A Mirai botnet has been identified as the mechanism behind the massive distributed denial of service (DDoS) attack that temporarily took down some of the world’s largest Web sites on October 21, 2016, an incident that also underscores the growing vulnerability of Internet of Things (IoT) devices.
Scott Hilton, Dyn’s EVP of Product, confirmed in an Oct. 26 post on the company’s blog that a Mirai botnet was the primary source of malicious attack traffic.
“The Friday October 21, 2016 attack has been analyzed as a complex & sophisticated attack, using maliciously targeted, masked TCP and UDP traffic over port 53,” Hilton wrote. Because legitimate recursive DNS resolvers retry queries that go unanswered, the attack also generated compounding retry traffic that magnified its impact on the targeted zones.
Dyn, a cloud-based Internet performance management company, saw its managed DNS infrastructure targeted in the attack. The company is participating in a criminal investigation of the Oct. 21 DDoS and will not speculate as to the identity or motives of the perpetrator or perpetrators, Hilton wrote.
Mirai Botnet Attack
Dyn management issued a statement shortly after the DDoS attack on its infrastructure and provided continual updates to the media regarding its impacts and the company’s efforts to minimize damages and thwart any recurrence.
Two massive DDoS attacks on its managed DNS infrastructure occurred on Friday, Oct. 21, the first from 11:10 to 13:20 UTC and the second from 15:50 to 17:00 UTC. Company engineering and operations teams were able to mitigate them, but not before significant impacts were felt by customers and end users, Hilton recounts.
High, anomalous bandwidth across its managed DNS platform in the Asia-Pacific, Eastern Europe, South America and U.S. West regions signaled that a DDoS attack was under way. As Dyn initiated its incident response protocols, the attack abruptly shifted and zeroed in on Dyn’s POPs in its U.S.-East region.
Dyn staff responded by initiating additional countermeasures. “These techniques included traffic-shaping incoming traffic, rebalancing of that traffic by manipulation of anycast policies, application of internal filtering and deployment of scrubbing services. Mitigation efforts were fully deployed by 13:20 UTC; the [initial] attack subsided shortly after,” Hilton elaborates.
Dyn was able to recover from the second attack and restore normal service by 17:00 UTC, though residual impacts were still being felt from additional sources until about 20:30.
Dyn then began an extensive analysis, which continued as it thwarted smaller, probing TCP attacks that occurred over ensuing hours and days.
Distinguishing legitimate from malicious traffic can be difficult during DDoS attacks that use the DNS protocol, Hilton points out. “We saw both attack and legitimate traffic coming from millions of IPs across all geographies. It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be.”
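The retry-storm effect Hilton describes can be made concrete with a small triage script. The example below is added here and is not code from Dyn or from the article; it builds a constructed authoritative-server query log (not real Dyn data), profiles each source IP by query rate and by how many distinct left-most labels it asks for, and separates sources that look like resolvers retrying an unanswered name from sources that look like a flood. The thresholds, the log format and the random-subdomain flood pattern are assumptions for illustration; the point is that a raw count of unique source IPs overstates the botnet, because every retrying resolver counts as one more "attacker".

```python
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    ts: float    # seconds since the start of the observation window
    src: str     # source IP as seen by the authoritative server
    qname: str   # queried name


# Illustrative thresholds (assumptions for this example, not figures from Dyn or the article).
MAX_RESOLVER_QPS = 5.0      # a resolver retrying an unanswered query stays far below this
MAX_RESOLVER_LABELS = 20    # it re-asks a handful of names, not hundreds of random ones


def parse_log(text: str) -> list[Query]:
    """Parse constructed 'ts src qname' lines; blank lines and '#' comments are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, qname = line.split()
        out.append(Query(float(ts), src, qname.lower().rstrip(".")))
    return out


def profile(queries: list[Query]) -> dict[str, dict]:
    """Per-source query rate and name diversity over the observation window."""
    by_src: dict[str, list[Query]] = defaultdict(list)
    for q in queries:
        by_src[q.src].append(q)
    stats = {}
    for src, qs in by_src.items():
        qs.sort(key=lambda q: q.ts)
        span = max(qs[-1].ts - qs[0].ts, 1.0)   # floor at 1 s so a burst is not divided by ~0
        leftmost = {q.qname.split(".")[0] for q in qs}
        stats[src] = {"count": len(qs), "qps": len(qs) / span, "labels": len(leftmost)}
    return stats


def classify(stats: dict[str, dict]) -> dict[str, str]:
    """'attack' for flood-like sources, 'retry' for sources that behave like a retrying resolver."""
    verdict = {}
    for src, s in stats.items():
        flood = s["qps"] > MAX_RESOLVER_QPS or s["labels"] > MAX_RESOLVER_LABELS
        verdict[src] = "attack" if flood else "retry"
    return verdict


def summarize(queries: list[Query]) -> dict[str, int]:
    """Apparent source count versus the subset whose behaviour actually looks like attack traffic."""
    verdict = classify(profile(queries))
    attack = sum(1 for v in verdict.values() if v == "attack")
    return {"apparent_sources": len(verdict),
            "attack_sources": attack,
            "retry_sources": len(verdict) - attack}


def build_sample(seed: int = 1) -> list[Query]:
    """Constructed traffic mix (not real data): retrying resolvers plus a few flood sources."""
    rng = random.Random(seed)
    qs = []
    # 50 legitimate resolvers, each re-asking the same unanswered name with back-off.
    for i in range(50):
        src = f"198.51.100.{i + 1}"
        for t in (0.0, 1.0, 3.0, 7.0, 15.0):
            qs.append(Query(t + i * 0.01, src, "www.example.com"))
    # 5 flood sources sending random-subdomain queries at hundreds of queries per second.
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    for i in range(5):
        src = f"203.0.113.{i + 1}"
        for n in range(300):
            label = "".join(rng.choice(alphabet) for _ in range(8))
            qs.append(Query(n * 0.002, src, f"{label}.example.com"))
    # 2 flood sources hammering one name with identical queries.
    for i in range(2):
        src = f"192.0.2.{i + 1}"
        for n in range(500):
            qs.append(Query(n * 0.001, src, "www.example.com"))
    return qs


if __name__ == "__main__":
    # 57 distinct IPs appear, but only 7 behave like a flood.
    print(summarize(build_sample()))
```

In a real incident the split is far less crisp than this: a large shared resolver legitimately exceeds both thresholds, bots can pace themselves under the rate limit, and the real triage also looks at transport (UDP versus TCP fallback), EDNS options and query-type mix. That ambiguity is exactly why Hilton notes that legitimate and attack traffic were arriving from millions of IPs at once.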
The DNS DDoS attack raises critical questions regarding the security of Internet of Things devices that need to be addressed, as well as the possible shape and form of the Internet in years to come, Hilton added.
“This attack has opened up an important conversation about internet security and volatility. Not only has it highlighted vulnerabilities in the security of “Internet of Things” (IOT) devices that need to be addressed, but it has also sparked further dialogue in the Internet infrastructure community about the future of the internet.”
Image courtesy of flickr user Blue Coat Photos.