Mirai-Fueled IoT Botnet Behind DDoS Attacks on DNS Providers

Ten percent of the 550,000 IoT nodes in the Mirai botnet are involved in ongoing DDoS attacks against DNS provider Dyn and others.

A botnet of connected things strung together by the Mirai malware is responsible for Friday’s distributed denial-of-service attacks against DNS provider Dyn. The DDoS attacks impacted Internet service on the East Coast of the United States, and were responsible for keeping Dyn and a number of its high-profile customers offline during different times during the day.

Level 3 Communications, a large service provider located in Colorado, said that it was monitoring the attacks and that it believed 10 percent of the IP-enabled cameras, DVRs, home networking gear and other connected devices compromised by Mirai were involved in Friday’s attacks.

Mirai’s purpose is to continuously scan the public Internet for IoT devices and tries to access them using known default or weak credentials before exploiting and forcing devices to join botnets used in DDoS attacks. The danger posed by Mirai was exacerbated when the hacker allegedly responsible for a 620 Gbps DDoS attack against Krebs on Security and French webhost OVH released the source code for the malware to the public.

Level 3 and security company Flashpoint confirmed on Friday that Mirai was behind Friday’s attacks, which were still ongoing as of last night. Flashpoint said it is working with law enforcement and other resources to track the source of the attacks.

Dyn, a New Hampshire-based DNS provider, said the attacks began shortly after 7 a.m. Eastern time and the first wave ended at 9:36 a.m., before ramping up again at 11:52 a.m. when a second attack targeted its managed DNS platform.

“This attack was distributed in a more global fashion,” Dyn said in a status update Friday afternoon.

The New York Times said Friday that the FBI and the Department of Homeland Security were investigating the attacks and were not ruling out either criminals or nation-state actors as responsible parties.

Dale Drew, CISO of Level 3 Communications, said this afternoon on Periscope that the Mirai botnet was at about 550,000 nodes, and that approximately 10 percent were involved in the attack on Dyn (Level 3’s outage map is below). Earlier this week, Level 3 identified much of the command and control infrastructure used to communicate with bots, and said the number of bots had more than doubled since the source code as released.

“We are seeing others involved as well,” Drew said. “Mirai is a DDoS-for-rent environment. People buying time on that botnet could be buying time on other botnets as well. They are hitting a number of other DNS sites as well.” Drew did not identify those sites.


DNS providers translate domain names into IP addresses. In Friday’s attacks, someone used compromised connected devices to make an overwhelming number of queries of Dyn and other providers, so much so that they’re unable to keep up and answer legitimate queries.

On Friday, prominent services such as Twitter, Github, Spotify, Reddit, SoundCloud and others were inaccessible for periods of time.

“When the directory service is down, DNS cannot provide and IP address and you cannot get to the host,” Drew said. “It looks like the host is down when, in fact, is the directory service that is down.”

Earlier this week, Level 3 said that a number of attackers were taking advantage of the publicly available source code to hack into IoT devices; it said, for example, that 24 percent of the bots in the Mirai botnet overlapped with another IoT botnet uncovered this summer called Bashlite.

The major source of bots used in the Krebs and OVH attacks are connected DVRs manufactured by XiongMai Technologies of China. The DVRs used in the attack share the same username-password combination root:xc3511 making it child’s play for the attackers to telnet into the devices and recruit them into botnets, Flashpoint said.

“Unlike your PC or your phone, IoT devices don’t have the memory and processing to be secured properly, so they are easily compromised by adversaries and it’s very difficult to detect when that happens,” said Core Security’s Chris Sullivan. “This is what’s driving the new ultra-high volume DDoS attacks like we saw today. Ultra-large IoT botnets are instructed to make so many superfluous requests of the target that legitimate requests cannot get through. No real damage is done but service is denied for legitimate users.”

Suggested articles


  • Dave Lessnau on

    We know these compromised things are out there. We know they either can't or won't be fixed. We know that the owners don't even know they've been compromised. Nothing can be done? No government can force a recall? No Supreme Internet Body can disconnect them? No White Hat hacker can go out, use the same techniques to find them that the bad guys use and format their hard drives? Of course, the last two would lead to very bad situations. But, this is why we can't have good things any more. What happens when the autonomous, self-driving cars the auto makers are making get targeted and taken over? Will they be turned into mobile attack bots (both physically and computationally)? Will nothing be done then? So, because this is a commons, no one can do anything?
  • tony on

    why don't we use the same code to change the pw to something random and long. if they want back in the can always reset it but usually they don't need this account.
  • tony on

    Why not turn the code on itself and start using it to change passwords words to something random and long. I can't think of any legal standing a end user would have to fight this and they could almost always do a factory reset.
    • Dr. Hilliard Haliard on

      That might seem like a good idea at first, but you quickly come to realize its shaky basis and unintended consequences. I believe Bruce Schneier and a number of other security luminaries have explained this at length in the past.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.