Dyn Issues Statement on ‘Sophisticated, Highly-distributed’ DDoS Attack


In light of the Distributed Denial of Service (DDoS) attack on its managed DNS infrastructure last Friday (21 October), which resulted in internet disruption to several well-known SaaS applications and internet sites including Amazon, Twitter, GitHub and The Boston Globe, Dyn has released a statement detailing the attack and its investigations into the matter thus far.

In a post on the firm’s website Kyle York, Dyn’s chief strategy officer, wrote: 

“Starting at approximately 7:00 am ET, Dyn began experiencing a DDoS attack. While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different. Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers.

“Unfortunately, during that time, internet users directed to Dyn servers on the East Coast of the US were unable to reach some of our customers’ sites, including some of the marquee brands of the internet. We should note that Dyn did not experience a system-wide outage at any time – for example, users accessing these sites on the West Coast would have been successful.”

After restoring service, York continued, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to our East Coast POPs), but was mitigated in just over an hour; service was restored at approximately 1:00 pm ET. Again, at no time was there a network-wide outage, though some customers would have seen extended latency delays during that time.

“News reports of a third attack wave were verified by Dyn based on our information. While there was a third attack attempted, we were able to successfully mitigate it without customer impact.”

In terms of the anatomy of the attack, York said that at this point it appears it was a sophisticated, highly-distributed operation involving tens of millions of IP addresses.

“We are conducting a thorough root cause and forensic analysis, and will report what we know in a responsible fashion. The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations.

“We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack,” he added.

As AlienVault's Javvad Malik explained, the Mirai botnet is malware designed to take control of the BusyBox systems that are commonly used in IoT devices.

“The Mirai botnet has given us the first real glimpse into the power of an IoT botnet and the damage that can be done,” he wrote. “With no patching feasible for most devices, there is no easy fix in sight. IoT device manufacturers will need to consider architecting fundamental security principles into the designs, such as avoiding the use of default credentials.

“Until such a time that IoT devices have secure options, these devices will continue to feature prominently at the forefront of cybersecurity attacks.”
