On Friday morning, organizations across the internet – including GitHub, Twitter, Spotify, SoundCloud, Reddit, and the New York Times – disappeared after an attack was launched against Dyn Inc., an infrastructure provider that offers managed DNS services. The attack started early Friday morning and has lasted well into the afternoon.
At the time this article was published, most of the East Coast of the United States, as well as data centers in Texas, Washington, and California were experiencing problems or offline completely. Friday’s attack started just before 07:00 a.m. EST, and was mitigated after a few hours. A second attack started a short time later, and has persisted at scale for several hours.
The outage impacted several of the internet’s largest websites, but also services like Amazon. According to statements from Dyn, tens of millions of IP addresses are hitting their infrastructure. The company has a status page for updates.
“The size and scale of recent DDoS attacks has far exceeded what the industry thought was the upper end of the spectrum. This is impacting the entire Internet and no one is completely immune,” said Carl Levine, Sr. Technical Evangelist for managed DNS provider NS1.
Once the attacks started, speculation led many to point the finger at IoT botnets, particular the Mirai botnet. The Mirai botnet has been linked to several massive DDoS attacks, leveraging consumer devices such as cameras, DVRs, and routers. The source code for Mirai was released to the public by its creator after a massive DDoS attack against journalist Brian Krebs.
Earlier this week, researchers scanning the internet for devices that would respond to Mirai located 11.3 million IP addresses with port 23 open.
Reached via phone, Flashpoint Intel told Salted Hash that they’ve observed the Mirai botnet attacking Dyn Inc., but the firm stopped short of saying it was directly responsible for today’s massive outage.
“Flashpoint has observed Mirai attack commands issued against Dyn infrastructure. Analysts are still investigating the potential impact of this activity and it is not yet clear if other botnets are involved. The infrastructure that issues the attack commands is being investigated and reported to the appropriate entities,” Flashpoint said in a statement.
Dale Drew, the CSO at Level 3 Communications, mirrored Flashpoint’s findings, noting that Mirai is involved on some level, but again, no one is saying the botnet is fully responsible. For obvious reasons, no one from Dyn was available to offer additional details or statements.
"Because DNS is vital to every person, business and website across the entire internet for system stability and performance, online businesses commonly outsource DNS management to third-party providers who have better and more reliable infrastructures to operate on behalf of their customers,” explained Jeremiah Grossman, chief of security strategy at SentinelOne.
“Historically, this has worked to everyone's benefit. However, what we're now seeing is that in light of the way the infrastructure works in the security landscape, they are attractive targets for large-scale DDoS attacks - because if you take out one of these DNS service providers, you can disrupt a large number of popular online services, which is exactly what we're seeing today.”
This is a developing story. Updates to this article will follow.
Update: (7:30 p.m. EST 10/21/16)
Discussing today's events, Core Security's Chris Sullivan said:
"The really frightening part of this is not that we will be struggling with these new attacks for some time, but that the underlying weakness which makes them successful - can and will be used to unleash more serious attacks that steal credit cards and weapons designs, manipulate processes like the SWIFT global funds transfers, and even destroy physical things like the 30,000 PCs at Saudi Aramco."
In a blog post, Flashpoint Intel added some additional details to the statement's they've made today:
"Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks...As of 17:30 EST, the attacks against Dyn DNS are still ongoing. Flashpoint is coordinating with multiple vendors and law enforcement to track the infected devices that constitute the botnet being used to conduct these attacks."
Update: (6:30 p.m. EST 10/21/16)
Flashpoint Intel has done additional research and determined that the bots launching the attack against Dyn Inc. are using the Mirai code, but they’re not the same Mirai bots that hit OVH and Brian Krebs earlier this month.
“While Flashpoint has confirmed that Mirai botnets were used in the October 21, 2016 attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against ‘Krebs on Security’ and OVH,” Flashpoint said in a statement sent to Salted Hash.
Since the Mirai source code was released earlier this month, copycats have used it to create botnets of their own in order to launch DDoS attacks. Today’s attacks are proof that script kiddies and criminals wasted no time in recycling the Mirai code for their own use.
Update: (6:09 p.m. EST, 10/21/16)
On Twitter, Wikileaks blamed their supporters for the day’s DDoS issues, asking them to “stop taking down the US internet.”
WikiLeaks' claim is a little far fetched.
Prior to their plea, no one suspected or suggested that Friday’s outages were part of some sort of payback against the recent actions that removed internet access from Julian Assange in Ecuador’s Embassy in London.
If anything, today’s attack could be blamed on careless IoT development and vendors making security a secondary requirement over pushing products to market quickly. The issue isn’t new either.
In 2013, Kyle Stone highlighted IoT issues during a talk at DerbyCon. The scary thing is, the issues he discusses in the video below are the same issues the market is faced with today, and some of these issues have only gotten worse.
For now, alternate DNS settings are able to mitigate many of the connection issues.
Google:
- 8.8.8.8
- 8.8.4.4
Open DNS (Recommended):
- 208.67.222.222
- 208.67.220.220
Level3:
- 209.244.0.3
- 209.244.0.4
- 4.2.2.1
- 4.2.2.2
- 4.2.2.3
- 4.2.2.4