This content is part of the Essential Guide: How the Mirai botnet changed IoT security and DDoS defense
News Stay informed about the latest enterprise technology news and product updates.

Details emerging on Dyn DNS DDoS attack, Mirai IoT botnet

As more details emerge on last week's massive Dyn DNS DDoS, new analysis indicated as few as 100,000 Mirai IoT botnet nodes were enlisted in the incident and reported attack rates up to 1.2 Tbps.

More details are coming out about last week's massive DNS DDoS attack. And although the incident is still under...

investigation, domain name server provider Dyn posted a more detailed analysis of the distributed denial-of-service attack.

Initial results indicated the attacks originated from at least one Mirai internet of things (IoT) botnet, and Dyn estimated as many as 100,000 endpoints were involved -- far less than the original report of "tens of millions of IP addresses" -- but enough to generate unverified reports that the volume of the attack traffic reached as high as 1.2 Tbps.

"Early observations of the TCP attack volume from a few of our data centers indicate packet flow bursts 40 to 50 times higher than normal. This magnitude does not take into account a significant portion of traffic that never reached Dyn due to our own mitigation efforts, as well as the mitigation of upstream providers," wrote Scott Hilton, executive vice president of products at Dyn, based in Manchester, N.H., in an updated analysis of the DNS DDoS. "There have been some reports of a magnitude in the 1.2 Tbps range; at this time, we are unable to verify that claim."

Hilton explained the early estimates of tens of millions of IP addresses were due to "the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analyzing the data, but the estimate at the time of this report is up to 100,000 malicious endpoints."

"We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets," Hilton wrote. "Dyn is collaborating in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attackers."

Dyn's defense against the DNS DDoS began with its automated-response techniques, but after the magnitude of the attack became clear, Hilton wrote that additional mitigation tactics were used. "These techniques included traffic-shaping incoming traffic, rebalancing of that traffic by manipulation of anycast policies, application of internal filtering and deployment of scrubbing services."

Insight into Mirai IoT botnet

Meanwhile, Arbor Networks Inc. researchers provided further insight into the Mirai IoT botnet, finding the original Mirai botnet included roughly 500,000 IoT devices, with clusters around the world, including in China, Hong Kong, Taiwan, South Korea, Southeast Asia, Brazil, Spain and elsewhere.

"Mirai is capable of launching multiple types of DDoS attacks, including SYN-flooding, UDP [User Datagram Protocol] flooding, Valve Source Engine query-flooding, GRE [Generic Routing Encapsulation]flooding, ACK-flooding (including a variant intended to defeat intelligent DDoS mitigation systems, or IDMSes), pseudo-random DNS label-prepending attacks (also known as DNS 'Water Torture' attacks), HTTP GET attacks, HTTP POST attacks, and HTTP HEAD attacks," read Arbor's report, authored by Roland Dobbins, principal engineer, and Steinthor Bjarnason, network security research engineer, both at Arbor's ASERT team.

"While none of the DDoS attack capabilities of Mirai observed to date are new or unique, it is a flexible DDoS attack-generation system and can launch high-volume, nontrivial DDoS attacks when wielded by a capable attacker. Mirai features segmented command-and-control, which allows the botnet to launch simultaneous DDoS attacks against multiple, unrelated targets."

In other news:

  • Microsoft warns users about Hicurdismos, "a fake Microsoft Security Essentials installer that can lead to a support call scam." The new threat masquerades as a Microsoft Security Essentials installer, which was Microsoft's antimalware product for Windows 7, XP and Vista; Hicurdismos launches the support call scam by displaying a fake blue screen of death (BSoD), prompting users with a phone number to call for technical support. "Calling the indicated support number will not fix the BSoD, but may lead to users being encouraged to download more malware under the guise of support tools or software that is supposed to fix a problem that doesn't exist," Microsoft wrote. "Interestingly, the fake BSoD screen used by Hicurdismos mimics an error message used in Windows 8 and Windows 10, so users of these new Windows versions could also be at risk of being tricked by Hicurdismos."
  • Open source content management system (CMS) project Joomla! released patches for two critical vulnerabilities this week, as well as fixing the way the project's two-factor authentication system uses encryption. Joomla! patched an account-creation flaw, assigned to CVE-2016-8870, which allows creation of new accounts even when site registration has been disabled; the other bug, assigned to CVE-2016-8869, allows users to register on a site with elevated privileges. Affected are Joomla! CMS versions 3.4.4 through 3.6.3. The project warned last week that the patches were on the way and the vulnerabilities were serious. Joomla! is the second most popular CMS, after WordPress, making it a favorite target for hackers.
  • Office 2013 now sports the same protection against macro-malware -- the ability to block users from running macros in Office documents that came from the internet -- that Microsoft granted to enterprise admins running Office 2016 back in March. Microsoft stated in its announcement "the predominant customer request we received was for this feature to be added to Office 2013."
  • All 133 of U.S. Cyber Command Mission Force teams, comprising approximately 5,000 team members, have achieved initial operating capability as of Oct. 21, according to Cybercom officials. Cyber Command Chief Michael Rogers said in a press release, "One of the reasons [Department of Defense] has done exceptionally well to rapidly train and build this force is that each branch of the military services has come to the conclusion that cyber is a mission set that requires dedicated expertise over time." The next important milestone for Cyber Command is set for Sept. 30, 2018, when all teams will be at full operational capability. Rogers had previously detailed the challenges facing the new Cyber Command at RSA 2016 earlier this year, when he said the Cyber Command will be a "high-end cyber mission force" of 6,200 people "who will be applied across the breadth of the cyber missions."

Next Steps

Find out more about how to respond when your DNS provider is hit by a DDoS attack.

Learn about how enterprises can mitigate DDoS attacks.

Read about research being done into DDoS DNS amplification attacks.

Dig Deeper on DDoS attack detection and prevention