Dyn DNS Mirai DDoS attack
A massive Mirai-botnet DDoS attack against managed DNS provider Dyn knocked Twitter, Netflix, Spotify, GitHub, Reddit, and dozens of other major sites offline across the U.S. and Europe, demonstrating how a botnet of compromised IoT devices could disrupt large swathes of the internet.
- Victim: Dyn, Inc.
On 21 October 2016, three waves of distributed denial-of-service traffic struck Dyn, a managed DNS provider whose servers translated domain names for some of the internet's busiest sites. The attack — powered by the Mirai botnet of hijacked IoT devices — took Twitter, Netflix, Spotify, GitHub, Reddit, Airbnb, PayPal, and dozens more offline for users across the United States and Europe, and made "insecure smart devices" a mainstream security concern overnight.
What happened
Dyn operated authoritative DNS — the infrastructure that resolves human-readable domain names into IP addresses. When Dyn's servers became unreachable, browsers could not look up the addresses of any site that relied on Dyn, even though those sites' own servers were perfectly healthy. The result was a cascade of apparent outages across the web.
The traffic came from the Mirai botnet, a network of hundreds of thousands of compromised Internet of Things devices — IP cameras, DVRs, and home routers that shipped with default or hard-coded passwords. Mirai scanned the internet for such devices, logged in with a built-in list of common credentials, and enlisted them to flood targets on command. At its peak the Dyn attack drew on tens of millions of IP addresses, with widely reported volumes in the range of 1.2 Tbps.
The attack waves
The assault came in three distinct waves on 21 October:
- ~11:10 UTC — the first wave struck Dyn's East Coast infrastructure, breaking name resolution for a long list of major customers.
- ~15:50 UTC — a second, larger wave widened the outage across the U.S. and into Europe. At its height, roughly 75% of monitored global vantage points received no answer to Dyn queries.
- ~20:00 UTC — a third wave was largely absorbed as Dyn filtered malicious traffic and rerouted.
By 22:10 UTC, after about 11 hours of intermittent disruption, Dyn declared the incident resolved.
Attribution
The Mirai botnet was the creation of Paras Jha, Josiah White, and Dalton Norman, three young men who had built it initially to attack Minecraft servers and rival DDoS-for-hire operations. After Mirai's source code was published online in September 2016 (following a record attack on journalist Brian Krebs), copycat botnets proliferated — and it remains unsettled whether the Dyn attack was launched by the original authors or by one of the many derivative botnets. The three creators pleaded guilty to federal charges in December 2017.
Why it matters
The Dyn attack was a watershed for two reasons. First, it showed that DNS is a single point of failure for much of the web: knocking out one managed DNS provider can darken hundreds of unrelated services at once, prompting many large sites to adopt redundant, multi-provider DNS. Second, it made the insecurity of consumer IoT devices undeniable, accelerating regulation such as California's IoT security law (SB-327) and the UK's PSTI Act, which banned default passwords on connected devices. Mirai's template — scan, brute-force default credentials, conscript, flood — became the blueprint for a generation of IoT botnets that followed.
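The single-point-of-failure argument above can be turned into an audit of your own zones. The following is an added example, not part of the original page: it groups each domain's NS records by operator and reports which domains would stop resolving if one provider became unreachable. The record set is constructed, the domain and provider names are placeholders, and treating the last two labels of a nameserver hostname as the operator is an assumption.

```python
from collections import defaultdict

# Constructed sample NS records (zone-file style); all names are placeholders.
SAMPLE_NS = """\
shop.example.   NS ns1.dnsprovider-a.example.
shop.example.   NS ns2.dnsprovider-a.example.
media.example.  NS ns1.dnsprovider-a.example.
media.example.  NS ns3.dnsprovider-a.example.
bank.example.   NS ns1.dnsprovider-a.example.
bank.example.   NS ns1.dnsprovider-b.example.
news.example.   NS a.ns.dnsprovider-c.example.
news.example.   NS b.ns.dnsprovider-c.example.
"""

def provider_of(ns_host):
    """Assumption: the last two labels of the NS hostname identify the operator."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def parse_ns(text):
    """Return {domain: set of providers} from 'owner NS target' lines."""
    providers = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[1].upper() != "NS":
            continue  # skip blank lines and other record types
        providers[fields[0].rstrip(".").lower()].add(provider_of(fields[2]))
    return dict(providers)

def single_provider_domains(ns_map):
    """Domains whose nameservers are all run by one operator."""
    return sorted(d for d, provs in ns_map.items() if len(provs) == 1)

def blast_radius(ns_map):
    """Per provider, the domains that lose all authoritative servers if it alone fails.
    Resolver caching (TTLs) can delay the visible outage and is not modelled here."""
    radius = defaultdict(list)
    for domain, provs in ns_map.items():
        if len(provs) == 1:
            radius[next(iter(provs))].append(domain)
    return {p: sorted(d) for p, d in radius.items()}

if __name__ == "__main__":
    ns_map = parse_ns(SAMPLE_NS)
    for provider, domains in sorted(blast_radius(ns_map).items()):
        print(f"{provider} outage: {', '.join(domains)} unresolvable")
    print("multi-provider:", sorted(set(ns_map) - set(single_provider_domains(ns_map))))
```

Several nameserver hostnames under different domains can still belong to one operator, so a real audit should confirm provider separation against network ownership as well as names.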
Timeline
- September 2016: The Mirai source code is published online after powering a record DDoS against security journalist Brian Krebs's site, seeding a wave of copycat botnets.
- 21 October 2016, ~11:10 UTC: First DDoS wave hits Dyn's managed DNS infrastructure, disrupting name resolution for major customers on the U.S. East Coast.
- 21 October 2016, ~15:50 UTC: A second, larger wave broadens the outage across the U.S. and into Europe; roughly 75% of monitored vantage points see failed Dyn queries at peak.
- 21 October 2016, ~20:00 UTC: A third wave is largely mitigated by Dyn as it scrubs malicious traffic and reroutes.
- 21 October 2016, 22:10 UTC: Dyn confirms the attack has been resolved after roughly 11 hours of intermittent disruption.
- December 2017: The U.S. Department of Justice announces guilty pleas from Paras Jha, Josiah White, and Dalton Norman, the creators of the Mirai botnet.
Sources
- en.wikipedia.org: https://en.wikipedia.org/wiki/DDoS_attacks_on_Dyn
- justice.gov: https://www.justice.gov/opa/pr/justice-department-announces-charges-and-guilty-pleas-three-computer-crime-cases-involving
- thousandeyes.com: https://www.thousandeyes.com/blog/dyn-dns-ddos-attack
- krebsonsecurity.com: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/