Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

DynDNS is currently being DDoS’d – May affect your site

This entry was posted in General Security, WordPress Security on October 21, 2016 by Mark Maunder   19 Replies

[1:28pm Pacific / 4:28pm Eastern Update: According to Time Magazine Deputy Tech Editor Alex Fitzpatrick, a third DDoS attack against Dyn is now underway, reported 7 minutes ago. According to Alex, Dyn have also confirmed that the Mirai botnet is responsible “in part” for today’s DDoS attacks.]

[Updated again 1:07pm with mainstream coverage including Time saying DHS is investigating. Also that WordCamp ticket sales were affected.]

[This post updated at 12:18pm Pacific time with a few additional ways in which WP publishers may be affected] 

 

DNS provider Dyn (formerly DynDNS, at dyn.com) is currently the target of a very aggressive DDoS attack. If Dyn is the authoritative DNS for your domain you have probably experienced outages today: resolvers that cannot reach Dyn’s nameservers cannot turn your hostname into an IP address, so visitors see DNS errors even though your web server itself is up.

You can get status updates from Dyn themselves on their status page (dynstatus.com) and on Twitter.

This attack affects any website or online service that uses Dyn as its authoritative DNS provider. So far it has affected:

  • Paypal
  • Netflix
  • WordCamp ticket sales (affected earlier today, according to the WP Slack #community-team channel)
  • Github
  • Twitter
  • Etsy
  • Soundcloud
  • Spotify
  • Amazon
  • Heroku
  • Shopify
  • PagerDuty
  • ZenDesk
  • Braintree
  • Fastly
  • Cloudflare

And many other large well known brands.

This attack may affect your website’s shopping cart checkout if you use a service provider who has been affected by the attack. It may also affect other features or services you provide to customers that depend on reaching a site affected by the attack. [Updated at 12:18pm Pacific Time] These may include:

  • External assets like fonts, style-sheets, JavaScript (such as jQuery), images or any other page component you load from an outside server. If that server’s DNS fails, the asset never loads and the page may stall while the browser waits on it; a blocking script in the page head is the worst case. The fix is to copy the asset onto your own server and reference it locally, which also removes a third party from the set of hosts your page has to trust. If you must keep loading something remotely, at least load it asynchronously so a failure does not block rendering.
  • Social media integration. Twitter was unavailable earlier today, and if its API becomes unreachable it may slow or break certain pages and affect users’ ability to share posts.
  • Backups. If your backups are copied off-server to an external domain, check that the domain is still resolving; otherwise the copy will fail, possibly silently, so verify that the backup actually landed rather than assuming it did.
  • Checkout. Already mentioned, but if your payment processor goes offline, every transaction on your site will stall and certain pages may become inaccessible. PayPal was affected by this but appears to be back.
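One way to find out which of your page’s third-party dependencies sit behind the affected provider, as an added example (this is not code from the original post or from Wordfence): the script below pulls the external hosts out of a page’s HTML, walks each name up to its zone apex to find the authoritative nameservers, and flags any zone delegated to a nameserver under dynect.net (the nameserver domain Dyn’s managed DNS uses; treat that suffix as an assumption and confirm it against the provider’s documentation). The sample HTML and the nameserver table are constructed so the script runs offline; the `ns_lookup` callback is the hook where a real NS query would go.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Nameserver suffix used by Dyn's managed DNS (dynect.net). An assumption for
# this example: confirm it against the provider's own documentation before relying on it.
PROVIDER_NS_SUFFIXES = ("dynect.net",)


class AssetCollector(HTMLParser):
    """Collect URLs of page components a browser fetches while rendering the page."""

    ASSET_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = self.ASSET_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # <link> also carries canonical/alternate links; only stylesheets are fetched.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        if attrs.get(attr_name):
            self.urls.append(attrs[attr_name])


def external_hosts(html, own_host):
    """Return the set of third-party hostnames the page loads components from."""
    collector = AssetCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        if url.startswith("//"):          # protocol-relative URL, e.g. //cdn.example/x.js
            url = "https:" + url
        host = urlparse(url).hostname     # None for relative paths like /wp-includes/...
        if host and host.lower() != own_host.lower():
            hosts.add(host.lower())
    return hosts


def zone_nameservers(host, ns_lookup):
    """Walk up the name until an NS set is found, i.e. locate the zone apex.

    ns_lookup(name) returns the zone's nameserver names, or None if the name has
    no NS records of its own because it lives inside a parent zone.
    """
    labels = host.rstrip(".").split(".")
    for i in range(len(labels) - 1):      # stop before the bare TLD
        candidate = ".".join(labels[i:])
        servers = ns_lookup(candidate)
        if servers:
            return candidate, sorted(s.rstrip(".").lower() for s in servers)
    return None, []


def audit_dependencies(html, own_host, ns_lookup, ns_suffixes=PROVIDER_NS_SUFFIXES):
    """Map each third-party host to ('at-risk'|'ok'|'unknown', zone apex, nameservers)."""
    report = {}
    for host in sorted(external_hosts(html, own_host)):
        zone, servers = zone_nameservers(host, ns_lookup)
        if not servers:
            report[host] = ("unknown", zone, servers)
            continue
        exposed = any(s.endswith(sfx) for s in servers for sfx in ns_suffixes)
        report[host] = ("at-risk" if exposed else "ok", zone, servers)
    return report


# Constructed sample page and a constructed NS table standing in for a live resolver.
# For real lookups, plug in a function that issues an NS query (dnspython's
# dns.resolver.resolve(name, "NS") is one option) and returns None when there is no answer.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.example-fonts.com/css?family=Lato">
<link rel="canonical" href="https://partner.example.org/">
<script src="//cdn.example-cdn.net/jquery.min.js"></script>
<script src="/wp-includes/js/local.js"></script>
</head><body>
<img src="https://shop.example.com/logo.png">
<iframe src="https://checkout.example-pay.com/widget"></iframe>
</body></html>
"""

FAKE_NS = {
    "example-cdn.net": ["ns1.p01.dynect.net.", "ns2.p01.dynect.net."],
    "example-fonts.com": ["ns-a.example-fonts.com.", "ns-b.example-fonts.com."],
    "example-pay.com": ["ns3.p02.dynect.net.", "ns1.p02.dynect.net."],
}


def fake_ns_lookup(name):
    return FAKE_NS.get(name)


if __name__ == "__main__":
    report = audit_dependencies(SAMPLE_HTML, "shop.example.com", fake_ns_lookup)
    for host, (status, zone, servers) in report.items():
        print(f"{status:8} {host:26} zone={zone} ns={servers}")
```

Hosts reported as at-risk are the ones to copy locally or load asynchronously; an unknown result means the walk-up found no NS set, which with a real resolver usually points at a lookup failure worth investigating on its own.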

If you are affected by this attack, you should consider adding another DNS provider as secondary DNS for your zone, or temporarily moving all DNS to another provider. This appears to be what Amazon has done to mitigate the attack. Before you point your domain at the new provider’s nameservers you need to duplicate your DNS configuration on it exactly (every record and TTL, not just the A record for the website), and that may take some time. Once you change the NS records at your registrar, the change reaches resolvers as the old delegation’s TTLs expire, commonly quoted as up to 48 hours, by which time this may all be over. Note that a second provider only helps if its nameservers are listed in your delegation alongside the first provider’s and both serve an identical zone.
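Checking that the replica zone really matches before you change the delegation, as an added example that is not part of the original post: most providers can export the zone as a BIND master file, so the script below parses a simplified subset of that format and diffs the two exports, ignoring the SOA (serials differ) and the apex NS set (it differs by design) so that only records you actually have to fix are reported. The two zone files are constructed samples; `example.com` and the nameserver names are placeholders.

```python
RECORD_TYPES = {"A", "AAAA", "CNAME", "MX", "TXT", "NS", "SOA", "SRV", "CAA", "PTR"}
NAME_TARGET_TYPES = {"CNAME", "NS", "MX", "PTR", "SRV"}  # last rdata token is a name


def _qualify(name, origin):
    """Make a relative owner/target name absolute ('@' means the origin)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin, default_ttl=3600):
    """Parse a simplified BIND master file into a set of (owner, type, rdata, ttl).

    Handles $ORIGIN, $TTL, ';' comments, '@', relative and omitted owner names,
    optional TTL/class fields and parenthesised records; no ';' inside TXT data."""
    origin = origin.rstrip(".").lower() + "."
    records, last_owner = set(), origin
    logical, buf, depth = [], [], 0  # join "( ... )" records into one logical line
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            logical.append(" ".join(buf))
            buf, depth = [], 0
    for line in logical:
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = _qualify(tokens[1].lower(), origin)
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if line[0].isspace():  # no owner field: the previous owner applies
            owner = last_owner
        else:
            owner = last_owner = _qualify(tokens.pop(0).lower(), origin)
        ttl = default_ttl
        while tokens and tokens[0].upper() not in RECORD_TYPES:
            tok = tokens.pop(0)  # optional TTL and/or class before the type
            if tok.isdigit():
                ttl = int(tok)
            elif tok.upper() != "IN":
                raise ValueError(f"unsupported token {tok!r} in {line.strip()!r}")
        if not tokens:
            raise ValueError(f"record without a type: {line.strip()!r}")
        rtype = tokens.pop(0).upper()
        if rtype in NAME_TARGET_TYPES:
            tokens[-1] = _qualify(tokens[-1].lower(), origin)
        records.add((owner, rtype, " ".join(tokens), ttl))
    return records


def compare_zones(primary, replica, origin, ignore_types=("SOA",)):
    """Diff two parsed zones. SOA (serials differ per provider) and the apex NS set
    (it differs by design) are ignored. Returns (missing, extra, ttl_mismatches)."""
    apex = origin.rstrip(".").lower() + "."

    def keyed(records):
        return {(o, t, d): ttl for o, t, d, ttl in records
                if t not in ignore_types and not (t == "NS" and o == apex)}

    p, r = keyed(primary), keyed(replica)
    missing, extra = sorted(set(p) - set(r)), sorted(set(r) - set(p))
    ttl_mismatches = sorted((k, p[k], r[k]) for k in set(p) & set(r) if p[k] != r[k])
    return missing, extra, ttl_mismatches


# Constructed exports: current provider's zone, and a replica with one record missing, one extra, one wrong TTL.
PRIMARY_ZONE = """
$ORIGIN example.com.
$TTL 3600
@       IN SOA  ns1.p01.dynect.net. hostmaster.example.com. (
                2016102101 ; serial
                3600 900 1209600 300 )
@       IN NS   ns1.p01.dynect.net.
@       IN A    203.0.113.10
www     IN CNAME @
@   300 IN MX   10 mail
mail    IN A    203.0.113.25
        IN AAAA 2001:db8::25
shop    IN A    203.0.113.11
"""

REPLICA_ZONE = """
$ORIGIN example.com.
@                 IN SOA   ns-100.newdns.example. hostmaster.example.com. 1 7200 900 1209600 300
@                 IN NS    ns-100.newdns.example.
@                 IN A     203.0.113.10
www.example.com.  IN CNAME example.com.
@                 IN MX    10 mail.example.com.
mail              IN A     203.0.113.25
mail              IN AAAA  2001:db8::25
ftp               IN A     203.0.113.12
"""

if __name__ == "__main__":
    zones = (parse_zone(PRIMARY_ZONE, "example.com"), parse_zone(REPLICA_ZONE, "example.com"))
    print(*compare_zones(*zones, "example.com"), sep="\n")
```

Relative names, `@` and inherited owners are normalised to absolute names before comparison, so the same record written two different ways by two providers compares equal; only a genuinely missing record, an unexpected extra one, or a TTL that drifted shows up. Run the check again after any later edit at either provider, because two authoritative sources that drift apart give clients inconsistent answers depending on which nameserver they happen to hit.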

According to Dyn’s technical updates, the attack is aimed at Dyn’s own infrastructure, and they are working continuously to mitigate it. You can watch BGP routes change as Dyn tries to mitigate the attack.

Three weeks ago the source code for Mirai, the malware behind a very large (greater than 1 million devices) Internet of Things botnet, was released to the general public. According to Brian Krebs this “virtually guarantees that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices”. Today’s large-scale attack may be related to the Mirai source code release.

DownDetector is showing that many major brands are having trouble today.

Updates: 

Bloomberg has a theory that this may be a retaliatory attack against DynDNS.

Threatpost is reporting that the number of Mirai-infected devices has doubled since the source code release.

Gizmodo is reporting this as the beginning of a bleak future.

And one of my favorite reads this week related to this story: Bruce Schneier’s theory that attacks like this are a nation state probing to assess defensive capability.

This has now hit mainstream news in USA Today and many other publications, and Time Magazine is reporting that the Department of Homeland Security is investigating.


19 Comments on "DynDNS is currently being DDoS’d – May affect your site"

Gregory October 21, 2016 at 11:36 am • Reply

Correction: It is Brian Krebs not Brian Krebbs.

mark October 21, 2016 at 11:46 am • Reply

Thanks, corrected. I actually do know that, but my fingers got a bit ahead of themselves on the 'b' key. Krebs does awesome work and he of course was hit by a monster DDoS related to IoT recently. His recent post that goes deep on attributing DDoS attacks to people who may also have an interest in DDoS mitigation is excellent work.

Peter Berglund October 26, 2016 at 2:48 am • Reply

Correction: It is DOS not DDOS. It stands for "Disk Operating System".

Nah, just kidding ;)

Frank Okun October 21, 2016 at 11:45 am • Reply

Thanks for the email and blog post.... I've been spending most of my morning today resetting my router and modem, thinking that's why I haven't been able to access PayPal and some of the other sites mentioned. In doing a "Diagnose Your Network" I was prompted to check my DNS settings.

mark October 21, 2016 at 11:49 am • Reply

You're definitely not alone. The attack is ongoing. Update from a few minutes ago from Dyn: "Dyn Managed DNS advanced service monitoring is currently experiencing issues. Customers may notice incorrect probe alerts on their advanced DNS services. Our engineers continue to monitor and investigate the issue."

Brad October 21, 2016 at 5:11 pm • Reply

Mark, the other day you were comparing the front end protective nature of WordFence vs. the backend protective nature of CloudFlare's WAF firewall. That was a great blog article.

What I don't understand.... as big as Cloudflare is and as much as they brag about protecting you from a DDOS attack... why didn't they have a secondary DNS system set up (or at least a fast transfer process if they did)? I hear Cloudflare is one of the big companies that took a hit when DYN went down. I lost email for about 4 hours because my secondary hosting company uses DYN. My primary domain host apparently doesn't use them, or at least has an efficient DNS backup if they do, and didn't lose any site time. Hopefully this is a big wake up call for all these companies about what we're facing in the near future.
I read a great article by Bruce Schneier, after I read your blog.

Spencer Labadie October 21, 2016 at 11:56 am • Reply

Yeah, first thing I wake up to is a customer having problems checking out on our site slickremix.com, and of course we use paypal pro for credit cards and paypal standard. Thanks for the uptime updates link. Why the twitter link no work though lol jk.

Martin Houston October 21, 2016 at 12:14 pm • Reply

I had assumed DynDNS and services like it were just for people who wanted a DNS entry for a non-static IP like you get from an ISP, so you can get to your home PC when you are out and about, for example.

I suppose the popularity and importance has grown with the trend for basing sites on rented computer power "In The Cloud" and even the very big boys are doing this a lot.

No shame in only having a transient IP address then :) - will make all that IP address based spying/monitoring a bit pointless though. (GOOD).

In fact NOT being associated with specific IP addresses is really essential for both horizontal scaling and (ironically) resistance to DDOS.

Luis October 21, 2016 at 12:42 pm • Reply

Is Shopify being affected? I can't log in and the browser says something about DNS. But I can still access other sites like YouTube.

Luke Cavanagh October 21, 2016 at 12:48 pm • Reply

https://www.dynstatus.com/incidents/nlr4yrr162t8

John Teague October 21, 2016 at 1:24 pm • Reply

We use a fail safe system to roll immediately over to a secondary DNS. So far no clients have been impacted. Appears fastly is under attack, which is causing huge interruptions in supporting cdn.

sri October 21, 2016 at 6:15 pm • Reply

Thanks for the email and blog post..

AllanIt October 21, 2016 at 7:38 pm • Reply

This may be a bit of a naive question but

Why isn't there a way to report the offending IP addresses to their ISP and have the ISP turn off the IP address? Then the person who is assigned the IP address can contact their ISP to solve the problem, and if they have been hacked they have to fix the problem before they have their IP turned back on.

Sean October 22, 2016 at 1:19 am • Reply

I didn't notice anything in Belgium, even with Paypal. I was also working on my website which is hosted in South Africa, of all places. (Yes, there is internet in Africa ;-) This seems to be largely a USA based attack?

Rodger October 22, 2016 at 4:55 pm • Reply

yep, I agree with you Sean. Everything is fine down here in Lusaka, Zambia, Africa.
My Paypal is fine, my Craft online store is fine (https://rmi.one/cza), my PayGate is fine all, all my sites are fine.. This is truly a USA based attack..
Hope this gets resolved, and all the affected get back on track soon..

Thomas October 22, 2016 at 12:07 pm • Reply

Hello Sean, sorry to say that in Belgium (Overijse) early in the morning (between 7:00 and 7:30) in TWO different oil or gas stations, people were unable to process payment with online banking (I don’t quote the names). Nothing was online; for everything (from cheese to bananas) people could only pay with cash early in the morning... Once again everything was down. This was not reported by the payment companies concerned...
I work in the computer domain (Network admin)
It was not only a US based attack.
Sorry for my bad English

Thomas

Yvonne Finn October 22, 2016 at 1:23 pm • Reply

Thanks for always alerting and keeping us in the loop, and more importantly, giving us
actionable steps we can take to protect and mitigate against these cretins and their desire
to interrupt our personal and professional life.
I used some of those businesses such as PayPal and found nothing out of the ordinary.
Yvonne Finn

Activist25 October 23, 2016 at 2:34 pm • Reply

This is terrorism pure and simple. What is our government doing about it? Probably nothing of any importance other than to mumble about nation states.

I read some weird drive-by media article trying to explain how these DDOS attacks can make money. Idiots. It's not about money, it's about power, it's about the ability to rain ruin.

Ava October 23, 2016 at 2:42 pm • Reply

It's great that Wordfence made an attempt to inform its users. Appreciate it. Thanks
