Attacks/Breaches

10/26/2016
06:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

DDoS On Dyn Used Malicious TCP, UDP Traffic

Dyn confirms Mirai IoT botnet was 'primary source' of the attack, with some 100,000 infected devices sending the bogus traffic.

Domain Name Service (DNS) provider Dyn today provided new details about the massive distributed denial-of-service (DDoS) attack on Oct. 21 it suffered that disrupted major websites including Okta, CNN, Pinterest, Reddit, and Twitter, and confirmed that the infamous Mirai botnet was the main culprit.

Scott Hilton, executive vice president of product for Dyn, in a blog post said the attackers employed masked TCP and UDP traffic via Port 53 in the attack as well as recursive DNS retry traffic, "further exacerbating its impact," he said.

Dyn also confirmed that the widely suspected Mirai botnet was a "primary source" of the DDoS attacks, which came in multiple waves and affected various websites for nearly nine hours on Friday.

"TCP is interesting ... prior threats and big DDoSes tended to be UDP-amplification attacks that require spoofing," says John Bambenek, threat systems manager at Fidelis Cybersecurity. "There's so much crap out there with default passwords."

Default credentials indeed are one of the main culprits that allowed the attackers to use an army of online cameras, DVRs, and other equipment in the attacks, according to security experts.

But the big question of who was behind the crippling attack on the DNS provider remains under investigation. "Dyn is collaborating in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attackers," Dyn's Hilton said in the post.

The DDoS attacks came in traffic bursts that were 40- to 50 times normal flows, he said. "This magnitude does not take into account a significant portion of traffic that never reached Dyn due to our own mitigation efforts as well as the mitigation of upstream providers," Hilton said.

The attackers also waged some smaller "probing" TCP attacks in the hours and days after the big attack, but Dyn was able to mitigate them.

He noted that the DNS traffic sent in the DDoS attacks also generated legitimate DDoS retry traffic, making the attack more complicated to parse, and the attack generated ten- to 20 times the normal DNS traffic levels thanks to malicious and legit retries.

"During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic," he said in the post. "When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume. We saw both attack and legitimate traffic coming from millions of IPs across all geographies."

Most of the attack came from Mirai-based botnets, using an estimated 100,000 infected devices.

Related Content:

 

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
10/27/2016 | 10:37:07 AM
Responsibility of Default Passwords
As denoted in the article, persistent default passwords on IoT devices are a major issue in terms of bot farming. The question from my perspective is; based off the data that there are many default passwords that go unchanged, would efforts be better focused on the vendor providing a different password for each device than relying on the end user for changing it? Regardless if that password remains unchanged it will still be vulnerable but the level of difficulty will increase because then the vendor can set the password complexity parameters and password guessing difficulty would increase as well.
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11358
PUBLISHED: 2019-04-20
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
CVE-2019-11359
PUBLISHED: 2019-04-20
Cross-site scripting (XSS) vulnerability in display.php in I, Librarian 4.10 allows remote attackers to inject arbitrary web script or HTML via the project parameter.
CVE-2018-20817
PUBLISHED: 2019-04-19
SV_SteamAuthClient in various Activision Infinity Ward Call of Duty games before 2015-08-11 is missing a size check when reading authBlob data into a buffer, which allows one to execute code on the remote target machine when sending a steam authentication request. This affects Call of Duty: Modern W...
CVE-2019-11354
PUBLISHED: 2019-04-19
The client in Electronic Arts (EA) Origin 10.5.36 on Windows allows template injection in the title parameter of the Origin2 URI handler. This can be used to escape the underlying AngularJS sandbox and achieve remote code execution via an origin2://game/launch URL for QtApplication QDesktopServices ...
CVE-2019-11350
PUBLISHED: 2019-04-19
CloudBees Jenkins Operations Center 2.150.2.3, when an expired trial license exists, allows Cleartext Password Storage and Retrieval via the proxy configuration page.