Many questions remain after an unprecedented sequence of distributed denial-of-service (DDoS) attacks last week against Dyn DNS left millions unable to access high-profile websites. The attack disrupted domain name system services beginning Friday morning and continuing through the day. At first, the DNS DDoS mostly affected operations on the U.S. East Coast; many popular sites were reported to be affected, including Twitter, Reddit, Spotify, GitHub and The New York Times.
"This was a sophisticated, highly distributed attack involving tens of millions of IP addresses," Kyle York, chief strategy officer at Dyn, wrote, summarizing the attack that started on the morning of Oct. 21. The Manchester, N.H., provider of domain name services detected the attack's first wave around 7 a.m. EST, and it was able to restore service to its customers within about two hours; a second wave of attacks was detected at about noon.
"This second wave was more global in nature (i.e., not limited to our East Coast [points-of-presence]), but was mitigated in just over an hour; service was restored at approximately [1 p.m. EST]. Again, at no time was there a network-wide outage, though some customers would have seen extended latency delays during that time."
A third attack was attempted, but York noted Dyn was "able to successfully mitigate it without customer impact."
Chester Wisniewski, principal research scientist at U.K.-based Sophos Ltd., noted that while Dyn had reported a huge number of IP addresses involved in the attack -- as many as "tens of millions" -- a figure that might be read as the number of internet of things (IoT) devices enrolled in the botnet, it was more likely the count was inflated by IP address spoofing. A forged source address costs the attacker nothing per packet, so the number of distinct addresses a target observes says little about how many devices sent the traffic. "Technically, the attack could have originated from a single device, although many believe the number of devices involved in the attack to be somewhere around 50,000," Wisniewski wrote.
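The following is an added example, written for this article and not code from Dyn, Sophos or the Mirai project, that shows the effect Wisniewski describes: how an analyst derives a "distinct source IP" count from a resolver's query log, why that count is only an upper bound on the number of devices when sources are spoofed, and one check that proves spoofing is present (source addresses in unroutable "bogon" space, which no internet-facing device can legitimately hold). The log format, the bogon prefix list and every address are assumptions made for the example; the sample log lines are constructed and are not Dyn data.

```python
import ipaddress
import random
from collections import Counter

# Assumed (not from the article) resolver query-log format: "<time> <src_ip> <qname> <qtype>".
# These lines are constructed for the example; they are not Dyn's logs.
SAMPLE_LOG = """\
07:00:01 203.0.113.7 twitter.com A
07:00:01 10.45.2.9 twitter.com A
07:00:01 198.51.100.23 github.com A
07:00:02 203.0.113.7 reddit.com A
07:00:02 192.168.77.4 twitter.com A
07:00:02 198.51.100.23 twitter.com A
07:00:02 100.64.3.3 spotify.com A
07:00:03 203.0.113.7 nytimes.com A
07:00:03 240.1.1.1 twitter.com A
07:00:03 198.51.100.23 reddit.com A
07:00:03 192.0.2.50 twitter.com A
07:00:04 192.0.2.50 github.com A
07:00:04 169.254.9.9 twitter.com A
07:00:04 203.0.113.200 twitter.com A
"""

# Source prefixes that cannot legitimately originate traffic on the public internet
# (RFC 1918 private space, CGNAT, loopback, link-local, "this" network, multicast,
# reserved/class E including broadcast). A flood whose sources include these was
# spoofed: no internet-facing device holds those addresses. The RFC 5737 documentation
# prefixes are deliberately left out because the sample uses them as stand-ins for
# ordinary routable customer addresses.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)


def parse_log(text):
    """Return (time, src_ip, qname, qtype) tuples, skipping blank and comment lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, qname, qtype = line.split()
        records.append((ts, src, qname, qtype))
    return records


def source_stats(records):
    """Distinct-source count plus two spoofing indicators: provably unroutable sources,
    and the fraction of sources seen exactly once (a flood that forges a fresh source
    per packet rarely repeats an address; a real bot keeps reusing its own)."""
    per_source = Counter(src for _, src, _, _ in records)
    distinct = len(per_source)
    bogons = sorted(s for s in per_source if is_bogon(s))
    singletons = sum(1 for n in per_source.values() if n == 1)
    return {
        "queries": len(records),
        "distinct_sources": distinct,
        "bogon_sources": bogons,
        "bogon_fraction": round(len(bogons) / distinct, 3) if distinct else 0.0,
        "singleton_fraction": round(singletons / distinct, 3) if distinct else 0.0,
        "top_talkers": per_source.most_common(3),
        # Distinct sources minus provable bogons. Still only an upper bound on real
        # devices: a forged address inside routable space is indistinguishable here
        # from a genuine one, which is exactly why "tens of millions of IPs" does not
        # translate into tens of millions of bots.
        "max_real_sources": distinct - len(bogons),
    }


def spoofed_flood(n_packets, seed=1):
    """One sender forging a random source per packet: the distinct-source count equals
    the packet count although exactly one device is involved. Addresses are kept
    distinct so the demonstration is deterministic for a given seed."""
    rng = random.Random(seed)
    records, seen = [], set()
    while len(records) < n_packets:
        src = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        if src in seen:
            continue
        seen.add(src)
        records.append((f"07:00:{len(records) % 60:02d}", src, "twitter.com", "A"))
    return records


if __name__ == "__main__":
    for key, value in source_stats(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
    flood = source_stats(spoofed_flood(1000))
    print("one spoofing sender, 1000 packets ->", flood["distinct_sources"], "distinct sources")
```

On the constructed sample the raw count is nine distinct sources, five of which are provably forged, leaving at most four candidate real devices; the random-source flood shows the other direction, a single sender producing as many "distinct IPs" as it sends packets. The bogon check is the only conclusive one here; telling a spoofed routable address from a real one needs ingress filtering (BCP 38) at the originating networks or flow data from upstream, not the victim's query log alone.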
Many questions, but few answers
While the what is clear -- a massive DNS DDoS attack that affected millions of internet users -- questions continue to swirl, as experts expose pieces of the puzzle.
Early speculation that the Dyn DNS DDoS attack leveraged the Mirai botnet was reported to have been confirmed by both Flashpoint and Akamai.
"Some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware," security company Flashpoint wrote. However, the company noted that while it "has confirmed that Mirai botnets were used in the October 21, 2016, attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against 'Krebs on Security' and OVH."
Meanwhile, Mikko Hypponen, chief research officer for Finland-based F-Secure Corp., reported on an ad on a dark web site offering DDoS as a service:
"The for-sale ad in question was posted to AlphaBay on October 4th, a couple of days after the Mirai source code was published." https://t.co/1bSBI9KvFL — Mikko Hypponen (@mikko), October 23, 2016
Following up on that report, Forbes discovered a seller on the Tor-based AlphaBay market offering 1 Tbps of DDoS traffic, from a 100,000-strong botnet, for $7,500. Forbes reported the seller claimed to have created a Mirai-based botnet just days after the Mirai botnet code was released.
As for who was behind the attack, information security expert Bruce Schneier last month wrote about an entity apparently probing the internet to detect weak points. "Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the internet," he wrote.
However, Schneier did not think the Dyn DNS DDoS was part of that probing effort, nor could it be attributed to China. "I think it's more likely related to the DDoS attacks against Brian Krebs than the probing attacks against the internet infrastructure, despite how prescient that essay seems right now," he wrote. "And, no, I don't think China is going to launch a pre-emptive attack on the internet."
While Chinese hackers may -- or may not -- be behind the attack, many of the IoT devices used in the Mirai-based botnets were manufactured there. One Chinese company, Hangzhou Xiongmai Technology Co. Ltd., a manufacturer of parts for surveillance cameras, said it would recall some of its products sold in the U.S., according to a Reuters report.
One key question that has yet to be answered revolves around attribution. The attacks were carried out, at least in part, with devices enrolled in the Mirai botnet, but there is no indication of who was behind the attacks.