A key building block of the Internet is called the Domain Name System (DNS). DNS phone book servers translate names like www.ih-online.com into numbers a computer can understand: an Internet Protocol (IP) address like 98.172.30.113. On Friday, lots of Internet of Things (IoT) devices, like cameras and digital video recorders, were hijacked and asked phone book servers run by the company Dyn to look up IP addresses for them. Dyn servers had so many requests, they simply could not respond in a timely matter to anyone. When computers could not get the IP address they needed, they could not find their way on the Internet. Web sites became unreachable. All the connections and web servers were fine. If you typed the IP address instead of the name into the browser, the web servers would have responded. Unfortunately, unless you already knew the IP address, you would need to use a DNS phone book server to find it.

Distributed Denial of Service (DDoS) attacks like the one on Friday are pretty hard to stop if you are the target. If an army of machines sends gibberish to a target, that target's Internet link or server will be overwhelmed and disappear from the Internet. These brute force attacks can even overwhelm the target's Internet Service Provider's (ISP's) ability to service other clients by flooding their lines. ISPs will commonly block attacking traffic, but that means the target still is disconnected from the Internet.

Making Dyn the target of the DDoS attack knocked out thousands of web servers at once and millions of people experienced the effects.

The attack was much more successful than it should have been. This is because many companies, like Twitter, have ignored best practices and specified only one company, Dyn, to hold their phone book information. Had they specified an additional phone book provider, and there are millions, to hold phone book information, they would not have gone dark. Making such a change is trivial and DNS phone book services are extremely inexpensive.

Twitter and many of the other companies made their DNS problems worse than they might have been. When you get phone book information from a DNS server, it tells you how long that information should be considered good. Once you cross that time threshold, the information is not to be trusted, so it is thrown away. This allows people to move web and e mail servers around on the Internet from one IP to another. You use the same name, but the number changes. Setting an expiration time also allows you to do some load balancing between multiple servers on the Internet as the initial response may be to use IP address A and the next response is to use IP address B. But.... If the expiration time is too long and you move a server from one IP to another, people who have the old IP address information will keep trying to go to that address and get no response. If the time is too short, you will needlessly ask phone book servers over and over for the same IP address. This puts additional load on DNS phone book servers and increases the likelihood that you might have an issue getting a response. Those companies who had short expiration times in the Dyn phone book had more problems than they might have had otherwise. Companies that used longer expiration times experienced fewer problems because the information people needed could have already been learned before the attack and marked as still valid, so no look up was needed. Until that information expired, these customers could reach the web sites they wanted.

Many companies use an additional trick that can cause problems as well, redirection. When you look up www.ih-online.com, the answer comes back that there has been a name change, so look up www.ibm.com instead. Now you have to do *two* DNS lookups. Not only can this cause delays in displaying web sites, if either lookup fails, you cannot get the IP address you need. For example, if the first DNS server responded with a new name that only Dyn knew about, you would be out of luck.

Think that this could not happen to you? These are major corporations and they had (and still have) DNS configuration issues. Many federal government sites do as well. 95% of the time I see something in an organization's DNS that can be improved so that their mail is delivered more reliably and with less chance of being spoofed, so they can stay "on the air" more reliably, etc. Years ago, I tried to get the FBI to fix DNS and e mail issues. They thought they were fine. Six months later, massive numbers of scam e mails went out that looked like they came from the FBI. It turned into a denial of service attack that basically cut their Internet connection.

If you want to know more about DNS, I recommend the very readable "DNS and BIND" book. Cricket Liu and Paul Albitz are now in the 5th edition of this book and it is the key reference work for anyone on the subject of DNS.

Forget Me Not