Internet of Things vulnerability: Analyzing the 21 October DDoS attack

At roughly 15:50 UTC a second attack began against Dyn’s Managed DNS platform. This attack was more globally diverse, but employed the same protocols as the first attack. Building upon the defenses deployed during the earlier attack and extending them globally, the company was able to substantially recover from the second attack by 17:00 UTC. There was residual impact from additional sources that lasted until approximately 20:30 UTC.

A number of probing smaller TCP attacks occurred over the next several hours and days, but the company’s mitigation efforts were able to prevent any further customer impact.

Hilton notes that during a DDoS that uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic. For example, the impact of the attack generated a storm of legitimate retry activity as recursive servers attempted to refresh their caches, creating 10 to 20 times the normal traffic volume across a large number of IP addresses. When DNS traffic congestion occurs, these legitimate retries add further to the volume. Dyn saw both attack and legitimate traffic coming from millions of IPs across all geographies. It appears the malicious traffic was sourced from at least one botnet, with the retry storm falsely suggesting a far larger set of endpoints than the company now believes was involved. Dyn is still analyzing the data, but its estimate at the time of the report is up to 100,000 malicious endpoints. Dyn is able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.
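The retry-storm effect Hilton describes, where legitimate resolver retries inflate the apparent number of attacking endpoints, can be illustrated with a small triage heuristic. The Python below is an added example, not Dyn's code or method: it builds a constructed DNS query log (RFC 5737 documentation addresses, a made-up "timestamp source qname qtype" line format, illustrative thresholds) and separates sources whose traffic looks like backoff retries of a few names from sources spraying many distinct names at a high rate. Counting unique source IPs alone would count all of them as attackers.

```python
"""Heuristic triage of DNS query sources: retry storm vs. flood.

Added example, not Dyn's code or method. The log format, thresholds and
sample traffic below are all constructed for illustration.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed log format: "<epoch_seconds> <src_ip> <qname> <qtype>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def build_sample_log(n_resolvers=6, n_bots=3):
    """Construct a synthetic log mixing two behaviours.

    Resolvers (198.51.100.0/24, RFC 5737 documentation range) re-ask the same
    three names with a 1s/2s/4s/8s backoff, as recursives do when the
    authoritative side stops answering. Bots (203.0.113.0/24) send hundreds
    of distinct labels at roughly 100 qps. One stray client sends two queries.
    """
    lines = []
    names = ("www.example.net", "api.example.net", "cdn.example.net")
    for r in range(n_resolvers):
        src = f"198.51.100.{r + 1}"
        for name in names:
            t = 100.0 + r
            for backoff in (0, 1, 2, 4, 8):
                t += backoff
                lines.append(f"{t:.3f} {src} {name} A")
    for b in range(n_bots):
        src = f"203.0.113.{b + 1}"
        t = 100.0
        for i in range(200):
            t += 0.01
            lines.append(f"{t:.3f} {src} {i:04x}.example.net A")
    lines.append("100.000 192.0.2.1 www.example.net A")
    lines.append("100.300 192.0.2.1 api.example.net AAAA")
    return lines


def parse_log(lines):
    """Group (timestamp, qname) pairs by source IP; skip malformed lines."""
    per_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        per_src[m["src"]].append((float(m["ts"]), m["qname"]))
    return per_src


def classify_source(events, max_names=16, min_repeat=2.0, min_gap=0.5, min_qps=20.0):
    """Label one source as 'retry', 'flood' or 'unknown'.

    retry : few distinct names, each asked repeatedly, with at least min_gap
            seconds between repeats of the same name (backoff signature).
    flood : many distinct names at a sustained rate of at least min_qps.
    Thresholds are illustrative, not tuned on real traffic.
    """
    by_name = defaultdict(list)
    for ts, qname in events:
        by_name[qname].append(ts)
    n = len(events)
    distinct = len(by_name)
    repeat = n / distinct
    # Spacing between successive queries for the *same* name is the retry signature.
    same_name_gaps = []
    for stamps in by_name.values():
        stamps.sort()
        same_name_gaps.extend(b - a for a, b in zip(stamps, stamps[1:]))
    gap = median(same_name_gaps) if same_name_gaps else 0.0
    stamps = sorted(ts for ts, _ in events)
    span = stamps[-1] - stamps[0]
    qps = n / span if span > 0 else float("inf")
    if distinct <= max_names and repeat >= min_repeat and gap >= min_gap:
        return "retry"
    if distinct > max_names and qps >= min_qps:
        return "flood"
    return "unknown"


def summarize(lines):
    """Return counts per label plus the naive unique-source count."""
    per_src = parse_log(lines)
    counts = {"retry": 0, "flood": 0, "unknown": 0}
    for events in per_src.values():
        counts[classify_source(events)] += 1
    counts["unique_sources"] = len(per_src)
    return counts


if __name__ == "__main__":
    print(summarize(build_sample_log()))
```

On the constructed log the naive count reports ten unique sources, but only three behave like a flood; the six resolvers are just retrying. That gap is the "false indicator" Hilton describes, and it is why an endpoint estimate has to be revised after the retry traffic is separated out. The thresholds here are placeholders; in practice they would be set against a baseline of normal resolver behaviour for the zone.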

Early observations of the TCP attack volume from a few of Dyn's datacenters indicate packet flow bursts 40 to 50 times higher than normal. This magnitude does not take into account the significant portion of traffic that never reached Dyn because of its own mitigation efforts and those of upstream providers. There have been some reports of a magnitude in the 1.2 Tbps range; at this time the company is unable to verify that claim.

Hilton says that Dyn will continue to conduct analysis, given the complexity and severity of this attack. The company quickly put protective measures in place during the attack, and it is extending and scaling those measures aggressively. Additionally, Dyn has been active in discussions with internet infrastructure providers to share learnings and mitigation methods. The company has also been the beneficiary of analysis by the Internet infrastructure and monitoring community, and says it appreciates the support.

“This attack has opened up an important conversation about Internet security and volatility,” Hilton writes. “Not only has it highlighted vulnerabilities in the security of ‘Internet of Things’ (IOT) devices that need to be addressed, but it has also sparked further dialogue in the internet infrastructure community about the future of the Internet. As we have in the past, we look forward to contributing to that dialogue.”