If you were on the internet on Friday morning, congrats! You were one of a lucky few who maintained their connectivity in the face of a massive, nationwide DDoS attack against part of the Domain Name System (DNS), a crucial piece of digital infrastructure which, when offline, cripples our ability to access the internet. But despite its importance, the DNS is often overlooked — much like the rest of the behind-the-scenes mechanisms that make the internet work. So before you go resetting your router to see if that clears things up (hint: it won’t), let’s take a quick look at what the DNS does and how it managed to break so spectacularly earlier today.
In the early days of networking, routing data between two computers might require that you know the target machine’s IP address, a 12-digit string of numbers like 192.168.1.1. Even in the early 1980s, when the “internet” was still the DoD’s ARPANET project and consisted of just 320 interconnected computers, trying to remember all 320 IP addresses would be like trying to memorize the address and occupant of every house in your neighborhood.
So, the internet’s architects developed the DNS, a giant, decentralized database that translates domain names to IP addresses, much the same way that telephone operators used to manually route calls through their switchboards. So when you type “Engadget.com” (aka the top-level domain or TLD) into your browser, the DNS company that hosts that domain converts “Engadget.com” into the 12-digit IP address and routes your request accordingly, starting with the TLD, so that your computer knows where to look for the website data it’s trying to load. What’s more, the DNS automatically updates these registries, so if Engadget ever switches hosting companies and its IP address changes, typing “Engadget.com” into a browser will still work.
The DNS is a hierarchical system. At the very highest level, you’ve got the “root servers”. There are 13 of them in all, and they handle requests for information about TLDs. So if you type “www.Engadget.com,” the root server won’t be able to find the exact listing in its zone files — simple text documents that map domain names to their respective IP addresses — but it will return a record for the “.com” TLD and shunt the request to the next server down, the TLD server.
The TLD server then looks for “www.Engadget.com” in its zone file. As before, the TLD server won’t find the full “www.Engadget.com” listing, but it will find a record for “Engadget.com”. With that information in hand, the request is kicked down to the domain-level servers.
By the time a request reaches a domain-level server, it’s only one step away from being fully routed to its destination website. These servers are essentially “the guy who knows the guy” you’re looking for. Domain servers look at the record for Engadget.com, determine that the host you want is www — as opposed to ftp, for example — and then look up the site’s IP address in their zone files before completing the routing operation.
Normally this all happens on the backend, and the process is completely seamless from the user’s perspective. However, hackers can (and just did) attack the companies that run these DNS services. When a service is knocked offline, every site whose DNS it hosts goes down as well, unless you know that site’s specific IP address, of course.
This is what US authorities believe happened Friday morning. A group of unknown cyber-attackers launched a huge Distributed Denial of Service (DDoS) attack — in which many small streams of data are funneled together to create an unrelenting tide of traffic that overwhelms a site’s servers — against Dyn, a major DNS service. They shut Dyn down for hours. This, in turn, caused a swath of sites that Dyn works for — including Twitter, Spotify, the New York Times, Reddit, Yelp, Box, Pinterest and PayPal — to go dark on Friday morning until the company was able to recover.
Unfortunately, defending against DDoS attacks, and the botnets that are used to launch them, is not a particularly easy task. The most common solution, according to Cisco, is the firewall, which acts as the network’s watchdog, inspecting data packets and determining their source. If a firewall detects suspicious network activity, it will alert the rest of the system. Networks may also incorporate load balancers — systems that spread network traffic out over multiple servers so that no one unit is overwhelmed. Remotely triggered blackholes (RTBH), instead, reroute and drop malicious traffic before it can even enter the network in the first place. Or, if you’re savvy like Pornhub, you’ll simply host your domain’s DNS with multiple registered providers, so that even if one goes down, traffic will simply be rerouted to a different service.
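To make the root → TLD → domain-server walk described above concrete, and to show why hosting a domain’s DNS with more than one provider keeps it reachable when one provider is knocked offline, here is an added example (not code from the article, from Dyn, or from any real resolver): a toy iterative resolver over constructed zone files, where every server name, domain, address and outage is made up.

```python
# Constructed zone files (all names and addresses made up): server -> {owner: [(type, value)]}
ZONES = {
    # root servers know only where each TLD's servers are
    "root": {"com.": [("NS", "tld-com")]},
    # the .com TLD server knows which name servers serve each domain
    "tld-com": {
        "engadget.com.": [("NS", "dyn-ns1"), ("NS", "dyn-ns2")],   # one provider only
        "example.com.": [("NS", "dyn-ns1"), ("NS", "other-ns1")],  # two providers
    },
    # domain-level (authoritative) servers hold the hosts' addresses
    "dyn-ns1": {"www.engadget.com.": [("A", "203.0.113.10")],
                "www.example.com.": [("A", "203.0.113.20")]},
    "dyn-ns2": {"www.engadget.com.": [("A", "203.0.113.10")],
                "www.example.com.": [("A", "203.0.113.20")]},
    "other-ns1": {"www.example.com.": [("A", "203.0.113.20")]},
}
ROOT_SERVERS = ["root"]


def longest_match(zone, name):
    """Return the longest suffix of `name` this zone has records for, or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return candidate
    return None


def resolve(name, down=frozenset(), servers=None, depth=0):
    """Walk the hierarchy root -> TLD -> domain server, following NS referrals.
    Servers listed in `down` are treated as unreachable (knocked offline), so
    the resolver moves on to the next server at that level. Returns the A
    record, or None when no reachable server can answer."""
    if depth > 10:  # guard against referral loops in a bad zone file
        return None
    for server in servers or ROOT_SERVERS:
        if server in down:
            continue  # try the next name server at this level
        zone = ZONES[server]
        match = longest_match(zone, name)
        if match is None:
            continue
        records = zone[match]
        if match == name and any(t == "A" for t, _ in records):
            return next(v for t, v in records if t == "A")  # final answer
        referral = [v for t, v in records if t == "NS"]
        if referral:  # shunt the request down to the next level
            return resolve(name, down, referral, depth + 1)
    return None
```

With both constructed Dyn servers marked down, the single-provider domain resolves to nothing while the dual-provider domain still answers from its second provider.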
That said, there’s no such thing as a perfectly secure network. DDoS attacks like these will continue to occasionally occur for the foreseeable future. But with proper network design and implementation, we’ll be able to mitigate their debilitating effects.