, which in turn suggested that this morning's attack may be linked:

Amidst the reported DDOS attack on DNS servers, take a look at Bruce Schneier's piece on "taking down the internet": https://t.co/oLcVTVbNZ3

— Lawfare (@lawfareblog) October 21, 2016

Software engineer and tech blogger Ben Dickson also blamed IoT botnets, tweeting:

I'd warned about the imminent threat of #IoT botnets staging DDoS attacks months ago https://t.co/BaVYCSMoPU #cybersecurity

— Ben Dickson (@bendee983) October 21, 2016

And Jeremiah Grossman, chief of security strategy at SentinelOne, suggested that the emergence of the Mirai botnet was a preview of things to come:

While reviewing reports of a DDoS attack on @Dyn, it occurs to me the Mirai [IoT] botnet could easily be just a canary in the coal mine.

— Jeremiah Grossman (@jeremiahg) October 21, 2016