Written with the assistance of Dan Dahlberg, Ethan Geil, and Ross Penkala.
Last Friday morning, a distributed denial of service (DDoS) attack was carried out against Dyn, a managed DNS provider that offers Internet services for Twitter, Reddit, Spotify and countless others, causing massive outages for these and many of Dyn’s other customers. As a DNS provider, Dyn translates website names into real IP addresses. The DDoS attack caused intermittent issues for translations that had been cached previously and severe outages for everything else.
Websites are particularly vulnerable to a DDoS attack on a DNS provider because their domains are often hosted with only one provider. That’s why it’s not surprising that this isn’t the first time a DDoS attack has been launched against a DNS provider. In fact, back in May, an attack took down NS1, another widely-used DNS provider, and millions of websites around the globe experienced outages and slowdowns.
How The Attack Occurred
It’s been reported that this outage was caused by the Mirai botnet, which was also identified in the enormous DDoS attack launched against security journalist Brian Krebs. BitSight tracks the Mirai botnet around the globe.
Why it Matters
This outage was a perfect illustration of how businesses today are highly interdependent. Many companies relied on Dyn in order to run their web services. While some turned to other DNS providers during the outage, a large number of businesses suffered significant downtime for their sites. For e-commerce businesses such as Amazon and Etsy, disruptions such as these can result in the loss of a substantial number of potential sales.
For businesses using customer support platforms like Zendesk, it may mean that support tickets become backlogged and unresolved. Other platforms, like Spotify and Twitter, rely on these services to support their consumer-facing product and may have to pay back advertisers on ad impressions lost.
BitSight's comprehensive database of service provider relationships affords us a unique perspective on the tightly interconnected IT ecosystem. The chart below shows the number of domains using Dyn Managed DNS for companies affected by the outage. This chart shows that roughly 3500 companies had at least one domain using Dyn. The more telling number is on the far right, which shows that around 500 companies were using Dyn Managed DNS for 100% of their owned domains. These businesses likely experienced the most severe disruptions. It’s worth noting that there are other, more widely-used DNS providers. A similar attack on a larger provider could produce an even more widespread and severe disruption.
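The concentration measure described above can be computed from the authoritative NS records of each domain a company owns. The following Python sketch is an added example, not BitSight's code or methodology; it goes slightly beyond the chart by separating domains that use a provider from domains served only by that provider. The company names, domains and nameserver hostnames are constructed, and the suffix-to-provider mapping is an assumption.

```python
# Added example: DNS provider concentration from NS records (constructed data).
# Assumed suffix -> provider mapping; extend it for the providers you track.
PROVIDER_SUFFIXES = {"dynect.net": "Dyn", "nsone.net": "NS1"}

# Constructed portfolio: company -> {domain: [authoritative NS hostnames]}.
PORTFOLIO = {
    "acme-media": {
        "acme-media.example": ["ns1.p01.dynect.net.", "ns2.p01.dynect.net."],
        "acme-cdn.example": ["ns3.p01.dynect.net.", "ns4.p01.dynect.net."],
    },
    "globex-tech": {
        "globex.example": ["ns1.p02.dynect.net.", "ns2.p02.dynect.net."],
        "globex-app.example": ["ns1.p02.dynect.net.", "dns1.p05.nsone.net."],
        "globex-api.example": ["dns1.p05.nsone.net.", "dns2.p05.nsone.net."],
    },
    "initech-retail": {
        "initech.example": ["ns1.initech.example.", "ns2.initech.example."],
    },
}

def provider_of(ns_host):
    """Map one NS hostname to a provider label."""
    host = ns_host.rstrip(".").lower()
    for suffix, name in PROVIDER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    # Heuristic for unlisted hosts: group by the last two labels.
    return ".".join(host.split(".")[-2:])

def exposure(domains, provider):
    """Return (share of domains using provider, share served only by it)."""
    using = sole = 0
    for ns_hosts in domains.values():
        providers = {provider_of(h) for h in ns_hosts}
        using += provider in providers
        sole += providers == {provider}
    total = len(domains)
    return (using / total, sole / total) if total else (0.0, 0.0)

def fully_dependent(portfolio, provider):
    """Companies whose every domain has no nameserver outside provider."""
    return sorted(c for c, d in portfolio.items() if exposure(d, provider)[1] == 1.0)

if __name__ == "__main__":
    for company, domains in PORTFOLIO.items():
        used, sole = exposure(domains, "Dyn")
        print(f"{company:15s} uses Dyn: {used:.0%}  Dyn only: {sole:.0%}")
    print("single point of failure:", fully_dependent(PORTFOLIO, "Dyn"))
```

A domain that lists nameservers from two providers counts as using Dyn but not as served only by it, which is the case that keeps resolving when one provider is unreachable.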
It is also interesting to note that the proportion of companies affected varied by industry. The chart below shows this breakdown for all companies who had at least one domain using Dyn’s Managed DNS service. Media and Entertainment businesses were affected the most, followed by Technology. This reflects initial reporting that Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix were among the prominent companies affected. Looking at the number of fourth parties (companies who relied on service providers who used Dyn for DNS services), this number jumps more than 50%.
How To Tackle Cyber Risk Aggregation
For cyber insurers, this outage shows how a common threat can impact an entire book of business, leading to potentially significant policyholder payouts. With many businesses relying on a single DNS provider, single points of failure are a major challenge for insurers underwriting cyber risk. Depending on their policy, some businesses using Dyn for DNS services may be able to submit a claim and recoup some of their costs.
So how can insurers prepare for this kind of risk aggregation? Insurers can work to build a diverse book of business with different DNS providers (and other service providers) to avoid mass outages amongst their insureds. BitSight Discover for Risk Aggregation allows companies to do this by identifying dependencies between their book of business and common service providers. Over time, we expect insurers and enterprises to weigh the risks that common service providers pose to their digital ecosystems.
With companies increasingly adopting cloud applications, enterprises will need to be aware of how their critical third parties use the cloud. Typical questionnaires and assessments often do not reveal which services your third parties rely on. To avoid business disruptions and significant outages, identifying these relationships is critical. See how BitSight Discover for Enterprises allows businesses to start managing concentration risk that stems from the use of cloud service providers.