DDoS on DynDNS causing internet-wide outages

“So far twitter, etsy, soundcloud, spotify, github, pagerduty…crazy that this can even happen” :frowning:

https://news.ycombinator.com/item?id=12759697

It seems they don't follow their own advice: https://dyn.com/secondary-dns/

#EatYourOwnDogfood

If only it were that simple…
In a DDoS attack both the primary and the secondary servers can be attacked. Unicast could be a solution, but I don't have much experience with it.
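The exchange above turns on whether a "secondary DNS" setup actually buys resilience: it only does if the secondaries sit with a different operator and on different networks. The following is an added example, not code from any post in this thread, that takes a zone's NS set with the addresses those nameservers resolve to (constructed sample data, RFC 5737 documentation ranges) and reports whether the whole delegation depends on one provider or one /24. The provider grouping uses the last two labels of the NS hostname, an assumption that ignores multi-label public suffixes.

```python
"""Delegation diversity check for a zone's NS set (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample: a zone whose five nameservers all belong to one
# provider and share one /24, i.e. one upstream outage takes them all.
SINGLE_PROVIDER = [
    ("ns1.example-dns.net.", "192.0.2.10"),
    ("ns2.example-dns.net.", "192.0.2.11"),
    ("ns3.example-dns.net.", "192.0.2.12"),
    ("ns4.example-dns.net.", "192.0.2.13"),
    ("ns5.example-dns.net.", "192.0.2.14"),
]

# Constructed sample: the same zone with a true secondary at another
# operator, on another network.
WITH_SECONDARY = SINGLE_PROVIDER + [
    ("ns1.backup-dns.example.", "198.51.100.5"),
    ("ns2.backup-dns.example.", "203.0.113.9"),
]


def provider_of(ns_host: str) -> str:
    """Registrable parent of an NS hostname, e.g. ns1.p01.example.net -> example.net.
    Assumption: last two labels identify the operator (no public-suffix list offline)."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def delegation_report(ns_records):
    """ns_records: iterable of (ns_hostname, ipv4) pairs.
    Groups nameservers by operator and by /24 and flags single points of failure."""
    by_provider = defaultdict(set)
    by_prefix24 = defaultdict(set)
    for host, ip in ns_records:
        net24 = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_provider[provider_of(host)].add(host)
        by_prefix24[str(net24)].add(host)
    return {
        "providers": sorted(by_provider),
        "prefixes24": sorted(by_prefix24),
        "single_provider": len(by_provider) == 1,
        "single_network": len(by_prefix24) == 1,
    }


if __name__ == "__main__":
    for name, records in (("single provider", SINGLE_PROVIDER), ("with secondary", WITH_SECONDARY)):
        print(name, delegation_report(records))
```

In practice the input comes from the zone's NS records and their A/AAAA lookups; the check is only as good as the provider heuristic, so treat a "diverse" result as a prompt to confirm the operators really are independent.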

15:03 UTC: the Dyn Operations team was notified of an issue with Dyn Standard DNS nameservers. The team then immediately began investigating the issue and identified it as a Distributed Denial of Service (DDoS) attack against all five Dyn Standard DNS nameservers. Compounding this issue was a series of wide scale Internet stability issues caused by a software bug in a major networking vendor’s routing code, which affected BGP routing for a good majority of the Internet. This added complexity in identifying the DDoS vector, ultimately delaying our efforts to begin mitigation of the attack.

3 Likes

Plus this: Errata Security: Some notes on today's DNS DDoS

Dyn stupidly uses BIND. According to “version.bind” queries, Dyn (the big DNS provider that is a major target) uses BIND. This is the most popular DNS server software, but it’s wrong. It is 10x to 100x slower than alternatives, meaning that they need 100x more server hardware in order to deal with DDoS attacks. BIND is also 10x more complex – it strives to be the reference implementation that contains all DNS features, rather than a simple bit of software that just handles this one case. BIND should never be used for Internet-facing DNS; packages like KnotDNS and NSD should be used instead.

2 Likes