Things need to get more distributed. Don't load jQuery from some central site. Don't load fonts from Google. Make sure your site will work if all the trackers and ad sites are not responding. Use multiple independent DNS providers.
It's also time for serious litigation. Find some vulnerable IoT device being used for the attack, and sue the retailer, distributor, and manufacturer for negligence. Junk IoT manufacturers need to feel fear.
We've reached the point where any clueless business type who pooh-poohs and wishes away security concerns needs to get the idiot bit flipped on them. Today's networked computing environment has reached the point where this stuff is toxic. It might have been okay for a few isolated frontier weirdos to play with mercury to extract gold, but when that became a full-blown industry, it resulted in toxic consequences we are still dealing with over 150 years later. Maker hipsters playing with a few hardware hacks did little harm. Now that IoT is becoming household, the situation has changed in an analogous way.
As you said, the only protection (somewhat) is to have redundant/multiple DNS providers. Doesn't mean Dyn can't be one of many.
Dyn will almost certainly remain as one of those two or three.
Not sure, but isn't this yet another beacon?
This attack is notable because it exposes a single point of failure for a lot of popular sites. The long-term fix is to distribute that SPOF so it's not so tight a bottleneck. This is as easy as specifying nameservers from multiple providers, or as complex as a distributed DNS system such as namecoin.
The internet is a giant cascade of constant failures, and developing for it is an exercise in planning for failure. This isn't new - if it appears new, it's just that most engineers have done their jobs well. What will happen out of this is that the people trusting all their DNS traffic to Dyn will start trusting only half of it to Dyn, and the next time Dyn is knocked out, the people who have diversified against that contingency won't be practically affected.
Spamhaus was historic in 2013 at 75 Gbps. In 2014, Cloudflare mitigated a 400 Gbps attack. The BBC attack earlier this year crested 600 Gbps. Last month, OVH was hit with a 1 Tbps attack. Each of those was mind-bogglingly large at the time, and infrastructure has continued to evolve to deal with them. This attack isn't anything particularly different - it's just notable because it's visible, not because it happened.
Opt-in, maybe have an association run it (like an IX, but without the expensive dinners and dues and general activism which inflates IX budgets), etc. This would do more for "critical infrastructure protection" than anything DHS/NSA/FBI have ever done.
There's no reason for a computer to not be able to find a site I've been visiting every day for the last year. DNS data should be cached for at least 48 hours -- TTLs should be set to at least this.
People have been painfully reminded why using multiple providers is best practice, will re-evaluate if that's worth the expense and if yes add other servers. Dyn will easily survive unless some massive blunder is exposed in the aftermath.
The people who depend on DNS have one DNS-related job: to mitigate risk relative to their potential losses and existence.
Lots of people will quit using Dyn as a sole DNS, but I don't see any reason they'll quit being involved in people's multiple DNS solutions.
The 2013 attack was <1% of total internet traffic for its duration. The 2014 Cloudflare hit was ~2.5% of all traffic. BBC was ~3%, and OVH was ~4%. (Interpolated from Cisco here: http://www.cisco.com/c/en/us/solutions/collateral/service-pr...) Most predictions suggest that IoT attacks will grow faster than what we've already seen, and a rough estimate suggests that DDoS capacity is growing faster than legitimate capacity.
None of that means today was orders of magnitude higher - the shock factor was that it exposed a structural weakness people hadn't accounted for. But I expect this to become an increasingly significant problem as capacity increases, and moreover as that capacity becomes available to more attackers.
The reporting on this has really annoyed me because the writers writing about it have pretty consistently said that GitHub, Twitter, PayPal, etc have all been knocked offline, which is just untrue. They have unresolvable names - resolve their names and they're working just fine. The fix is improved resilience in name resolution, and it's not a terribly hard fix. Someone in the other thread noted that PornHub is managing just fine despite using Dyn DNS - because they also route half their DNS traffic to UltraDNS.
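The resilience checks the comments above describe (nameservers spread across more than one provider, and TTLs long enough that resolvers keep serving a zone while its authoritative servers are unreachable) can be audited from a zone's NS answers. The script below is an added example, not code from any commenter; the sample answers and `provider-a.test` / `provider-b.test` nameserver names are constructed, and it assumes the provider can be identified from the registrable domain of each NS hostname.

```python
"""Audit a zone's NS delegation for provider diversity and TTL headroom."""
import re
from collections import defaultdict

# Constructed sample: dig-style NS answers for a zone split across two providers.
# Nameserver hostnames are placeholders, not real provider data.
SAMPLE_TWO_PROVIDERS = """\
example.test.   172800  IN  NS  ns1.provider-a.test.
example.test.   172800  IN  NS  ns2.provider-a.test.
example.test.   172800  IN  NS  ns1.provider-b.test.
example.test.   172800  IN  NS  ns2.provider-b.test.
"""

# Constructed sample: one provider only, with a short TTL.
SAMPLE_SINGLE_PROVIDER = """\
shop.test.  300  IN  NS  ns1.provider-a.test.
shop.test.  300  IN  NS  ns2.provider-a.test.
"""

NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+?)\.?$", re.IGNORECASE)


def parse_ns_answers(text):
    """Return a list of (owner, ttl_seconds, nameserver) tuples from dig-style lines."""
    records = []
    for line in text.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            records.append((m.group(1).rstrip("."), int(m.group(2)), m.group(3).lower()))
    return records


def provider_of(nameserver):
    """Crude provider key: the last two labels of the NS hostname.
    Assumption: provider == registrable domain of the NS name. A stricter
    check would also compare the origin ASNs of the nameservers' addresses."""
    return ".".join(nameserver.split(".")[-2:])


def assess_delegation(text, min_ttl_seconds=48 * 3600):
    """Summarise provider diversity and TTL headroom for one zone's NS set."""
    records = parse_ns_answers(text)
    by_provider = defaultdict(list)
    for _owner, _ttl, ns in records:
        by_provider[provider_of(ns)].append(ns)
    min_ttl = min((ttl for _o, ttl, _n in records), default=0)
    return {
        "providers": sorted(by_provider),
        "single_provider": len(by_provider) < 2,  # one provider == one SPOF
        "min_ttl": min_ttl,
        "ttl_ok": min_ttl >= min_ttl_seconds,
    }
```

The 48-hour threshold mirrors the figure suggested in the thread and is only a default; pass `min_ttl_seconds` to use your own policy.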
Attacks like this are certainly a big problem, and are going to become a bigger problem, but IMO, the Chicken Little sky-is-falling hysteria is unwarranted and unuseful.
I've been really selective with the reporting I checked, and so most everything I've seen has been either BBC-bloodless ("these sites are inaccessible, because a DDoS attack happened"), or TheRegister-sophisticated (assumes the reader knows what DNS is). A quick look at what other people have been running explains your general sentiment. This isn't the end of the world, and running stories saying "IoT WILL KILL US ALL" isn't making anything better.
So fair enough: I think this is a serious issue, and today's events revealed that people haven't been properly prepared. But pitching it as something totally unpredictable is downright dishonest.