DNS firm Dyn has released more details of the massive DDoS attack that caused outages at major internet firms last Friday, claiming it was powered by just 100,000 malicious endpoints.
There has been much speculation about the size of the attack, which took out many Dyn customers including Twitter, Reddit and Spotify.
Dyn said earlier this week it came from “tens of millions” of IP addresses, but the new estimate will be a relief to many industry watchers.
The firm confirmed the majority of those endpoints were IoT based and infected with the Mirai malware made open source at the end of last month. They flooded Dyn with TCP and UDP traffic over port 53, explained product EVP Scott Hilton.
He also confirmed how a relatively small botnet had caused so much damage:
“During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic. For example, the impact of the attack generated a storm of legitimate retry activity as recursive servers attempted to refresh their caches, creating 10-20X normal traffic volume across a large number of IP addresses. When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume. We saw both attack and legitimate traffic coming from millions of IPs across all geographies. It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be.”
It remains to be seen exactly how large the attack was, although Hilton claimed TCP “packet flow bursts 40 to 50 times higher than normal,” but this doesn’t take into account the traffic blocked by Dyn and upstream providers.
Initial reports put it at 1.2Tbps, which would make it roughly double the massive DDoS attack that took down the Krebs on Security site recently.
"Effective DDoS mitigation is synonymous with accurate traffic filtering. For that reason, DNS amplification attacks are actually easier to deflate as all uninitiated DNS responses are highly suspect and could be filtered on-edge, without any impact on the regular traffic flow. For example, one could categorically drop all unexpected DNS responses to port 53,” explained Imperva product manager, Ofer Gayer.
“However, this isn’t the case for seemingly legitimate DNS flood queries, which cannot be dismissed before they are individually processed at the server level. With on-edge filtering bypassed, and the path to the server CPU cores laid wide open, DNS floods have the potential to bring down even the most resilient of networks."