Kyle York, Chief Strategy Officer for Dyn, says the Mirai botnet is the main culprit behind the massive DDoS attack that hit his company and caused many popular websites to become inaccessible on Friday and Saturday, October 21 and 22.
York said that his company worked with Akamai and Flashpoint to analyze the source of the junk traffic that targeted its managed DNS services, which provide on-demand DNS servers for popular websites such as Reddit, Imgur, Twitter, GitHub, Spotify, Soundcloud, PayPal, Yelp, and others.
Because of this DDoS attack, Dyn's DNS servers weren't able to resolve DNS queries for the aforementioned services, and users couldn't access those websites, because their browsers and apps couldn't resolve the "domain.com" text into the IP address they needed to connect to.
Tens of millions of Mirai infected devices participated in the attack
York didn't reveal the size of the attack, but said that tens of millions of IPs blasted Dyn servers with junk traffic, most of which came from devices that appeared to be infected with the Mirai malware.
"The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations," York says. "We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack."
Some dispute these claims and say that Dyn just counted randomly spoofed IP addresses, which may in fact be true, since very few botnets have ever reached 10 million bots, let alone tens of millions (see tweets at the end of the article).
Besides Mirai, other botnets also seem to have been involved, according to people with knowledge of the attacks.
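The dispute above turns on whether a count of distinct source IPs means anything when sources can be spoofed. The following is an added example, not Dyn's, Akamai's or Flashpoint's analysis code, of two cheap checks an analyst can run over captured source addresses: uniformly random 32-bit sources almost never repeat and land in non-routable space roughly 14% of the time, while real infected hosts keep one routable address across many packets. All traffic in it is constructed.

```python
# Added example: heuristics for judging whether a "distinct source IPs" figure
# from a flood is a plausible bot count or is inflated by spoofed sources.
import ipaddress
import random
from collections import Counter

SHARED = ipaddress.ip_network("100.64.0.0/10")  # carrier-grade NAT space


def is_bogon(addr: str) -> bool:
    """True if addr lies in space that cannot be a genuine public-Internet source."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_reserved or ip.is_multicast or ip.is_loopback
            or ip.is_link_local or ip.is_unspecified or ip in SHARED)


def assess_sources(sources):
    """Return (distinct_ips, packets_per_ip, bogon_fraction, verdict).

    Random 32-bit sources: packets_per_ip near 1.0, bogon_fraction near 0.14.
    Real hosts: packets_per_ip well above 1, bogon_fraction near 0.
    """
    counts = Counter(sources)
    total = sum(counts.values())
    distinct = len(counts)
    bogons = sum(n for ip, n in counts.items() if is_bogon(ip))
    packets_per_ip = total / distinct
    bogon_fraction = bogons / total
    if bogon_fraction > 0.05 or packets_per_ip < 1.05:
        verdict = "likely spoofed: distinct-IP count is not a bot count"
    else:
        verdict = "sources repeat and are routable: consistent with infected hosts"
    return distinct, packets_per_ip, bogon_fraction, verdict


def random_sources(n, seed=1):
    """Constructed flood whose source field is a fresh random 32-bit value per packet."""
    rng = random.Random(seed)
    return [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(n)]


def botnet_sources(bots, packets_each, seed=2):
    """Constructed flood from a fixed set of routable hosts, each sending many packets."""
    rng = random.Random(seed)
    hosts = set()
    while len(hosts) < bots:
        candidate = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        if not is_bogon(candidate):
            hosts.add(candidate)
    return sorted(hosts) * packets_each
```

Running `assess_sources(random_sources(20000))` against `assess_sources(botnet_sources(500, 40))` shows the two signatures side by side; the thresholds are illustrative and should be tuned against known-good traffic.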
Akamai and Flashpoint confirm Mirai's involvement
Mirai, which appeared at the start of September, is a malware family that targets Linux-based Internet of Things (IoT) devices, such as DVRs, CCTV systems, and IP cameras.
The original Mirai botnet is responsible for the two biggest DDoS attacks known to date, of 1.1 Tbps against French ISP OVH, and of 620 Gbps against KrebsOnSecurity.
Following those attacks, to avoid scrutiny from security researchers and law enforcement authorities, Anna_senpai, Mirai's author, leaked the malware's source code, which resulted in numerous botnets popping up around the Internet. This has made tracking down the original author and the location of his botnet much harder.
Dyn's confirmation that a Mirai-based botnet was behind the attack came from Akamai, the company that provided DDoS protection for KrebsOnSecurity, and Flashpoint, the security firm that identified the KrebsOnSecurity DDoS as coming from Mirai in the first place.
"It is unknown if the attacks against Dyn DNS are linked to the DDoS attacks against Krebs, OVH, or other previous attacks," Flashpoint analysts say. "Given the proliferation of the Mirai malware, the relationship between the ongoing Dyn DDoS attacks, previous attacks, and 'Anna_Senpai' is unclear."
Regardless of who was behind the attack, Dyn's business seems to have taken a hit.
Major sites have made DNS nameserver changes over last 24 hours either away from or diversifying from Dyn. Suggests it had big biz impact. — Kevin Beaumont (@GossiTheDog) October 22, 2016
If the Flashpoint stat about 10% of M botnets hitting Dyn is accurate, a *guesstimate* would be about 100gbps of traffic. — Kevin Beaumont (@GossiTheDog) October 22, 2016
Dyn claiming 10s of millions of Mirai IPs hit them, I don't believe that for a second. https://t.co/4ArtZP1yyK — MalwareTech (@MalwareTechBlog) October 22, 2016
@MalwareTechBlog Most likely spoofed source address, there aren't anywhere near 10m infected Mirai devices, never mind 10s of millions. — MalwareTech (@MalwareTechBlog) October 22, 2016
One of the smaller Mirai botnets just launched attacks for 35 seconds against Cloudflare, Akamai, and a random OVH server. From @2sec4u — MalwareTech (@MalwareTechBlog) October 22, 2016