Investigators pin Dyn DDoS attack on Mirai

Oct 23, 2016 21:10 GMT  ·  By

Kyle York, Chief Strategy Officer for Dyn, says the Mirai botnet is the main culprit behind the massive DDoS attack that hit his company and caused many popular websites to become inaccessible on Friday and Saturday, October 21 and 22.

York said that his company worked with Akamai and Flashpoint to analyze the source of the junk traffic that targeted its managed DNS services, which provide on-demand DNS servers for popular websites such as Reddit, Imgur, Twitter, GitHub, Spotify, Soundcloud, PayPal, Yelp, and others.

Because of this DDoS attack, Dyn's authoritative DNS servers could not answer queries for the aforementioned services, so the resolvers used by browsers and apps could not turn a hostname such as "domain.com" into an IP address to connect to. The websites became inaccessible even though the failure was in name resolution, not at the sites themselves.
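The mechanism behind that outage, as an added illustration that is not part of the article: a recursive resolver answers from its cache until a record's TTL expires and only then has to ask an authoritative server again, so a site whose only authoritative provider is down drops off the Internet one resolver at a time as cached answers age out, while a site that also publishes its zone through a second provider keeps resolving. The toy resolver below models exactly that; the provider names, the `example.com` record, its TTL and the probe timeline are invented for the example.

```python
"""Toy caching resolver showing why an authoritative DNS outage takes a site
offline only once cached answers expire, and why a second authoritative
provider keeps it resolvable. Added example; names, TTLs and times are invented."""


class ResolutionError(Exception):
    """Raised when no authoritative server answers and the cache is stale."""


class AuthoritativeServer:
    def __init__(self, name, records):
        self.name = name
        self.records = records  # qname -> (ip, ttl_seconds)
        self.up = True

    def query(self, qname):
        if not self.up:
            raise TimeoutError(self.name)
        return self.records[qname]


class CachingResolver:
    """Stub of a recursive resolver: answers from cache while the record's TTL
    has not expired, otherwise tries each authoritative server in turn."""

    def __init__(self, servers):
        self.servers = servers
        self.cache = {}  # qname -> (ip, expires_at)

    def resolve(self, qname, now):
        cached = self.cache.get(qname)
        if cached and now < cached[1]:
            return cached[0], "cache"
        for server in self.servers:
            try:
                ip, ttl = server.query(qname)
            except TimeoutError:
                continue  # this provider is unreachable, try the next one
            self.cache[qname] = (ip, now + ttl)
            return ip, server.name
        raise ResolutionError(qname)


def simulate(outage_at, probes, ttl, second_provider):
    """Resolve example.com at each probe time (seconds) and return
    {time: where the answer came from}, with "FAIL" where resolution failed.
    The primary provider goes down at outage_at and stays down."""
    records = {"example.com": ("203.0.113.10", ttl)}  # documentation address
    primary = AuthoritativeServer("provider-A", records)
    servers = [primary]
    if second_provider:
        servers.append(AuthoritativeServer("provider-B", dict(records)))
    resolver = CachingResolver(servers)
    outcome = {}
    for t in probes:
        if t >= outage_at:
            primary.up = False
        try:
            _, source = resolver.resolve("example.com", t)
        except ResolutionError:
            source = "FAIL"
        outcome[t] = source
    return outcome


if __name__ == "__main__":
    probes = [0, 60, 299, 300, 3600]
    print("single provider :", simulate(30, probes, ttl=300, second_provider=False))
    print("two providers   :", simulate(30, probes, ttl=300, second_provider=True))
```

With one provider, the answer cached at t=0 carries the site through the first five minutes of the outage and resolution fails the moment the TTL runs out; with a second provider the resolver simply fails over. Real resolvers differ in detail (some serve stale answers past the TTL, as RFC 8767 later standardised), but the TTL window and the value of provider diversity are the same.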

Dyn says tens of millions of IP addresses took part in the attack

York didn't reveal the size of the attack, but said that tens of millions of IPs blasted Dyn's servers with junk traffic, most of it from devices that appeared to be infected with the Mirai malware.

"The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations," York says. "We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack."

Some dispute this figure and say that Dyn simply counted randomly spoofed source addresses. That may well be true: very few botnets have ever reached 10 million bots, let alone tens of millions, and a flood whose packets carry forged source addresses shows far more distinct IPs than there are attacking devices (see the tweets at the end of the article).
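One way a defender can test the spoofing explanation from the traffic itself, as an added example that is not from the article or from Dyn, Akamai or Flashpoint: a real host never sends from a reserved or non-routable range, but a uniformly random 32-bit source address lands in one with a fixed probability (about 13.8% for the ranges listed below). The share of observed sources that are bogons therefore gives an estimate of how much of the "unique IP" count is random spoofing. The sample flood below is constructed, not a capture; the pool of "real" prefixes and the 50/50 mix are assumptions of the example.

```python
"""Added example: estimate what fraction of a flood's distinct source IPs are
randomly spoofed, from the rate at which they fall into reserved ranges.
The sample traffic is constructed, not a real capture."""
import ipaddress
import random

# Reserved / non-routable IPv4 ranges. Kept non-overlapping so sizes add up.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/3",  # multicast plus the former class E block
)]

# Probability that a uniformly random 32-bit address is a bogon (about 0.138).
P_BOGON = sum(n.num_addresses for n in BOGON_NETS) / 2 ** 32


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGON_NETS)


def estimate_spoofed_fraction(sources):
    """sources: distinct source IP strings seen in the flood.
    Returns the estimated fraction that are uniformly random spoofed
    addresses: observed bogon rate divided by the expected rate for random
    addresses, capped at 1.0."""
    sources = list(sources)
    if not sources:
        return 0.0
    bogons = sum(is_bogon(s) for s in sources)
    return min(1.0, bogons / len(sources) / P_BOGON)


def constructed_sample(n_real, n_spoofed, seed=1):
    """Constructed data: n_real distinct addresses from a small pool of
    routable /16s (standing in for infected devices) plus n_spoofed uniformly
    random 32-bit addresses (standing in for forged sources)."""
    rng = random.Random(seed)
    real_prefixes = ["185.10", "45.33", "91.121", "200.55", "103.8"]  # all routable
    real = set()
    while len(real) < n_real:
        real.add(f"{rng.choice(real_prefixes)}.{rng.randrange(256)}.{rng.randrange(256)}")
    spoofed = [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(n_spoofed)]
    return sorted(real) + spoofed


if __name__ == "__main__":
    flood = constructed_sample(n_real=5000, n_spoofed=5000)
    print(f"distinct sources: {len(flood)}")
    print(f"estimated spoofed fraction: {estimate_spoofed_fraction(flood):.2f}")
```

The heuristic only catches spoofing that draws source addresses uniformly; an attacker who forges addresses from routable space alone defeats it, and it says nothing about whether a given non-bogon address is a real bot. It is a quick sanity check on a headline number, not an attribution method.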

Besides Mirai, other botnets also seem to have been involved, according to people with knowledge of the attacks.

Akamai and Flashpoint confirm Mirai's involvement

Mirai, which appeared at the start of September, is a malware family that targets Linux-based Internet of Things (IoT) devices, such as DVRs, CCTV systems, and IP cameras. It spreads by scanning the Internet for devices with telnet exposed and logging in with a short list of factory-default usernames and passwords, which is why it reaches devices that are rarely patched or reconfigured by their owners.

The original Mirai botnet is credited with the two biggest DDoS attacks publicly known at the time: around 1.1 Tbps against French hosting provider OVH, and 620 Gbps against KrebsOnSecurity.

Following those attacks, to avoid scrutiny from security researchers and law enforcement authorities, Anna_senpai, Mirai's author, publicly released the malware's source code, which resulted in numerous copycat botnets popping up around the Internet. This has made tracking down the original author and the location of the original botnet much harder.

Dyn's attribution of the attack to a Mirai-based botnet was confirmed by Akamai, the company that provided DDoS protection for KrebsOnSecurity, and by Flashpoint, the security firm that first identified the KrebsOnSecurity DDoS as coming from Mirai.

"It is unknown if the attacks against Dyn DNS are linked to the DDoS attacks against Krebs, OVH, or other previous attacks," Flashpoint analysts say. "Given the proliferation of the Mirai malware, the relationship between the ongoing Dyn DDoS attacks, previous attacks, and 'Anna_Senpai' is unclear."

Regardless of who was behind the attack, it appears to have taken a toll on Dyn's business.