‘Sophisticated’ DNS Attack Used IoT Gadgets To Target Dyn

The distributed denial-of-service (DDoS) attack on Friday that disabled access to some of the Internet’s biggest websites was highly sophisticated and involved tens of millions of IP addresses across different vectors, according to Dyn, the domain name service (DNS) hosting company that was targeted.

The incident, which affected sites including Amazon, Twitter, GitHub, Spotify and Reddit, was in fact made up of three separate attacks, Dyn said over the weekend.

IoT botnet

The first attack began at 7 a.m. ET, or noon BST, and took out service in the east coast region for about two hours, Dyn said.

“While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different,” said Dyn chief strategy officer Kyle York in a blog post. “It was a sophisticated attack across multiple attack vectors and Internet locations.”

One source of the malicious traffic was a network of devices such as webcams and set-top video recorders controlled by Mirai, a botnet command tool whose source code was recently released to the public, according to York.

“We observed tens of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack,” he wrote, saying the findings were confirmed by analysis from security firm Flashpoint and hosting provider Akamai.

The attack didn’t affect areas outside the east coast of the US, meaning users on the west coast, for instance, were able to access Dyn customers normally.

Growing scale

A second wave of attack traffic appeared just before noon ET, and while it wasn’t limited to the east-coast area it was mitigated more quickly, in just over an hour. This attack resulted in extended latency delays for users, York said.

He confirmed that a third attack was carried out, but was fended off without affecting customers.

IT security experts said the scale of such attacks has grown appreciably in recent months, in part due to new botnets such as Mirai that control of millions of unprotected Internet-connected devices.

The changes mean the companies charged with mitigating such bursts of traffic must take new measures to be able to handle upcoming attacks, experts said.

“With the significant increase in attack sizes over the past 18 months, which now often surpassing bursts of half a terabit per second, many infrastructure and SaaS providers are looking to beef up their overall capacity and DDoS mitigation measures,” stated Marc Gaffan, vice president at IT security firm Imperva for its Incapsula products.

Incapsula was one of the first to detect large-scale attacks launched from networks of connected gadgets, last year reporting on a malicious network made up of webcams.

Over the weekend Chinese electronics firm Hangzhou Xiongmai issued a recall in the US for the webcams identified as playing a role in the attack on Dyn, but research firm IDC anticipates there will be more than 28 billion IoT devices installed over the next four years.

Are you a security pro? Try our quiz!