Thursday, October 27, 2016

New Stats on Dyn DDoS Attack Size

Imperva Releases More Information on the Dyn Attack

Ofer Gayer, product manager at Imperva for the Incapsula product line, explains:

“There is still quite a bit of speculation swirling on the size of the DDoS attack on Dyn last Friday. We know there were 100,000 Mirai botnet nodes – which is not especially large in our experience. So, in our estimation, there are two likely causes. The attack may have been a high-volume attack – over 500 million packets per second – that overwhelmed the Dyn infrastructure. Or, the attack may have been relatively small – 50-100 million packets per second – and the attack itself was “amplified” by what is known as a retry storm from their millions of legitimate users, making the job of differentiating between good and bad traffic very hard.”
Additional Information:

Q. Is a 100,000-node botnet big?
A. Not really.  Example of a 180,000-node botnet mitigated

Q. Are DNS services especially vulnerable?
A. They do suffer from being open systems:

"Effective DDoS mitigation is synonymous with accurate traffic filtering. For that reason DNS amplification attacks are actually easier to deflate as all uninitiated DNS responses are highly suspect and could be filtered on-edge, without any impact on the regular traffic flow. For example, one could categorically drop all unexpected DNS responses to port 53.

However, this isn’t the case for seemingly legitimate DNS flood queries, which cannot be dismissed before they are individually processed at the server level.

With on-edge filtering bypassed, and the path to the server CPU cores laid wide open, DNS floods have the potential to bring down even the most resilient of networks. "

Q. How can companies prevent attacks on their DNS infrastructure?

Q. Is Mirai that sophisticated?

Q. Has the Incapsula network been hit with Mirai?

Q. What’s a big DDoS attack measured in million packets per second (Mpps)