Author Topic: 10-21 Twitter under DDOS  (Read 289 times)

nkawtg

  • Guest
10-21 Twitter under DDOS
« on: October 21, 2016, 10:43:46 AM »
A distributed denial-of-service (DDoS) attack is underway against Dyn. This company services Twitter and Reddit among others.

Offline xxdabroxx

  • Survivalist Mentor
  • *****
  • Posts: 598
  • Karma: 28
  • Dave's not here.
Re: 10-21 Twitter under DDOS
« Reply #1 on: October 21, 2016, 10:50:43 AM »
At least it isn't the PlayStation Network this time, every time I do that I can't watch any of my internet video services. (I don't have cable/sat.) These attacks are really annoying though, I always figure it is some group of nerds with nothing better to do.

Offline DWSDVSE

  • Survivor
  • ***
  • Posts: 180
  • Karma: 7
  • V R S N S M V
Re: 10-21 Twitter under DDOS
« Reply #3 on: October 21, 2016, 12:05:21 PM »
Round two seems to be ongoing now too...woohoo

Offline Smurf Hunter

  • Survival Veteran
  • ********
  • Posts: 7172
  • Karma: 334
Re: 10-21 Twitter under DDOS
« Reply #4 on: October 21, 2016, 12:05:49 PM »
This has increased way in scope.  Corporate datacenters are offline all over.  We've got partners and suppliers that have lost connectivity.
So far our AWS availability zones are online, but others are not.

This is already in the hundreds of millions in losses.

nkawtg

  • Guest
Re: 10-21 Twitter under DDOS
« Reply #5 on: October 21, 2016, 12:08:55 PM »
It's a bad day for all those Twitter addicts...


nkawtg

  • Guest
Re: 10-21 Twitter under DDOS
« Reply #6 on: October 21, 2016, 12:09:38 PM »
Quote
This has increased way in scope.  Corporate datacenters are offline all over.  We've got partners and suppliers that have lost connectivity.
So far our AWS availability zones are online, but others are not.

This is already in the hundreds of millions in losses.

Yup, Carbonite is down too

Offline TheRetiredRancher

  • Survivalist Mentor
  • *****
  • Posts: 568
  • Karma: 25
  • New TSP Forum member
Re: 10-21 Twitter under DDOS
« Reply #7 on: October 21, 2016, 12:13:31 PM »
I understand that Amazon and CNBC were also down in the first round.  I have not heard who is affected in the 2nd round.

Offline Smurf Hunter

  • Survival Veteran
  • ********
  • Posts: 7172
  • Karma: 334
Re: 10-21 Twitter under DDOS
« Reply #8 on: October 21, 2016, 12:38:36 PM »
The A/B testing we use for our e-commerce stack is offline, as well as an insurance provider and one of our monitoring agents.

Offline Mr. Bill

  • Like a hot cocoa mojito
  • Administrator
  • Ultimate Survival Veteran
  • *******
  • Posts: 15347
  • Karma: 1878
  • Trained Attack Sheepdog/Troll hunter
Re: 10-21 Twitter under DDOS
« Reply #9 on: October 21, 2016, 12:40:57 PM »
Trying to educate myself about DNS, but everything I'm finding is either way too simplistic or way too nerdy.

Practical question: Is there any way for the average user to insulate themselves from a DNS outage?  I know that operating systems and browsers maintain DNS caches, but I don't know how to control them.  What I'd like is for my computer to automatically fall back to the last cached address, even if it has expired, whenever DNS takes too long to respond.

nkawtg

  • Guest
Re: 10-21 Twitter under DDOS
« Reply #10 on: October 21, 2016, 12:47:32 PM »
You could try assigning your IP Configuration to a public DNS such as Google: 8.8.8.8 and 8.8.4.4
However you would still have issues with sites that are under attack.

Offline archer

  • Administrator
  • Ultimate Survival Veteran
  • *******
  • Posts: 17126
  • Karma: 382
  • #ImissAmerica
    • Journey to Greener Pastures
Re: 10-21 Twitter under DDOS
« Reply #11 on: October 21, 2016, 12:56:26 PM »
Quote
Trying to educate myself about DNS, but everything I'm finding is either way too simplistic or way too nerdy.

Practical question: Is there any way for the average user to insulate themselves from a DNS outage?  I know that operating systems and browsers maintain DNS caches, but I don't know how to control them.  What I'd like is for my computer to automatically fall back to the last cached address, even if it has expired, whenever DNS takes too long to respond.

Use a large DNS provider like nkawtg suggested. But if someone does a DDOS on those, you are SOL.
Cache is very limited and not kept very long.
For more important sites, keep an up to date list of domain names -> IP addresses. Update this daily at least.

Offline Smurf Hunter

  • Survival Veteran
  • ********
  • Posts: 7172
  • Karma: 334
Re: 10-21 Twitter under DDOS
« Reply #12 on: October 21, 2016, 01:41:48 PM »
Quote
Trying to educate myself about DNS, but everything I'm finding is either way too simplistic or way too nerdy.

Practical question: Is there any way for the average user to insulate themselves from a DNS outage?  I know that operating systems and browsers maintain DNS caches, but I don't know how to control them.  What I'd like is for my computer to automatically fall back to the last cached address, even if it has expired, whenever DNS takes too long to respond.

This was more straightforward 10+ years ago.  Before virtual servers in "the cloud", you'd have a public domain name that would map to a public IP address(es).  That was generally one-to-one.

However, most modern, non-trivial websites that use HTTPS (secure socket layer) won't function properly when an IP address is used to visit the site.
So from a TCP/IP perspective, writing down all the IPs will work, but a dynamic website using HTTPS encryption might give you fits.

If you really are into nuts and bolts, I think I could get around this, but that assumes during a DNS attack, that the hosting providers have left everything untouched and aren't redirecting, etc.

I'll illustrate using amazon.com.  This site uses SSL.


If you looked up amazon.com using "nslookup"

Quote
Non-authoritative answer:
Name:    amazon.com
Addresses:  54.239.25.192
          54.239.25.208
          54.239.25.200
          54.239.17.6
          54.239.26.128
          54.239.17.7

If we simply put in the first IP address, it will do all the networking stuff as normal, but the HTTPS layer will complain like this:


Now, you can certainly "add an exception" for every domain you use like that.  But it's kind of like driving around on a spare tire.  It'll get you there, but slow and not much fun.

Offline Smurf Hunter

  • Survival Veteran
  • ********
  • Posts: 7172
  • Karma: 334
Re: 10-21 Twitter under DDOS
« Reply #13 on: October 21, 2016, 01:46:13 PM »
And as archer and others pointed out, you should treat DNS resolution as a dynamic thing that changes often.  Most big sites have geographically separate assets, and there's all sorts of "intelligence" that decides which you get directed to.

So far we've been talking only about DNS.  If servers themselves are targeted, then standby servers might be substituted, in which case DNS may change.
If there's a combo-attack of DNS and network or web servers directly, you could have a cluster you can't work around.

nkawtg

  • Guest
Re: 10-21 Twitter under DDOS
« Reply #14 on: October 21, 2016, 03:43:09 PM »
Dyn says DDoS attacks are coming from millions of IP addresses at the same time.
This was a backbone attack aimed at the DNS service rather than the target such as Twitter.
One source appears to be Internet-connected devices otherwise known as "The Internet of Things" (e.g., printers, routers, video cameras, smart TVs, thermostats)

USCert.gov Alert (TA16-288A)
Heightened DDoS Threat Posed by Mirai and Other Botnets

https://www.us-cert.gov/ncas/alerts/TA16-288A

Offline FreeLancer

  • Global Moderator
  • Survival Veteran
  • ******
  • Posts: 6712
  • Karma: 820
Re: 10-21 Twitter under DDOS
« Reply #15 on: October 21, 2016, 04:41:05 PM »
It sounds like these attacks may be a further manifestation of anger at Brian Krebs' recent reporting on the risk of DDOS attacks via the botnets made up of millions of unsecured IoT devices.  Krebs has been working with Dyn on this problem and one of their security researchers gave a talk last night in Dallas about this very threat.

Krebs' website was knocked off line for the better part of a week last month by a massive IoT DDOS attack that forced Akamai to drop him as a DDOS-protection customer, a service they were providing him gratis after previous attacks but were unable to financially continue to provide given the massive scale of the attack.  He finally made it back on line under Google's Project Shield, a free service designed to thwart internet journalism censorship via DDOS attacks.  The cost of this level of DDOS protection runs around $200,000 per year, way beyond what an independent journalist can afford.

Krebs is a brave man to keep doing what he does.  There's a bunch of bad people who want him gone.


https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/


While I was typing that, he's published an additional second article on today's attacks:  https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
« Last Edit: October 21, 2016, 04:48:01 PM by FreeLancer »

nkawtg

  • Guest
Re: 10-21 Twitter under DDOS
« Reply #16 on: October 21, 2016, 09:16:38 PM »
DPRK ruled out as culprit behind today's DDoS attacks, says NBCNews quoting sources.
Today's botnet attacks recruited devices made by China's XiongMai Technologies, says FlashpointIntel.

https://www.flashpoint-intel.com/mirai-botnet-linked-dyn-dns-ddos-attacks/
https://krebsonsecurity.com/

Offline Mr. Bill

  • Like a hot cocoa mojito
  • Administrator
  • Ultimate Survival Veteran
  • *******
  • Posts: 15347
  • Karma: 1878
  • Trained Attack Sheepdog/Troll hunter
Re: 10-21 Twitter under DDOS
« Reply #17 on: October 21, 2016, 09:27:06 PM »
Quote
Cache is very limited and not kept very long.

This might be an interesting project for those of us running Linux on a PC:

Localhost DNS Cache
Quote
...What I really wanted was just a local DNS server that honored TTL but would forward all requests to my real name servers. That way, I would get the speed and load benefits of a local cache, while also being able to troubleshoot any errors with standard DNS tools.

The solution I found was dnsmasq. ...

...with this in place, the environment is even more tolerant in the case there ever were a real problem with downstream DNS servers—existing cached entries still would resolve for the host until TTL expired. ...

Not a fix if DNS is dead, but it might maybe keep you online during short interruptions.

Quote
For more important sites, keep an up to date list of domain names -> ip addresses. Update this daily at least.

I was hoping to find a script to do this for me, but I might have to write my own.
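
A script along the lines discussed in this thread, added here as an example (it is not from any poster or from the linked article): it keeps a last-known-good name-to-address snapshot, refreshes it while DNS works, and during an outage prints hosts-file lines for the names that no longer resolve. The site names, the snapshot file name and the function names are assumptions made for the illustration.

```python
import json
import socket
import time

def resolve(name):
    """Return sorted IPv4 addresses for name, or [] when the lookup fails."""
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except OSError:  # socket.gaierror is a subclass of OSError
        return []
    return sorted({info[4][0] for info in infos})

def refresh(snapshot, names, resolver=resolve, now=None):
    """Update snapshot in place; return names that failed but have an older entry."""
    now = int(time.time()) if now is None else now
    stale = []
    for name in names:
        addrs = resolver(name)
        if addrs:
            snapshot[name] = {"addrs": addrs, "seen": now}
        elif name in snapshot:
            stale.append(name)  # lookup failed: keep the last known good record
    return stale

def hosts_lines(snapshot, names, now=None):
    """Render hosts-file lines for names, noting how old each record is."""
    now = int(time.time()) if now is None else now
    lines = []
    for name in names:
        entry = snapshot.get(name)
        if entry:
            age_h = (now - entry["seen"]) // 3600
            lines.append(f"{entry['addrs'][0]}\t{name}\t# last resolved {age_h}h ago")
    return lines

def load(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):  # first run or unreadable file
        return {}

if __name__ == "__main__":
    NAMES = ["example.com", "example.org"]  # constructed list; use your own sites
    PATH = "dns_snapshot.json"              # hypothetical snapshot file name
    snap = load(PATH)
    failed = refresh(snap, NAMES)
    with open(PATH, "w") as fh:
        json.dump(snap, fh, indent=2)
    print("\n".join(hosts_lines(snap, failed)))
```

Because a hosts-file entry maps the name instead of replacing it in the URL, the browser still requests the site by hostname and certificate validation runs against that hostname, unlike typing the bare IP address. Remove the lines once DNS recovers, since large sites change addresses often.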

nkawtg

  • Guest
Re: 10-21 Twitter under DDOS
« Reply #18 on: October 21, 2016, 09:29:49 PM »
Good advice.

Offline FrugalFannie

  • Dedicated Contributor
  • ******
  • Posts: 1247
  • Karma: 64
Re: 10-21 Twitter under DDOS
« Reply #19 on: October 22, 2016, 08:08:13 AM »
Call me a tinfoil hat wearing nutjob but I wouldn't be surprised if this is our own government doing this.

Offline Roknrandy

  • He That Rocks:Viewer Discretion is Advised
  • Moderator On Leave
  • Survival Demonstrator
  • *
  • Posts: 2708
  • Karma: 68
  • Master Spammer Obliterator
Re: 10-21 Twitter under DDOS
« Reply #20 on: October 22, 2016, 08:29:28 AM »
Quote
Call me a tinfoil hat wearing nutjob but I wouldn't be surprised if this is our own government doing this.

More likely from somewhere in the Russian Federation, and don't forget about our Friends from China.

Offline mountainmoma

  • Survival Demonstrator
  • *******
  • Posts: 4728
  • Karma: 223
  • suburban homesteader
Re: 10-21 Twitter under DDOS
« Reply #21 on: October 22, 2016, 11:56:00 AM »
Quote
This might be an interesting project for those of us running Linux on a PC:

Localhost DNS Cache
Not a fix if DNS is dead, but it might maybe keep you online during short interruptions.

I was hoping to find a script to do this for me, but I might have to write my own.

Maybe someone can post a way to get to this site doing that? Direct address, then at least can discuss here how widespread or share news of what is happening.

Offline Mr. Bill

  • Like a hot cocoa mojito
  • Administrator
  • Ultimate Survival Veteran
  • *******
  • Posts: 15347
  • Karma: 1878
  • Trained Attack Sheepdog/Troll hunter
Re: 10-21 Twitter under DDOS
« Reply #22 on: October 22, 2016, 06:45:15 PM »
Quote
Maybe someone can post a way to get to this site doing that? Direct address, then at least can discuss here how widespread or share news of what is happening.

Done:  How to access TSP Forum if DNS is knocked out

Quote
Cache is very limited and not kept very long.
For more important sites, keep an up to date list of domain names -> ip addresses. Update this daily at least.
I was hoping to find a script to do this for me, but I might have to write my own.

Gah!  I did this 6 years ago!  My memory is... what was I saying...?

Offline Morning Sunshine

  • Geese Smuggling Moonbat
  • Survival Veteran
  • ********
  • Posts: 6573
  • Karma: 312
  • There are no mistakes, just Learning Experiences
Re: 10-21 Twitter under DDOS
« Reply #23 on: October 22, 2016, 07:18:07 PM »
Quote
Call me a tinfoil hat wearing nutjob but I wouldn't be surprised if this is our own government doing this.

Isn't the internet being turned over to some international group this month?  Related?  :tinfoily:

Offline FreeLancer

  • Global Moderator
  • Survival Veteran
  • ******
  • Posts: 6712
  • Karma: 820
Re: 10-21 Twitter under DDOS
« Reply #24 on: October 22, 2016, 07:37:51 PM »
In a rare weekend post, it sounds like Bruce Schneier suspects the Dyn DDoS is related to the previous Brian Krebs attacks:  https://www.schneier.com/blog/archives/2016/10/ddos_attacks_ag.html

Quote
I have received a gazillion press requests, but I am traveling in Australia and Asia and have had to decline most of them. That's okay, really, because we don't know anything much of anything about the attacks.

If I had to guess, though, I don't think it's China. I think it's more likely related to the DDoS attacks against Brian Krebs than the probing attacks against the Internet infrastructure, despite how prescient that essay seems right now. And, no, I don't think China is going to launch a preemptive attack on the Internet.
