Attacks/Breaches

10/26/2016
06:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

DDos On Dyn Used Malicious TCP, UDP Traffic

Dyn confirms Mirai IoT botnet was 'primary source' of the attack, with some 100,000 infected devices sending the bogus traffic.

Domain Name Service (DNS) provider Dyn today provided new details about the massive distributed denial-of-service (DDoS) attack on Oct. 21 it suffered that disrupted major websites including Okta, CNN, Pinterest, Reddit, and Twitter, and confirmed that the infamous Mirai botnet was the main culprit.

Scott Hilton, executive vice president of product for Dyn, in a blog post said the attackers employed masked TCP and UDP traffic via Port 53 in the attack as well as recursive DNS retry traffic, "further exacerbating its impact," he said.

Dyn also confirmed that the widely suspected Mirai botnet was a "primary source" of the DDoS attacks, which came in multiple waves and affected various websites for nearly nine hours on Friday.

"TCP is interesting ... prior threats and big DDoSes tended to be UDP-amplification attacks that require spoofing," says John Bambenek, threat systems manager at Fidelis Cybersecurity. "There's so much crap out there with default passwords."

Default credentials indeed are one of the main culprits that allowed the attackers to use an army of online cameras, DVRs, and other equipment in the attacks, according to security experts.

But the big question of who was behind the crippling attack on the DNS provider remains under investigation. "Dyn is collaborating in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attackers," Dyn's Hilton said in the post.

The DDoS attacks came in traffic bursts that were 40- to 50 times normal flows, he said. "This magnitude does not take into account a significant portion of traffic that never reached Dyn due to our own mitigation efforts as well as the mitigation of upstream providers," Hilton said.

The attackers also waged some smaller "probing" TCP attacks in the hours and days after the big attack, but Dyn was able to mitigate them.

He noted that the DNS traffic sent in the DDoS attacks also generated legitimate DDoS retry traffic, making the attack more complicated to parse, and the attack generated ten- to 20 times the normal DNS traffic levels thanks to malicious and legit retries.

"During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic," he said in the post. "When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume. We saw both attack and legitimate traffic coming from millions of IPs across all geographies."

Most of the attack came from Mirai-based botnets, using an estimated 100,000 infected devices.

Related Content:

 

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
10/27/2016 | 10:37:07 AM
Responsibility of Default Passwords
As denoted in the article, persistent default passwords on IoT devices are a major issue in terms of bot farming. The question from my perspective is; based off the data that there are many default passwords that go unchanged, would efforts be better focused on the vendor providing a different password for each device than relying on the end user for changing it? Regardless if that password remains unchanged it will still be vulnerable but the level of difficulty will increase because then the vendor can set the password complexity parameters and password guessing difficulty would increase as well.
Hacked IV Pumps and Digital Smart Pens Can Lead to Data Breaches
Dawn Kawamoto, Associate Editor, Dark Reading,  12/4/2017
Tips for Writing Better Infosec Job Descriptions
Kelly Sheridan, Associate Editor, Dark Reading,  12/4/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.