How Twitter, Amazon, and others were impacted by last Friday's DDoS attack - and what you might want to do about it.

October 25, 2016, Kennet Westby, President and COO

Our partner, the Chertoff Group, issued the following advisory.

Client Advisory: October 21 distributed denial of service (DDoS) attack

A major distributed denial of service (DDoS) attack recently (10/21/16) disrupted Internet communications throughout parts of the United States in several waves, and there is growing concern over a number of increasingly disruptive DDoS events that have occurred over the past several months. While facts are still unfolding, the Chertoff Group offers the following situational awareness on recent events and selected mitigation measures to consider.

The October 21 Attack

  • Dyn, a firm that provides core Internet services for large companies, suffered a DDoS attack on its DNS (Domain Name System) infrastructure during the early morning (beginning around 7am ET) of Friday, October 21. A DDoS attack leverages a large volume of compromised or poorly configured devices to flood a victim with unsolicited traffic. This flood overwhelms the targeted system, degrading or discontinuing service.
  • Dyn manages and analyzes Internet traffic for many large companies that have a significant web presence. The attack targeted Dyn’s DNS servers, which resolve alphanumeric DNS names (e.g., ) to the IP addresses that computers use to communicate with each other. DNS enables users and devices to carry out core Internet functions such as web browsing and email transmission; when it is unavailable, services that are themselves healthy become unreachable by name.
  • The scope of the impacts is not yet fully known. Although DDoS conditions were limited to the U.S. east coast earlier Friday, later reports also indicated impacts in other parts of the country. The regional nature of the impacts could be attributed to attackers concentrating DDoS traffic on servers that resolve DNS for a specific region within a global content delivery network (CDN), although we have no confirmation this is the case.
  • Dyn reported several waves of attacks over the course of the day. Prominent companies like Twitter, Amazon and Spotify were reportedly degraded for varying periods of time.

Recent Trends and Context

  • There has been growing concern across a number of sectors about emerging DDoS threats and the potential for widespread impact on the US economy.
  • Several other recent DDoS attacks have demonstrated unprecedented potency. Attacks in August and September on cyber blogger Brian Krebs’ website, Olympic websites, and French Internet Service Provider OVH have reportedly ranged between 500 gigabits per second (Gbps) and 1 terabit per second (Tbps). By way of comparison, the 2012-2013 DDoS attacks suffered by major banks, unprecedented at the time, were a fraction of this size (news reports indicated 60 Gbps).
  • Recent attacks have leveraged compromised Internet-of-Things (IOT) devices. The malware source code used to compromise these devices has recently been published (see recent US-CERT Alert on the topic). The Dyn attack reportedly leveraged this malware. We are concerned that, as the volume of compromised IOT devices increases, so does the potential scale of follow-on DDoS attacks that leverage such devices.
  • Given the geopolitical climate, including the announcement by the U.S. Intelligence Community attributing recent election-related data intrusions to Russia, along with the 2007 DDoS attacks on Estonia that a number of sources have also attributed to Russia, there is speculation about a nation-state role. However, given the public release of the malware used in the Krebs attack and its apparent use in yesterday’s event, a number of other threat actor scenarios are also plausible. More generally, some experts have also expressed concerns about DDoS attacks launched by disgruntled/lone wolf actors who do not fully appreciate the cascading ramifications of such an attack.

Potential DDoS Impacts

The potential impacts of these DDoS attacks are numerous and can affect any enterprise that relies on the Internet to do business, including:

  • Availability of targeted corporate IT networks (corporate websites, email, cloud applications, etc.).
  • Operation of IOT and industrial control systems exposed to the Internet.
  • Secondary impacts caused by cascading effects from a more directly targeted (or less well protected) third party.

Steps to Consider

The DDoS risk should not be viewed simply as an IT risk – it constitutes an enterprise risk and should be treated as such. Immediate steps for our clients to consider include both IT/IOT and non-IT/IOT measures:

  • Ensure that any IOT default passwords have been changed (both to prevent device compromise as well as to ensure that your organization does not become an unintended DDoS attack weapon).
  • Limit Internet-facing devices as much as possible.
  • Where possible, update Internet-facing devices with security patches as soon as patches become available.
  • Review, and update as needed, service level agreements (SLAs) with DDoS mitigation providers.
  • At the enterprise level, review business continuity plans for consideration of potentially extended periods of degraded/lost Internet service, both for your organization and critical third party service providers.
  • Consider the development of a DDoS risk management strategy (if not already in place), including preventive, detective, response and recovery-related measures.
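The October 21 event shows why the third-party review in the continuity step above should cover DNS specifically: a domain whose authoritative nameservers all belong to one operator becomes unreachable by name when that operator is under attack, even if the organization's own servers are healthy. The script below is an added illustration written for this post, not part of the Chertoff Group advisory. It takes an inventory of domains and their authoritative nameservers (in practice gathered with `dig NS <domain>`) and reports which domains depend on a single DNS operator and how many domains each operator would take down. The domain and nameserver names are constructed placeholders, and the "last two labels" rule for identifying an operator is a simplification that would need refinement for suffixes such as `co.uk`.

```python
"""Flag DNS-operator concentration across an inventory of domains.

Added example for this advisory, not the advisory's own tooling. The records
below are constructed placeholders, not real DNS data.
"""
from collections import defaultdict

# Constructed sample inventory: domain -> authoritative nameserver hostnames,
# in the form you would collect from `dig NS <domain>` for each domain you own.
SAMPLE_NS_RECORDS = {
    "shop.example": ["ns1.providera.example", "ns2.providera.example"],
    "api.example": ["ns1.providera.example", "ns3.providerb.example"],
    "mail.example": ["ns1.providerc.example.", "ns2.providerc.example."],
}


def provider_of(ns_host):
    """Map a nameserver hostname to its operator.

    Simplification (assumption): the operator is identified by the last two
    DNS labels of the nameserver hostname, with case and trailing dot ignored.
    """
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def single_provider_domains(ns_records):
    """Return {domain: operator} for domains whose every authoritative
    nameserver is run by the same operator (no DNS redundancy)."""
    result = {}
    for domain, servers in ns_records.items():
        operators = {provider_of(s) for s in servers}
        if len(operators) == 1:
            result[domain] = operators.pop()
    return result


def provider_blast_radius(ns_records):
    """Return {operator: sorted list of domains} describing which domains
    would stop resolving if that single operator became unavailable."""
    radius = defaultdict(list)
    for domain, operator in single_provider_domains(ns_records).items():
        radius[operator].append(domain)
    return {operator: sorted(domains) for operator, domains in radius.items()}


if __name__ == "__main__":
    for operator, domains in provider_blast_radius(SAMPLE_NS_RECORDS).items():
        print(f"{operator}: outage would take down {len(domains)} domain(s): {', '.join(domains)}")
```

Domains that appear in the report are candidates for a secondary DNS operator, and the operator list itself feeds the business-continuity review of critical third-party providers. The same inventory can be re-run after changes to confirm the concentration has actually been reduced.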