Mirai Attack on Dyn Internet Infrastructure

A massive DDoS attack crippled a DNS provider on the East Coast, denying millions of users access to many popular websites and services, such as Spotify, Amazon, and Twitter. While DDoS attacks are nothing new on the internet, the magnitude of these recent attacks has earned them a place in the history of internet attacks.

On Friday, October 21st, the internet infrastructure company Dyn came under siege from massive Distributed Denial of Service (DDoS) attacks. Dyn was eventually able to mitigate the majority of the malicious traffic and restore its services. Once the DDoS attacks ended, investigations began pointing to a malware botnet, Mirai, as the culprit.

Mirai is malicious software, malware specifically, designed to scour the internet for Internet of Things (IoT) devices and take control of them remotely. An IoT device is any device that can be interconnected with other devices over the internet to send, receive, store, and analyze data; this covers anything from a router or webcam to a home refrigerator, or even a toaster. Many of the IoT devices that were taken over, such as webcams, had Universal Plug and Play (UPnP) enabled. UPnP allows a device connected to a network to automatically obtain an IP address and communicate with other networked devices. A router with a UPnP device connected to it opens a port for that device, making it reachable from anywhere outside the network. Once an IoT device has been taken over, it joins the growing number of bots in what is referred to as a botnet. The Mirai software is hard-coded with a list of manufacturer default usernames and passwords, in the hope that the owner of a newly found IoT device has not changed the username and password. A majority of the vulnerable hardware devices used in this attack were manufactured by one specific company. This hardware was given a hard-coded set of default credentials by the manufacturer, which meant that in most cases each IoT device of a given model carried the same credentials as every other device of that model. Once the malware has entered the default credentials, Mirai gains access to the device and can send commands to it whenever the attacker deems fit.
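From the defender's side, the behaviour described above (rapid, repeated login attempts that eventually succeed with a default credential) is visible in a device's or gateway's authentication logs. The following is an added example, not code from the original post: it parses a few constructed syslog-style telnet login records from a hypothetical camera ("cam01") and flags source addresses that make a burst of attempts inside a short window, noting when a success followed earlier failures. The log format, hostnames and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the article): a hypothetical IoT camera
# ("cam01") whose telnet daemon logs every login attempt in syslog style.
SAMPLE_LOG = """\
Oct 21 11:00:01 cam01 telnetd: login attempt user=root from=198.51.100.7 result=fail
Oct 21 11:00:02 cam01 telnetd: login attempt user=admin from=198.51.100.7 result=fail
Oct 21 11:00:02 cam01 telnetd: login attempt user=root from=198.51.100.7 result=fail
Oct 21 11:00:03 cam01 telnetd: login attempt user=root from=198.51.100.7 result=success
Oct 21 11:05:00 cam01 telnetd: login attempt user=admin from=192.0.2.10 result=success
"""

# The line layout is an assumption for this example; adapt it to the real device.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd: login attempt "
    r"user=(?P<user>\S+) from=(?P<src>\S+) result=(?P<result>success|fail)$"
)


def parse_lines(text):
    """Turn raw log text into (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("src"), m.group("result")))
    return events


def find_guessing_sources(events, threshold=3, window_s=60):
    """Flag source IPs that make >= threshold login attempts inside any
    window_s-second window (the rapid-fire pattern of a credential-guessing
    bot), and record whether a success followed earlier failures."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        start = 0               # left edge of the sliding window
        burst = False
        failed_before = False
        success_after_fail = False
        for i, (ts, _user, _src, result) in enumerate(evs):
            while (ts - evs[start][0]).total_seconds() > window_s:
                start += 1
            if i - start + 1 >= threshold:
                burst = True
            if result == "fail":
                failed_before = True
            elif failed_before:
                success_after_fail = True
        if burst:
            findings[src] = {
                "attempts": len(evs),
                "succeeded_after_failures": success_after_fail,
            }
    return findings


if __name__ == "__main__":
    for src, info in find_guessing_sources(parse_lines(SAMPLE_LOG)).items():
        print(src, info)
```

A successful login that arrives right after a run of failures from the same source is the signal worth alerting on: it is exactly what a default-credential takeover looks like, and a device that lets anyone reach its telnet port from the internet has no other warning to give.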

One limitation of this malware is that it must maintain a constant live connection to the device. If a device infected with Mirai is powered off or reset, the malware is no longer on that device, because it lives only in dynamic memory, which is cleared on restart.

A Distributed Denial of Service attack is largely defined by its name. A Denial of Service (DoS) is anything that disrupts availability, leaving clients unable to use specific services. A distributed DoS is carried out from many locations at once, making it hard to tell the malicious traffic apart from regular client traffic.

The Mirai botnet, controlling all of its infected IoT devices, sent waves of malicious traffic from each device to the Domain Name Service (DNS) servers of Dyn, bringing down the name resolution service that lets clients find the addresses of websites. The DNS protocol is most simply thought of as a phone book for the internet. We, as users, know the names of websites, such as www.google.com, but we do not know the actual address of that web server. Just as with a phone book, we know a person's name and use it to look up their phone number or address. The concept is the same: to go to www.google.com, we must send a request to a DNS server to obtain the address of the actual website. Dyn is a large provider of DNS services to many major companies, such as Spotify, Twitter, and Amazon, which is why millions of users were unable to reach the websites of these companies. The companies' websites were not down, but the ability to reach them was disrupted.
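To make the phone-book analogy concrete, here is an added example (not code from the original post) that builds a DNS A query for www.google.com in wire format and parses a response. Both responses it handles are constructed locally for the example: one that answers with a documentation address (192.0.2.1, an assumed value) and one with the SERVFAIL response code, which is the shape of failure a client sees when the resolver cannot answer even though the web server itself is fine.

```python
import struct


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Standard query for an A record: 12-byte header, question, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg, offset):
    """Read a name at offset, following compression pointers (0xC0xx)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2      # the pointer itself is 2 bytes long
            jumped = True
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg):
    """Return the transaction id, response code and any A-record answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):                 # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
    return {"id": txid, "rcode": rcode, "answers": answers}


def build_response(query, rcode=0, address=None, ttl=300):
    """Construct a reply to `query` (test data for this example, not real traffic)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | rcode              # QR, RD and RA set, plus the response code
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if address else 0, 0, 0) + question
    if address:
        rdata = bytes(int(p) for p in address.split("."))
        # 0xC00C: pointer to the name at offset 12 (the question's owner name)
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata
    return msg


def resolution_status(resp):
    """Distinguish 'resolver could not answer' from 'resolved': in the former
    case the client never learns an address, so the site looks down to it."""
    if resp["rcode"] == 2:
        return "SERVFAIL: resolver could not answer"
    return "resolved" if resp["answers"] else "no answer"


if __name__ == "__main__":
    q = build_query("www.google.com")
    print(resolution_status(parse_response(build_response(q, address="192.0.2.1"))))
    print(resolution_status(parse_response(build_response(q, rcode=2))))
```

Nothing in the SERVFAIL path touches the web server: the client's browser never gets an address to connect to, which is precisely why the sites behind Dyn appeared to be down while their own servers kept running.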

The image above, via www.downdetector.com, shows one view of the impact of the Mirai attack on Dyn and the areas that experienced the most disruption while attempting to access websites Dyn provides services to. It's important to take maps like this with a grain of salt and to understand what they actually represent. In this case, it shows the areas where customers could not resolve DNS names for the servers in question. Geographical maps of internet effects can be very deceptive at first glance.

The attack on Dyn was one of the largest DDoS attacks the internet has seen. The Mirai botnet has also been credited with the DDoS attacks launched on security journalist Brian Krebs's website, www.krebsonsecurity.com, and on the France-based hosting provider OVH. The Mirai malware was publicly released on a hacker forum, giving anyone the ability to create their own botnet to use as a cyber weapon.

  • Dyn runs 20 data centers around the world for a combination of free and paid managed DNS services. October 21 saw impacts in 17 of them; many of those, especially during the first portion of the attack, were concentrated in the US East region.
  • Dyn’s DNS service uses anycast, where a single IP address is simultaneously announced from multiple data centers and servers. Each of the constellations shares IP addresses and routing prefixes, meaning that they share peering connections and routes across the Internet. It also means they share congestion during a DDoS attack.
Anycast graphic, from the excellent anycast explanation by DDI Guru.

Anycast DNS played a significant role in this attack and showed how geographical locality can influence purely cyber attacks. Anycast does not always produce geographical cause-and-effect relationships in such an attack, but it did for at least portions of the October 21 Dyn attack. This is partly because the Ashburn, VA area contains a larger concentration of network and data center resources than nearly any other region.
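The two points above (anycast sites share a prefix and therefore share congestion, and the congestion lands where the traffic sources are) can be shown with a small routing model. This is an added example, not code from the original post or from Dyn: it assumes four hypothetical anycast sites with made-up coordinates, routes every source to the nearest site by great-circle distance as a stand-in for BGP path selection, and then reports which sites exceed an assumed capacity and which legitimate clients end up sharing a congested site. The botnet source locations, request rates and capacity figure are all constructed.

```python
import math
from collections import Counter

# Hypothetical anycast sites (constructed lat/lon; "us-east" stands in for the
# Ashburn, VA area). All four announce the same prefix.
SITES = {
    "us-east": (39.0, -77.5),
    "us-west": (37.4, -122.1),
    "eu-west": (51.5, -0.1),
    "ap-east": (35.7, 139.7),
}


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def nearest_site(point, sites=SITES):
    """Simplified anycast: traffic lands at the topologically (here: geographically)
    closest site announcing the prefix."""
    return min(sites, key=lambda s: haversine_km(point, sites[s]))


def site_load(sources, sites=SITES):
    """sources: iterable of (lat, lon, requests_per_second). Returns load per site."""
    load = Counter()
    for lat, lon, rps in sources:
        load[nearest_site((lat, lon), sites)] += rps
    return load


def congested_sites(load, capacity_rps):
    """Sites whose offered load exceeds the (assumed) capacity."""
    return {site for site, rps in load.items() if rps > capacity_rps}


def affected_clients(clients, congested, sites=SITES):
    """Legitimate clients whose nearest site is congested: they suffer even
    though they are nowhere near the attack sources' chosen target."""
    return sorted(name for name, lat, lon in clients
                  if nearest_site((lat, lon), sites) in congested)


# Constructed scenario: infected devices concentrated on the US East Coast.
BOT_SOURCES = [
    (40.7, -74.0, 500),   # New York area
    (33.7, -84.4, 400),   # Atlanta area
    (41.9, -87.6, 300),   # Chicago area
]
# Constructed legitimate clients, each a modest 10 requests/s.
CLIENTS = [("paris", 48.9, 2.3), ("los-angeles", 34.1, -118.2), ("boston", 42.4, -71.1)]
SITE_CAPACITY_RPS = 1000  # assumed per-site capacity for the model


def run_model():
    """Combine bot and client traffic and report congestion and who it hits."""
    sources = BOT_SOURCES + [(lat, lon, 10) for _name, lat, lon in CLIENTS]
    load = site_load(sources)
    congested = congested_sites(load, SITE_CAPACITY_RPS)
    return load, congested, affected_clients(CLIENTS, congested)


if __name__ == "__main__":
    load, congested, hit = run_model()
    print(dict(load))
    print("congested:", congested, "affected clients:", hit)
```

In the model the East Coast bots all converge on the one site that also serves Boston, so Boston's lookups fail while Paris and Los Angeles, routed to other sites sharing the same IP addresses, are untouched. That is the geographical cause-and-effect relationship the post describes, and also why operators watch per-site load on anycast services rather than a single global figure.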

This post was written by: Steven Day & Mike Thompson