DDoS attack that took down Dyn DNS service blamed on Mirai IoT botnet
Attack that took major websites offline blamed on insecure connected devices
A distributed denial of service (DDoS) attack that took down the DNS services of web infrastructure company Dyn has been blamed on the Mirai botnet, which exploits security weaknesses in Internet of Things (IoT) devices.
The Mirai source code was released earlier this month. Internet companies were immediately put on alert that it could be used to cause havoc for their sites by allowing anyone with a grudge to use the tool to try and take sites offline.
They didn't have to wait long. It appears hackers have used the tool to hack insecure IoT devices and use them to try and deluge Dyn's systems, causing problems throughout Friday and the weekend for those trying to access websites, with Reddit, Spotify and Tumblr also affected.
Dyn's Chief Strategy Officer Kyle York posted a blog on the attack, explaining that the company had seen tens of millions of IP addresses involved in it.
"We know this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses. We are conducting a thorough root cause and forensic analysis, and will report what we know in a responsible fashion," it said.
"The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations."
He added that, thanks to analysis by security firms, it was clear the Mirai botnet was at the heart of the incident.
"We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack."
Flashpoint gave some more insight on its assessment of the incident, explaining that Mirai would have compromised devices including routers, digital video recorders (DVRs), and webcams/security cameras to carry out the attack.
"Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks," it added.
The DDoS attack began on Friday, with Dyn confirming at the time that its East Coast region was severely affected, meaning some major sites were not available.
"This attack is mainly impacting US East and is impacting Managed DNS customers in this region. Our engineers are continuing to work on mitigating this issue," the firm said.
Noted security researcher Brian Krebs was himself a recent victim of a major DDoS attack, seemingly for helping to uncover two men alleged to run a popular DDoS-for-hire bot.
He warned afterwards that the rise of insecure IoT devices could lead to major problems by making it easier for cyber crooks and anyone with a grudge to take sites offline using Mirai.
He repeated this warning and said IoT device makers must put security at the heart of their operations.
"These insecure IoT devices are going to stick around like a bad rash — unless and until there is a major, global effort to recall and remove vulnerable systems from the Internet," he said.
"In my humble opinion, this global cleanup effort should be funded mainly by the companies that are dumping these cheap, poorly-secured hardware devices onto the market in an apparent bid to own the market."