Dyn DDoS Response: When a Third Party's Outage Takes Down Half the Internet
The October 2016 DDoS attack on Dyn — one of the internet's major DNS providers — knocked Twitter, Netflix, Reddit, GitHub, Spotify, and hundreds of other sites offline for most of a day. Dyn's incident response restored services in waves over 11 hours.
Background
Dyn provided authoritative DNS services for many of the internet's most visited websites. DNS is the internet's phone book — when Dyn's servers went offline, domains that used Dyn's nameservers became unreachable. The Mirai botnet (600,000 IoT devices) targeted Dyn with 1.2 Tbps of traffic.
The Attack
The attack began at 7:00 AM EST on October 21, 2016. Three waves of DDoS traffic overwhelmed Dyn's infrastructure at different times throughout the day. Dyn's engineering teams worked to mitigate each wave: scrubbing traffic, blocking malicious IP ranges, and routing traffic to unaffected infrastructure. The challenge was the scale and geographic distribution of the attack — Mirai's 600,000 devices were distributed across 164 countries, making IP-based blocking impractical.
Response
For the first wave, Dyn partially restored services after 2 hours. The second and third waves required additional mitigation cycles. Full service restoration took approximately 11 hours. Dyn published a detailed incident report. Oracle subsequently acquired Dyn and integrated it into cloud services with redundant infrastructure.
Outcome
The Dyn attack was the largest DDoS ever recorded at the time. It demonstrated that a single DNS provider's outage could cascade to hundreds of major internet services. The incident drove adoption of multi-provider DNS strategies and of scrubbing-centre DDoS mitigation services.
Key Takeaways
- Critical services must use multiple DNS providers simultaneously so a single provider's outage does not cause complete unavailability
- DDoS mitigation requires geographic distribution of scrubbing capacity — single-region mitigation is insufficient for global attacks
- Incident communication during infrastructure outages must provide regular public updates to manage downstream service operators
- Third-party DNS, CDN, and cloud provider outages create cascading failures — map your single points of dependency
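
An added example (not from the original article or from Dyn) for the first and last takeaways: a Python audit that groups each zone's NS records by the operator behind them and reports which zones go dark if one operator fails. The NS data, the `.example` zone names and the operator pattern table are constructed for illustration; the patterns follow common nameserver naming and need adjusting to your own providers.

```python
import re
from collections import defaultdict

# Operator patterns (assumed; extend for your providers). One operator can span
# several TLDs, and vanity names such as ns1.yourbrand.example hide the real
# operator, so list those here as well.
OPERATOR_PATTERNS = [
    (re.compile(r"\.dynect\.net$"), "dyn"),
    (re.compile(r"\.awsdns-\d+\.(com|net|org|co\.uk)$"), "route53"),
]

# Constructed sample: NS sets as `dig NS <zone>` would return them.
SAMPLE_NS = {
    "shop.example": ["ns1.p01.dynect.net", "ns2.p01.dynect.net",
                     "ns3.p01.dynect.net", "ns4.p01.dynect.net"],
    "api.example": ["ns-101.awsdns-12.com", "ns-600.awsdns-11.net",
                    "ns-1502.awsdns-59.org", "ns-2001.awsdns-63.co.uk"],
    "www.example": ["ns1.p01.dynect.net", "ns-101.awsdns-12.com"],
}

def operator_of(ns_host):
    """Map a nameserver hostname to the operator that runs it."""
    host = ns_host.rstrip(".").lower()
    for pattern, name in OPERATOR_PATTERNS:
        if pattern.search(host):
            return name
    # Fallback: last two labels, a naive stand-in for the registrable domain.
    return ".".join(host.split(".")[-2:])

def audit(ns_records):
    """Return {zone: sorted list of distinct operators serving it}."""
    return {zone: sorted({operator_of(ns) for ns in hosts})
            for zone, hosts in ns_records.items()}

def blast_radius(operators):
    """Return {operator: zones that depend on that operator alone}."""
    radius = defaultdict(list)
    for zone, ops in operators.items():
        if len(ops) == 1:
            radius[ops[0]].append(zone)
    return {op: sorted(zones) for op, zones in radius.items()}

if __name__ == "__main__":
    ops = audit(SAMPLE_NS)
    for zone in sorted(ops):
        status = "ok" if len(ops[zone]) > 1 else "SINGLE PROVIDER"
        print(f"{zone:14} {', '.join(ops[zone]):16} {status}")
    print(blast_radius(ops))
```

Counting NS hostnames or TLDs alone would rate `api.example` as well diversified; grouping by operator shows that its four nameservers are one dependency.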