As more time passes, researchers are getting insight into the size and structure of the DDoS attack against DNS provider Dyn last week, and the capabilities of the Mirai botnet.

First, Dyn released a truncated post-mortem on the attack with admittedly some omissions as a law enforcement investigation continues. Executive Vice President of Products Scott Hilton published a report yesterday that explains how the first of two sizable attacks began at 7 a.m. against its Managed DNS platform in Asia, Europe and South America before concentrating on the U.S. East region. A large number of IP addresses honed in with UDP and TCP packets targeting port 53, Hilton said.

Dyn was able to mitigate that attack before a second ramped up four hours later; this one more of a global onslaught lasting three hours before it too was mitigated.

However, a side effect of both takedowns was that the DDoS attack triggered legitimate attempts by recursive servers to retry queries and refresh their caches. This, Hilton said, multiplied the already volumetric traffic by 10 to 20 times.

“When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume. We saw both attack and legitimate traffic coming from millions of IPs across all geographies,” Hilton said. “It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be.”

The source remains the Mirai botnet of IoT devices, and Dyn estimates that up to 100,000 bots were involved in last Friday’s attack. TCP attack volume accounted for most of the attack traffic, 40 to 50 times normal volume, Dyn said, adding that figure does not account the traffic mitigated by Dyn’s anti-DDoS measures and upstream providers.

“There have been some reports of a magnitude in the 1.2 Tbps range,” Hilton said. “At this time, we are unable to verify that claim.”

Arbor Networks, meanwhile, looked inside the Mirai botnet and found varied capabilities at the disposal of those who are renting it. The platform is customizable, and can be dialed in to deliver UDP, SYN and ACK flooding attacks as well as DDoS attacks against the application layer (HTTP) and DNS Pseudo Random Label Prepending Attacks known as DNS Water Torture Attacks. The original Mirai botnet boasts between 500,000 and 550,000 nodes and can be segmented to attack multiple targets simultaneously.

“With a lot of booter and stresser services with these DDoS-for-hire botnets, many have the capability to vary the attack traffic a great deal, but that’s usually not available to ordinary users,” said Roland Dobbins, principal engineer at Arbor Networks. “You have to have special access to do that. With Mirai, all that power and all that configurability is available to users.

“It could be a differentiator that the Mirai folks are using,” Dobbins offered as an explanation as to why. ” ‘Hey, we have a botnet that has multiple attack nodes and a high degree of customizability available.’ It could be a selling point.”
While the cost to rent Mirai is unknown, the economics favor the attacker by a longshot, Dobbins said.

“It takes a small amount of money to launch attacks. It costs defensive organizations a significant amount of money in tangible and intangible costs to mitigate these attacks.”

Experts believe the Dyn DDoS attack is the work of script kiddies and rules out nation-state participation.

“DDoS is the great equalizer between threat actor groups and nation states,” Dobbins said. “Nation states are just another player when it comes to DDoS attacks.”

Categories: IoT