[WARNING] DDoS attack underway against DNS host Dyn

Not having issues show up, just about all my clients use OpenDNS as their forwarders (I like the extra layer of malware protection).

I'm running pings to various DNS servers...and OpenDNS has the lowest times. However OpenDNS has an advantage: they "cluster" their servers spread out globally, with Anycast routing. Ping 208.67.222.222 and it could go to any of thousands of locations...but ODNS will route it to one located geographically closest to you. DDoS can't easily take them down like it could typical single-location DNS servers.
 
"..until the elite cease and desist their agenda of a New World Order and abandon their plans of a One World Totalitarian Government."- Ridiculous Alex Jones type conspiracy nonsense. Name one country willing to give up its autonomy.
 
Forgive my ignorance here, but isn't this kind of thing all about what you have cached and what your DNS server currently thinks the IP is?

So you can't say "I'm using so and so and I'm fine", because maybe you have the correct info cached, or maybe the DNS server you're connected to has the correct info. You could however try something like https://dnschecker.org/ to check the results of a bunch of DNS servers and then use the ones returning the appropriate IP.

Right, right? Or no? My networking is weak.
 
You are correct...to a point. There is a setting controlled by the top DNS server that controls the domain (say, computerrepairtech.com), which all DNS servers below that must follow...and that is called the "TTL" (Time To Live).

Historically this used to be 24 hours (86400 seconds). More commonly it's less than that, especially for some high-SLA services with redundant or failover sites; it's often as low as 900 seconds now (15 minutes) (even less, probably).
Meaning...say you run a DNS server on your local network...you go look up a site (www.computerrepairtech.com) the first time. Your workstation will query your DNS server...it will not have it cached locally from a prior lookup, so it will go upstream to the DNS forwarder it has up on the internet (like your ISP or OpenDNS or GoogleDNS) and grab that record. It will hold that record for 24 hours...for example (if the TTL of that domain computerrepairtech was defaulted to 86400 seconds)...additional visits that day will respond fast because your DNS server caches it for 24 hours. But the following day, after 24 hours, it will "flush itself" from the DNS server and the DNS server will have to turn to its forwarder again.

There are other variables, and some DNS servers will ignore the original TTL and cache records longer. There are pros and cons to this.
 
Many sites and services even suggest 5 minute TTLs. Longer TTLs could help if your DNS servers or one in between get attacked, but are terrible if your site is attacked, or if you need to rapidly change hardware/IP/location.

It is still a common ISP DNS issue where ISPs will cache longer than the reported TTL. Way back in the day (we're talking 20 years ago), it was beneficial to ISPs, because DNS lookups could become such a high bandwidth usage item and instill even more slowness in the internet, so a lot would cache longer (in some instances, WELL over the TTL; I know one ISP who would cache for a week). As time went on, they would do post-lookups. For example, if the DNS forwarder had a domain but it was past the TTL, when it got a request it would forward the existing lookup immediately, but during/after, it would go and refresh the record on its own. It would result in maybe 1 person with a failed DNS entry, but the odds were low. Nowadays, with such a large base and bandwidth going up, it's not as critical, but it is creeping again, especially with such short TTLs.

From my understanding, the reason that OpenDNS (and, to a limited extent, GoogleDNS) did not go down during this time wasn't that they don't honor TTLs. I went digging as to why they didn't have nearly the issues, and it was that they not only do caching, but that they will continue to cache the domain name information if they can not reach the original DNS server they were attempting to talk to. I'm not sure of the timeframe on how long this occurs for, but clearly, they do this.

I'm slightly concerned at the 'repeated' attacks through the day, now that I've learned this. The initial attack I believe was to see what kind of cascading failure they could cause. The further attacks through the day I suspect that it was to see how long GoogleDNS and OpenDNS would hold the cached data for. The attacks have been ramping up, and it's clear this new botnet is quite capable of sustaining an attack, with very high bandwidth. I wonder if the next DNS attack will target Dyn, GDNS and ODNS simultaneously.

Unfortunately, by its nature, DNS is probably the weakest point of the Internet. I've pondered whether we could come up with a distributed DNS service which wouldn't be able to be directly attacked or poisoned. I wondered about something similar to bitcoin in 'verification', something as hard to target as torrent, but also capable of having 'local' or ISP rapid lookups. Even if it were a distributed DNS system between all forwarders, doing away with the root DNS servers, which are bound to be hammered eventually.
 
Just to add: the reason Facebook, and many, MANY other sites went down was mostly due to short TTLs, combined with a lot of how cloud technologies work now. In an attempt at redundancy, speed, distribution, and CDN, they've now weakened themselves to DNS issues. For example:

www.facebook.com CNAME star-mini.c10r.facebook.com TTL 60m
star-mini.c10r.facebook.com A <ip> 60s

So, in reality, 60s after a DNS attack starts, Facebook WILL go down. And it could take Facebook up to 60m (in some situations 2 hours) to even attempt to rectify the DNS issue. I'm actually kind of shocked that Facebook hasn't changed their TTL structure to minimize damage like the other day.

Edit: The more I look at FB's DNS records, the more it leaves me scratching my head.
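To make the TTL mechanics discussed in the posts above concrete (a caching resolver holding a record until its TTL runs out, a resolver that keeps answering from expired cache when it cannot reach the authoritative servers, and a CNAME chain whose usable lifetime is its shortest TTL), here is a small simulation added to this thread; it is not code from any poster. The zone data is constructed from the record shape quoted above, the IP is a placeholder, and the serve-stale behaviour models what the post describes rather than any vendor's actual implementation.

```python
from dataclasses import dataclass, field

# Constructed zone: (rtype, rdata, ttl_seconds), shaped like the records quoted above.
UPSTREAM = {
    "www.facebook.com": ("CNAME", "star-mini.c10r.facebook.com", 3600),
    "star-mini.c10r.facebook.com": ("A", "192.0.2.10", 60),  # placeholder IP
}

def effective_ttl(zone, name):
    """How long a fresh answer stays usable: the shortest TTL in the CNAME chain."""
    rtype, rdata, ttl = zone[name]
    return ttl if rtype != "CNAME" else min(ttl, effective_ttl(zone, rdata))

@dataclass
class CachingResolver:
    zone: dict                   # stands in for the authoritative servers
    serve_stale: bool = False    # keep answering from expired cache if upstream is down
    cache: dict = field(default_factory=dict)   # name -> (rtype, rdata, expires_at)

    def lookup(self, name, now, upstream_up=True):
        """Resolve name to an IP, following CNAMEs. Returns (ip, served_stale)."""
        stale = False
        for _ in range(8):                       # bound the CNAME chain
            entry = self.cache.get(name)
            if entry and entry[2] > now:         # fresh cache hit
                rtype, rdata, _ = entry
            elif upstream_up:                    # miss or expired: refetch and re-arm TTL
                rtype, rdata, ttl = self.zone[name]
                self.cache[name] = (rtype, rdata, now + ttl)
            elif entry and self.serve_stale:     # expired and upstream unreachable
                rtype, rdata, _ = entry
                stale = True
            else:
                raise LookupError(f"SERVFAIL: {name} expired, upstream unreachable")
            if rtype == "A":
                return rdata, stale
            name = rdata
        raise LookupError("CNAME chain too long")

def outage_timeline(serve_stale=False):
    """Authoritative side goes down at t=10s; probe afterwards. {t: ip|'stale:ip'|'SERVFAIL'}."""
    r, out = CachingResolver(UPSTREAM, serve_stale), {}
    for t in (0, 30, 61, 3700):
        try:
            ip, stale = r.lookup("www.facebook.com", now=t, upstream_up=t < 10)
            out[t] = f"stale:{ip}" if stale else ip
        except LookupError:
            out[t] = "SERVFAIL"
    return out
```

Without serve-stale the name fails at t=61 even though the CNAME has nearly an hour left, because the 60s A record at the end of the chain is what expired; with serve-stale the same resolver keeps answering from the expired entries.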
 
I know. Unfortunately, yeah, a good lot of them go so far left they end up being on the right, in the scary stupid territory of Alex Jones and nonsense conspiracy BS.
 