Dyn DDoS attack: The aftermath


On October 21, New Hampshire-based Internet performance management company Dyn suffered the largest DDoS attack ever to be registered.


The attacks – there were three, in relatively quick succession, but the last one was easily mitigated – were aimed at the company’s managed DNS infrastructure. They resulted in the temporary inaccessibility of many websites and online services such as Twitter, GitHub, PayPal, Etsy, and so on.

What Dyn says about the attacks

“At this point we know this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses. We are conducting a thorough root cause and forensic analysis, and will report what we know in a responsible fashion,” Dyn’s Chief Strategy Officer Kyle York shared on Saturday.

“The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

Deadly Mirai

According to Flashpoint, the Mirai botnets that were used in the attack against Dyn “were separate and distinct botnets” from those used to execute the DDoS attacks against Brian Krebs’ blog and French Internet service and hosting provider OVH.

“Earlier this month, ‘Anna_Senpai,’ the hacker operating the large Mirai botnet used in the Krebs DDoS, released Mirai’s source code online. Since this release, copycat hackers have used the malware to create botnets of their own in order to launch DDoS attacks,” they noted.

Mirai is easily flushed from infected devices – mostly routers, DVRs or WebIP cameras, Linux servers, and Internet of Things devices running BusyBox – by rebooting them, but if their owners don’t take measures to protect them, they’ll end up infected again in a matter of minutes.

Unfortunately, some of these devices can’t be protected as they should be because of hardcoded passwords, and the fact that their manufacturers did not make it possible for them to receive updates.

At the moment, the solution to this particular problem is still unclear, although some proposals have been bandied about, including the option of “hacking back” to gain control of compromised devices. As the number of compromised IoT devices rises, you can be sure that this option will be seriously considered.

Who’s behind the attacks?

It’s currently impossible to tell for sure, and we could end up never knowing.

WikiLeaks implied that its supporters are behind it, in retaliation for Julian Assange losing Internet access at the hands of the Ecuadorian government.

Assange has been holed up for years at the country’s embassy in London. WikiLeaks has been publishing emails stolen from Hillary Clinton’s campaign chairman John Podesta, and Ecuador cut Assange’s Internet access so that WikiLeaks could not interfere in the US elections by continuing with the email leaks.

A hacker group that calls itself New World Hackers also claimed that they are behind the attacks. They told the AP that the attacks were only a test of power, and a way to expose security vulnerabilities and force changes that would eliminate them.

Some believe that the Russians are behind it all, and an American vigilante hacker that goes by the handle “The Jester” has retaliated by defacing the website of the Russian Ministry of Foreign Affairs.

Security expert Bruce Schneier still believes the likeliest culprit is the “someone” who’s been mounting probing attacks against the Internet infrastructure.

What now?

These attacks have shown how fragile the Internet is and the danger of IoT-based botnets.

Until a definitive way of disrupting these attacks and future ones is found, site owners should come up with backup plans to keep their sites online and accessible, cloud providers should work on ways to deflect larger DDoS attacks, manufacturers should start caring about implementing security, and end users should start caring about the security of the Internet-connected devices they use.

In the meantime, end users can also check whether there are any devices on their home network that are potentially accessible to hackers.

Joshua Kopstein offered helpful advice on what to do if they find any, but also pointed out that the only thing that can assure that their IoT devices won’t be co-opted into botnets is keeping them offline.