How did the denial of service (DDoS) attack that took down Twitter, Netflix and Github work?

By Gavin Phillips @ Cowshed Works Ltd

Blog Picture

As with countless other users of websites and services like Twitter, Netflix, Github, AirBnb etc, I noticed the outage on the 21st October after trying to log in, the connection was hanging and ended up with a DNS error. I realised after a short while that what I was witnessing wasn't an error or sackable offence by someone at Twitter but actually an attack on the underlying infrastructure of the web. To understand what happened I'll go through a brief overview of the technologies affected and then explain how they were rendered useless by this attack.

The target: DNS

DNS stands for Domain Name System and is the technology that allows human friendly domain names like cowshedworks.co.uk to be translated into computer network addresses (IP addresses) like 194.116.174.148. The system is decentralised to allow it to be fault tolerant and remove the need for a central database. Essentially it works by domain names assigning two (or more) name servers to be in charge of its lookup records. These two name servers are the authoritative name servers for that domain. The look-up process goes something like this...

  1. The user enters cowshedworks.co.uk into their browser
  2. The browser tells the operating system it wants to route a request to the machine handling services for this domain
  3. The operating system queries the name servers it's set up to use (usually the ISP's name servers) for the IP address of cowshedworks.co.uk
  4. Assuming the name servers haven't cached the name they won't know the answer so will have to ask the internet domain root servers to find out the names of the TLD (top level domain) servers for this domain (in this case .co.uk)
  5. The name server then queries the TLD name servers for the authoritative name servers for cowshedworks.co.uk
  6. The name server then queries the cowshed works authoritative servers for the IP address
  7. The name server returns the IP address to the operating system, which passes it back up to the browser, the browser can now build its HTTP (or better still HTTPS) request


DNS, then, is essentially the sat nav of the internet, without it nothing is going anywhere.

The attack vector: DDoS via botnets

Excuse the term attack vector, it just sounds like something Jack Bauer would say and that's good enough for me.

DDoS (distributed denial-of-service) isn't overly complicated to explain, Distributed = from lots (millions) of internet connected computers and devices, Denial of Service = the service being attacked is denied to users as it struggles to cope with the attack.

It's a fairly unsophisticated form of attack whereby millions of requests are directed at web services (web servers, DNS servers, email servers etc), this overwhelms them and prevents them from fulfilling requests.

Botnets are as complicated as they are diverse but it's enough to understand that they are essentially an 'army' of computers and devices that have been hijacked by malware. They 'listen' for commands from a controller and will attempt to carry out the commands once instructed, in this case the command was repeatedly hit this web service with requests.

The attack on the 21st October

The attackers, whoever they were, started unleashing the botnets at the DNS name servers operated by a US based internet company called DYN, they provide (were providing) DNS services to several major websites and internet companies. The attack started at around 11am and progressively worsened over the following hours, the usual safeguards put in place to mitigate DDoS attacks weren't up to the force and shape of this attack.

As name servers around the world tried to look up the IP addresses of the domains managed by DYN they were met with hanging connections, this meant the request couldn't be resolved and returned back to the client.... hence the hanging connection and ultimate DNS error. This is what millions of us were seeing, a denial of our favourite services caused by an unseen / unknown army of compromised computers and devices.

The IoT connection

What's unusual about this attack is that it utilised a regiment of connected IoT (internet of things) devices in the botnet army (excellent use of a military analogy there I think you'll agree).

It's hard to comprehend this but while you were sat there trying to check your twitter timeline your fridge, router and toaster were attacking the servers that were trying to help you access your favourite sites and apps.

What's troubling about this is that many people have long been criticising the poor security of IoT devices and the need for companies to take a step back and look at this issue before steaming ahead with selling these items into the mass market.

Try not to lose any sleep, it's not as if there are things like power stations and other critical infrastructure online that could be..... oh.

Author: Gavin Phillips
Published: Nov 8, 2016 (2 years ago)

Work with Cowshed:Works

Ready to start your next website or app project? Give us a call or send us an email.



© Cowshed Works Ltd: UK Staffordshire-based website design, build and management

VAT: 251 4480 22 - Registered in England: 10399485

Terms: Website | Service