Following news accounts of the Distributed Denial of Service (DDoS) attack that Dyn sustained against its managed DNS infrastructure this past Friday, October 21, the cloud-based Internet Performance Management (IPM) vendor is carefully monitoring for any additional attacks.
“Please note that our investigation regarding root cause continues and will be the topic of future updates,” it said in a press note Friday. “It is worth noting that we are unlikely to share all details of the attack and our mitigation efforts to preserve future defenses.”
The nature and source of the attack are under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations.
“We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet,” Dyn said. “We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”
Starting at approximately 7:00 am ET, Dyn began experiencing a DDoS attack. While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it became clear that this attack was different.
Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers. Unfortunately, during that time, internet users directed to Dyn servers on the East Coast of the US were unable to reach some customers’ sites, including some of the marquee brands of the internet.
“We should note that Dyn did not experience a system-wide outage at any time – for example, users accessing these sites on the West Coast would have been successful,” the post added.
After restoring service, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to East Coast POPs), but was mitigated in just over an hour; service was restored at approximately 1:00 pm ET. Again, at no time was there a network-wide outage, though some customers would have seen extended latency delays during that time.
News reports of a third attack wave were verified by Dyn based on available information. While there was a third attack attempted, Dyn was able to mitigate it without customer impact.
Dyn’s operations and security teams initiated the mitigation and customer communications processes through the company’s incident management system. The cloud vendor acknowledged the efforts of its operations and support teams in doing battle with what is likely to be seen as a historic attack. It also acknowledged the tremendous support of its customers, many of whom reached out to support its mitigation efforts even as they were impacted. Dyn said service to users has been its top priority and that it appreciates their understanding, as that commitment means Dyn is often the first responder of the internet.
“At the time of this writing, we are carefully monitoring for any additional attacks,” the note said.
The all-day disruption of DNS services, first in the eastern US and later affecting customers of Dyn, a DNS provider, globally, might be the beginning of a new era of internet attacks conducted via “smart” things, warned security analysts at Sophos Security. “Clearly they aren’t as smart as we think, if they can be so easily commandeered by random deviants on the internet to impact major services like Twitter, Reddit and Spotify.”
“The botnet allegedly used to conduct this attack is comprised of approximately 500,000 compromised smart cameras, those ubiquitous ones you see in every lobby, office and shopping mall,” said Chester Wisniewski, principal research scientist, Sophos. “Today’s attack only used approximately 10 percent of these bots, demonstrating the incredible power wielded by just one type of device. There are 10s of millions more insecure “smart” things that could cause incredible disruptions, if harnessed.”
Sophos recommends that owners of smart TVs, lights, thermostats, routers and other internet-connected devices keep the software on their devices up to date and immediately change the default passwords to something unique. “In the modern world, consider it being a good neighbor to look after your things to be sure they are not harming yourself or others,” the firm added.