Dyn DDoS attack came from 100,000 infected devices

DNS service provider Dyn says Mirai-powered botnets were the primary source for Friday's disruption

Friday's massive internet disruption came from hackers using an estimated 100,000 devices, many of which have been infected with a notorious malware that can take over cameras and DVRs, said DNS provider Dyn.

"We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets," Dyn said in a Wednesday blog post.

The malware known as Mirai had already been blamed for causing at least part of Friday's distributed denial-of-service attack, which targeted Dyn and slowed access to many popular sites in the U.S.

But on Wednesday, Dyn provided new findings, saying Mirai-infected devices were actually the primary source for Friday's internet disruption.

The statement also suggests that the hackers behind the attack may have been holding back. Companies have observed variants of the Mirai malware spreading to more than 500,000 devices built with weak default passwords, making them easy to infect.

Given that Friday's disruption involved only 100,000 devices, it's possible the hackers could have launched an even more powerful DDoS attack, said Ofer Gayer, a security researcher with Imperva, a DDoS mitigation provider.

"Maybe this was just a warning shot," he said. "Maybe [the hackers] knew it was enough and didn't need their full arsenal."

Hackers have typically used DDoS attacks to flood individual websites with an overwhelming amount of traffic, forcing them offline. Often times, the goal is extortion, Gayer said. But last Friday's attack stood out for targeting Dyn, a vital internet infrastructure provider, and slowing access to more than a dozen sites.

"Somebody actually pulled the trigger," Gayer said. "They built the largest botnet they could to take down the biggest targets."

In addition to Friday's incident, Imperva has noticed Mirai-powered botnets attacking its own website and those belonging to its clients. One attack in August was fairly large at 280 Gbps of traffic.

"Most companies will crumble at 10 Gbps. The biggest companies will crumble at 100 Gbps," Gayer said.

Imperva has also observed that many of the infected-Mirai devices were sourced to IP addresses in 164 countries, with a large number based in Vietnam, Brazil, and the U.S. Most of these devices are also CCTV cameras.

Although DDoS attacks are nothing new, Mirai-infected devices are able to launch exceptionally large assaults due to their sheer numbers and their access to high internet bandwidth connectivity. Last month, for instance, a Mirai botnet attacked a website owned by cybersecurity journalist Brian Krebs with 665 Gbps of traffic, temporarily taking it down.

It's still unclear who launched Friday's attack, but some security experts suspect that amateur hackers were involved. Late last month, the unknown developer of Mirai released its source code to the hacking community, meaning anyone with some hacking ability can use it.

Although Mirai has been blamed for much of last week's internet disruption, other botnets were also involved, according to internet backbone provider Level 3 Communications.

"We’ve seen at least one, maybe two behaviors that aren’t consistent with Mirai," Level 3 CSO Dale Drew said in an email.

It's possible the hackers behind Friday's attack used multiple botnets in order to avoid detection, the company added.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Michael Kan

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?