Cybersecurity

Internet of Things vulnerability: Analyzing the 21 October DDoS attack

Published 27 October 2016

The Friday, 21 October 2016 Distributed Denial of Service (DDoS) attack has been analyzed as a complex and sophisticated attack, using maliciously targeted, masked TCP and UDP traffic directed at port 53. Dyn has confirmed that the Mirai botnet was the primary source of the malicious attack traffic. The attack also generated compounding recursive DNS retry traffic, as resolvers that received no answer from Dyn's authoritative servers retried their queries, further exacerbating the attack's impact. Dyn says it will not speculate on the motivation or the identity of the attackers, but says that the attack has opened up an important conversation about Internet security and volatility. The attack has not only highlighted vulnerabilities in the security of Internet of Things (IoT) devices that need to be addressed, but has also sparked further dialogue in the Internet infrastructure community about the future of the Internet.

The Distributed Denial of Service (DDoS) attack Dyn sustained against its Managed DNS infrastructure this past Friday, 21 October, has been the subject of much conversation within the Internet community. Scott Hilton, EVP of Product at Dyn, says in a blog post that when the attack first happened, Dyn's first priority as a company was to mitigate the attack and limit its impact on the company's customers.

During the attack and over the following weekend, Dyn issued a statement and provided extensive comment to the media to keep the public informed. When services were restored to normal, Dyn had the opportunity to conduct additional analysis of the event. In his blog post, Hilton offers a more detailed timeline of the event and a summary of Dyn's analysis. The timeline and analysis offered below, however, withhold some information pertaining to the company's customers and the ongoing investigation. Dyn says it will not speculate or comment regarding the motivation or the identity of the attackers.

On Friday 21 October 2016, from approximately 11:10 UTC to 13:20 UTC and then again from 15:50 UTC until 17:00 UTC, Dyn's Managed DNS infrastructure was hit by two large and complex DDoS attacks. These attacks were successfully mitigated by Dyn's Engineering and Operations teams, but not before significant impact was felt by the company's customers and their end users.

The first attack began around 11:10 UTC on Friday 21 October 2016. The company began to see elevated bandwidth against its Managed DNS platform in the Asia Pacific, South America, Eastern Europe, and U.S.-West regions that presented in a way typically associated with a DDoS attack. As Dyn initiated its incident response protocols, the attack vector abruptly changed, homing in on the company's points of presence in the U.S.-East region with high-volume floods of TCP and UDP packets, both with destination port 53, from a large number of source IP addresses. The abrupt ramp-up time and multi-vectored nature of the attack led Dyn's Engineering and Network Operations teams to deploy additional mitigation tactics on top of the company's automated response techniques. These techniques included traffic-shaping of incoming traffic, rebalancing of that traffic by manipulation of anycast policies, application of internal filtering, and deployment of scrubbing services. The company said that mitigation efforts were fully deployed by 13:20 UTC; the attack subsided shortly after.
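The attack signature described above (a sudden jump in packets to port 53, from far more source addresses than usual, at one point of presence, with an unusually large TCP component) is the kind of thing a network operator's flow telemetry can flag per PoP. The following is an added example, not Dyn's own tooling or data: a small triage routine over NetFlow-style records that compares each minute with a baseline minute for the same PoP. The record layout, the thresholds, and the sample traffic are all constructed assumptions for illustration.

```python
"""Port-53 flood triage over NetFlow-style records (added illustration).

Not Dyn's tooling. The Flow layout, the thresholds and the sample traffic
in constructed_sample() are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since start of capture
    pop: str         # point of presence that received the packets
    proto: str       # "tcp" or "udp"
    src: str         # source IP address
    dst_port: int
    packets: int


@dataclass
class WindowStats:
    packets: int = 0
    tcp_packets: int = 0
    sources: set = field(default_factory=set)

    @property
    def tcp_share(self) -> float:
        return self.tcp_packets / self.packets if self.packets else 0.0


def summarize(flows, window=60):
    """Aggregate traffic to destination port 53 per (time window, PoP)."""
    stats = defaultdict(WindowStats)
    for f in flows:
        if f.dst_port != 53:
            continue
        s = stats[(f.ts // window, f.pop)]
        s.packets += f.packets
        if f.proto == "tcp":
            s.tcp_packets += f.packets
        s.sources.add(f.src)
    return stats


def detect(stats, baseline_window=0, volume_factor=10,
           source_factor=10, max_tcp_share=0.2):
    """Compare every later window with the baseline window for the same PoP.

    Three independent heuristics (thresholds are assumed, tune per network):
      volume    - packets to port 53 far above the PoP's baseline
      sources   - many more distinct sources than baseline
      tcp_share - authoritative DNS traffic is overwhelmingly UDP; retrying
                  resolvers during an outage stay UDP too, so a large TCP
                  share to port 53 points at a deliberate flood rather than
                  at legitimate retry traffic
    """
    alerts = []
    for (w, pop), s in sorted(stats.items()):
        if w == baseline_window:
            continue
        base = stats.get((baseline_window, pop))
        if base is None:
            continue
        reasons = []
        if s.packets > volume_factor * base.packets:
            reasons.append("volume")
        if len(s.sources) > source_factor * len(base.sources):
            reasons.append("sources")
        if s.tcp_share > max_tcp_share:
            reasons.append("tcp_share")
        if reasons:
            alerts.append({"window": w, "pop": pop, "packets": s.packets,
                           "sources": len(s.sources),
                           "tcp_share": round(s.tcp_share, 3),
                           "reasons": reasons})
    return alerts


def constructed_sample():
    """Synthetic flows (constructed, not capture data): a quiet first minute at
    two PoPs, then a flood against us-east from 300 sources, half of it TCP."""
    flows = []
    for ts in (5, 70):                       # legitimate resolvers, both minutes
        for pop in ("us-west", "us-east"):
            for i in range(10):
                flows.append(Flow(ts, pop, "udp", f"198.51.100.{i}", 53, 30))
            flows.append(Flow(ts, pop, "tcp", "198.51.100.250", 53, 2))
    for i in range(300):                     # the flood, second minute only
        proto = "tcp" if i % 2 else "udp"
        flows.append(Flow(70, "us-east", proto,
                          f"10.0.{i // 256}.{i % 256}", 53, 200))
    return flows


if __name__ == "__main__":
    for alert in detect(summarize(constructed_sample())):
        print(alert)
```

Run stand-alone, the sample produces a single alert for us-east in the second window, with all three reasons set; us-west, which carries only baseline traffic in both minutes, stays quiet. The tcp_share signal is the one worth keeping separate in practice: a pure volume or source-count spike can also be the legitimate retry storm that an outage itself causes, whereas retrying resolvers do not switch to TCP.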