Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/26/2016
06:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

DDoS On Dyn Used Malicious TCP, UDP Traffic

Dyn confirms Mirai IoT botnet was 'primary source' of the attack, with some 100,000 infected devices sending the bogus traffic.

Domain Name Service (DNS) provider Dyn today provided new details about the massive distributed denial-of-service (DDoS) attack on Oct. 21 it suffered that disrupted major websites including Okta, CNN, Pinterest, Reddit, and Twitter, and confirmed that the infamous Mirai botnet was the main culprit.

Scott Hilton, executive vice president of product for Dyn, in a blog post said the attackers employed masked TCP and UDP traffic via Port 53 in the attack as well as recursive DNS retry traffic, "further exacerbating its impact," he said.

Dyn also confirmed that the widely suspected Mirai botnet was a "primary source" of the DDoS attacks, which came in multiple waves and affected various websites for nearly nine hours on Friday.

"TCP is interesting ... prior threats and big DDoSes tended to be UDP-amplification attacks that require spoofing," says John Bambenek, threat systems manager at Fidelis Cybersecurity. "There's so much crap out there with default passwords."

Default credentials indeed are one of the main culprits that allowed the attackers to use an army of online cameras, DVRs, and other equipment in the attacks, according to security experts.

But the big question of who was behind the crippling attack on the DNS provider remains under investigation. "Dyn is collaborating in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attackers," Dyn's Hilton said in the post.

The DDoS attacks came in traffic bursts that were 40- to 50 times normal flows, he said. "This magnitude does not take into account a significant portion of traffic that never reached Dyn due to our own mitigation efforts as well as the mitigation of upstream providers," Hilton said.

The attackers also waged some smaller "probing" TCP attacks in the hours and days after the big attack, but Dyn was able to mitigate them.

He noted that the DNS traffic sent in the DDoS attacks also generated legitimate DDoS retry traffic, making the attack more complicated to parse, and the attack generated ten- to 20 times the normal DNS traffic levels thanks to malicious and legit retries.

"During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic," he said in the post. "When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume. We saw both attack and legitimate traffic coming from millions of IPs across all geographies."

Most of the attack came from Mirai-based botnets, using an estimated 100,000 infected devices.

Related Content:

 

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
100%
0%
RyanSepe,
User Rank: Ninja
10/27/2016 | 10:37:07 AM
Responsibility of Default Passwords
As denoted in the article, persistent default passwords on IoT devices are a major issue in terms of bot farming. The question from my perspective is; based off the data that there are many default passwords that go unchanged, would efforts be better focused on the vendor providing a different password for each device than relying on the end user for changing it? Regardless if that password remains unchanged it will still be vulnerable but the level of difficulty will increase because then the vendor can set the password complexity parameters and password guessing difficulty would increase as well.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5991
PUBLISHED: 2020-10-30
NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerability in the NVJPEG library in which an out-of-bounds read or write operation may lead to code execution, denial of service, or information disclosure.
CVE-2020-15273
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can ac...
CVE-2020-15276
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1.
CVE-2020-15277
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1.
CVE-2020-7373
PUBLISHED: 2020-10-30
vBulletin 5.5.4 through 5.6.2 allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. NOTE: this issue exists because of an incomplete fix for CVE-2019-16759. ALSO NOTE: CVE-2020-7373 is a duplicate of CVE-2020-17496. CVE-2020-17496 is ...