
Dyn reveals details of complex and sophisticated IoT botnet attack

DNS services provider Dyn, which was the victim of a large-scale DDoS attack perpetrated by an IoT botnet earlier in October, discusses details of its experience

Domain name system (DNS) services supplier Dyn has revealed details of the Friday 21 October 2016 distributed denial of service (DDoS) attack on its network, which rendered a number of web services unusable.

The two-phase attack began at approximately 11:10 UK time, and lasted until around 17:00. It affected downstream services including Airbnb, Amazon Web Services, Box, FreshBooks, GitHub, GoodData, Heroku, Netflix, The New York Times, PayPal, Reddit, Shopify, Spotify, Twitter, Vox and Zendesk.

As previously reported, the attack was perpetrated by a malicious internet of things (IoT) botnet utilising the Mirai malware code, which was released into the wild on an underground forum at the start of October 2016, immediately prompting fears of more widespread attacks using insecure IoT devices.

Dyn said the attack on its network was highly complex and sophisticated, using maliciously targeted, masked transmission control protocol (TCP) and user datagram protocol (UDP) traffic over port 53. It also generated compounding recursive DNS retry traffic, meaning its impact was even more pronounced.

Writing on the company’s website, Dyn’s executive vice-president of product, Scott Hilton, said the firm’s teams became aware at first of elevated bandwidth against its platform in Asia-Pacific, South America, Eastern Europe and the Western US that presented in a way associated with a DDoS attack.

Having initiated its response protocols, Dyn found the attack vector suddenly changed, homing in on its points of presence (PoPs) in the Eastern US.

In response to this, its teams deployed traffic-shaping and rebalancing technology, applied internal filtering and deployed scrubbing services to mitigate the attack. This was, by and large, successful, with the initial phase subsiding at 13:20.

The second attack began at around 15:50, and was more globally diverse, although as it deployed the same protocols it was more easily dealt with, and this attack had subsided by 17:00. A number of smaller probing TCP attacks have since taken place; however, Dyn said it was able to prevent any further customer impact from these.


Hilton said Dyn saw between 10 and 20 times normal traffic volume during the attack, including legitimate retry traffic from servers trying to refresh their caches, from millions of IP addresses worldwide, with packet flow bursts 40 to 50 times higher than normal.

“It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analysing the data, but the estimate at the time of this report is up to 100,000 malicious endpoints,” he said.

“There have been some reports of a magnitude in the 1.2Tbps range; at this time we are unable to verify that claim,” Hilton added.

The firm is continuing to analyse the attack, given its unusual complexity and severity, and is extending and scaling its preventative measures for future use.

“This attack has opened up an important conversation about internet security and volatility. Not only has it highlighted vulnerabilities in the security of IoT devices that need to be addressed, but it has also sparked further dialogue in the internet infrastructure community about the future of the internet,” said Hilton. 

“As we have in the past, we look forward to contributing to that dialogue,” he added.

Responsibility disputed

An independent investigation of the attack by Flashpoint, a supplier of threat intelligence services, suggested that, despite some early reports, the perpetrators behind the attack were most likely unorganised and not working for financial gain.

It disputed various claims on underground forums that the Russian government, WikiLeaks and a group known as New World Hackers may have been responsible, describing them as dubious and probably false.

According to Flashpoint director of security research, Allison Nixon, the infrastructure behind the attack also targeted a well-known video game company, which she said was less indicative of hacktivists or state actors, and more likely associated with script kiddies who frequent online hacking forums.

“They can be motivated by financial gain, but just as often will execute attacks such as these to show off, or to cause disruption and chaos for sport,” said Nixon. “Flashpoint assesses with moderate confidence that the most recent Mirai attacks are likely connected to the English-language hacking forum community.”

Nixon added that the attack was probably not financially motivated, as such attacks tend to target enterprises, online gambling sites or Bitcoin exchanges.

“There have been no publicly available indicators of extortion – attempted or not – against Dyn DNS or any of the sites affected by the attack,” she said.
