Dyn has stated that approximately 100,000 bots infected with Mirai malware helped launch a large distributed denial-of-service (DDoS) attack against its domain name system (DNS) infrastructure. Scott Hilton, EVP of product at the internet performance management company, said in a statement on 26 October that the distributed denial-of-service (DDoS) campaign used masked TCP and UDP traffic over port 53 to attack its managed DNS infrastructure on 21 October. Packet flow reached to as much as 50 times higher than its normal volume as a result of the attack. Some estimates place that peak at 1.2 Tbps, though Dyn can't confirm those reports at this time. Hilton can confirm one thing, though: the attack originated mostly from Mirai-infected devices:
"It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets."
Three separate attacks targeted Dyn on 21 October. The first started at approximately 07:00 EDT and disrupted service to a number of the company's customers, including Twitter, Spotify, and others. It took Dyn about two hours to mitigate the offensive and restore service to those affected affected by the attack. The next wave came at noon, but due to mitigations the company's teams had already put in place, Dyn's teams were able to mitigate the DDoS campaign in about an hour. Those same solutions helped prevent a third attack from interrupting service later on in the day. Hilton feels the three attacks point to the growing security risks associated with the Internet of Things (IoT), a threat which the internet infrastructure community can't ignore:
"This attack has opened up an important conversation about internet security and volatility. Not only has it highlighted vulnerabilities in the security of 'Internet of Things' (IOT) devices that need to be addressed, but it has also sparked further dialogue in the internet infrastructure community about the future of the internet. As we have in the past, we look forward to contributing to that dialogue."
As of this writing, Dyn's investigation into the attack is still ongoing.