Scott Hilton, EVP of Product for Dyn, issued a statement today disclosing that a botnet of around 100,000 bots, all IoT devices infected with the Mirai malware, had been the predominant force behind the DDoS attacks on his company.
The company already issued a statement on the incident on Saturday, October 22, but only confirmed that a botnet of Mirai malware-infected devices had participated in the attacks.
Yesterday, in a second statement, Dyn revealed that after an initial analysis of the DDoS traffic, the company had identified around 100,000 sources of malicious junk traffic, all originating from devices compromised and controlled via the Mirai malware.
Hilton also entered in the attack’s technical details, saying the attackers launched a DDoS attack using DNS TCP and UDP packages, which despite being unsophisticated, managed to initially overwhelm Dyn’s protection and cause havoc in its internal systems.
Because the attack targeted its managed DNS service, the company had a hard time distinguishing from legitimate DNS queries and junk DNS data that came in via the DNS flood.
This explanation clears the air around the “tens of millions of IP addresses” remark, which Dyn made on Saturday, which many security researchers disputed.
According to Dyn, this is also the reason why its managed DNS service failed so miserably, bringing down with it a large part of the Internet, and many websites that used Dyn to manage their DNS servers, such as Reddit, Imgur, Twitter, GitHub, Soundcloud, Spotify, PayPal, and more.
“[T]he impact of the attack generated a storm of legitimate retry activity as recursive servers attempted to refresh their caches, creating 10-20X normal traffic volume across a large number of IP addresses,” Hilton explained. “When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume.”
“It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be,” Hilton also added.