IoT botnets used in unprecedented DDoS against Dyn DNS; FBI, DHS investigating

Infected IoT devices turned into botnets, at least some controlled by Mirai, were used in multiple DDoS attacks against New Hampshire-based internet infrastructure company Dyn. The attacks against Dyn DNS were similar to some thugs shredding an internet address book, since addresses of thousands of websites couldn’t be looked up and users couldn’t be connected to the right servers. By the third wave of attacks, users across the globe had been affected by the massive disruptions.

+ Also on Network World: How the Dyn DDoS attack unfolded +

The FBI and the Department of Homeland Security (DHS) are investigating the attack on Dyn, one provider of DNS services. A spokeswoman told The New York Times that the FBI and DHS “were looking into the incident and all potential causes, including criminal activity and a nation-state attack.”

The massive DDoS attacks made it impossible for some users to connect to Twitter, Spotify, Reddit, CNN, Etsy, The New York Times, PayPal, some customers on Amazon, Netflix, the Boston Globe, GitHub, SoundCloud, Pinterest, Tumblr and some cable companies, Okta, Sony’s PlayStation Network, The Wall Street Journal and thousands of other sites.

The sites were still there, even though it may have looked like the hosts were down. During the global attacks on Dyn, attackers used hundreds of thousands of infected IoT devices to send millions of junk queries and thereby overwhelm the directory service; Dyn DNS could not look up and provide the IP addresses and then connect users to the sites to browse content. This spawned lots of jokes about forced increases of productivity.

Three waves of attacks

The first wave of DDoS attacks, which occurred Friday morning around 7:10 a.m. EST, affected users on the East Coast. The second wave of attacks, around noon, affected the West Coast, but users as far away as Australia were also affected for about five hours. Bloomberg reported, “At the peak of the attack, average DNS connect times for 2,000 websites monitored by Dynatrace went to about 16 seconds from 500 milliseconds normally.”

Around 5 p.m. during the third wave of Friday’s attack, Dyn told CNBC that the attacks were “well planned and executed, coming from tens of millions of IP addresses at the same time.”

According to Reuters, Amazon’s web services division confirmed that “the issue temporarily affected users in Western Europe. Twitter and some news sites could not be accessed by some users in London late on Friday evening. PayPal Holdings Inc said the outage prevented some customers in ‘certain regions’ from making payments.”

Kyle York, Dyn’s CSO, called the attacks “very smart.” He added, “We start to mitigate, they react. It keeps on happening every time. We’re learning though.”

The “tens of millions” of messages from around the globe were “sent by seemingly harmless but internet-connected devices.” York said, “It could be your DVR, it could be a CCTV camera, a thermostat. I even saw an internet-connected toaster on Kickstarter yesterday.”

Neither Homeland Security nor unnamed intelligence agencies was willing to tell CNBC who might be behind the attacks. White House Press Secretary Josh Earnest was only willing to say DHS was “monitoring the situation” but that “at this point, I don’t have any information about who may be responsible for this malicious activity.”

One week before the attack on Dyn, US-CERT warned about a “heightened DDoS threat posed by Mirai and other botnets.” The other is Bashlite; its source code has not been released to the public.

Who and why?

It’s not clear why Dyn was hit or who did the hitting.

Security journalist Brian Krebs pointed out that the attack came mere hours after Dyn researcher Doug Madory spoke about DDoS attacks at a North American Network Operators Group meeting.

One hacker told Politico that the hacktivist groups New World Hackers and Anonymous had been behind the attacks, which were launched in retaliation for the Ecuadorian government’s decision to cut off internet access for WikiLeaks founder Julian Assange.

The New World Hackers, who are “spread across China and Russia,” told the Associated Press, “We didn’t do this to attract federal agents, only test power.”

Security firm Flashpoint reviewed the “proof” before labeling the group as “imposters.”

Mirai IoT botnet

Flashpoint confirmed that “some of the infrastructure responsible” for the DDoS attacks against Dyn DNS “were botnets compromised by Mirai malware.” Although Mirai targets IoT devices “like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet,” the Mirai botnets used against Dyn were “separate and distinct botnets” than those used to execute attacks against Krebs on Security and the French internet service OVH.

Allison Nixon, director of research at Flashpoint, told Krebs that the attack was “built on the backs of hacked IoT devices—mainly compromised DVRs and IP cameras” made by Chinese XiongMai Technologies. “It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States.”

While some experts suggested multiple botnets were involved in the attack, Flashpoint said “at least one Mirai [control server] issued an attack command to hit Dyn.”

Level 3 also said it “found evidence that roughly 10 percent of all devices co-opted by Mirai were being used to attack Dyn’s servers.” The latest unprecedented DDoS DNS attack is explained here.

A few days ago, Level 3 Threat Research Labs reported that before Mirai source code was released, it had identified about 213,000 bots. There was a 280,000-bot spike, bringing the total to at least 493,000 Mirai bots after the code was released. Most of the malware-infected IoT devices are located in the U.S., followed by devices in Brazil and then Columbia.

As cryptography expert and assistant professor at Johns Hopkins Matthew Green said on Friday about the internet of insecure things: