[DNSOP] Large DDoS attack today against Dyn Managed DNS

Dan York <york@isoc.org> Fri, 21 October 2016 14:07 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IcsO6LCV6m8W5F6d3fdRRgZTypk>

FYI, there was a large DDoS attack against Dyn's Managed DNS today that affected DNS info for major sites such as Twitter, GitHub, Spotify, SoundCloud, Box, Etsy and many others. Dyn's page is here:

https://www.dynstatus.com/incidents/nlr4yrr162t8

There's predictably a Hacker News thread: https://news.ycombinator.com/item?id=12759697

I don't yet see any more info about the specific incident, but hopefully something will be posted at some point.  If anyone does see any summaries or investigation, I would appreciate knowing the links.

I realize there isn't a direct connection to IETF documents in DNSOP, but thought this might be of interest to others on the list.

Dan

--
Dan York
Senior Content Strategist, Internet Society
york@isoc.org   +1-802-735-1624
Jabber: york@jabber.isoc.org
Skype: danyork   http://twitter.com/danyork

http://www.internetsociety.org/