DDoS On Dyn Used Malicious TCP, UDP Traffic

Published: 22/11/2024   Category: security




Dyn confirms Mirai IoT botnet was primary source of the attack, with some 100,000 infected devices sending the bogus traffic.



Domain Name Service (DNS) provider Dyn today provided new details about the massive distributed denial-of-service (DDoS) attack it suffered on Oct. 21, which disrupted major websites including Okta, CNN, Pinterest, Reddit, and Twitter, and confirmed that the infamous Mirai botnet was the main culprit.
Scott Hilton, executive vice president of product for Dyn, said in a blog post that the attackers employed masked TCP and UDP traffic via port 53 in the attack, as well as recursive DNS retry traffic, which further exacerbated its impact.
Dyn also confirmed that the widely suspected Mirai botnet was a primary source of the DDoS attacks, which came in multiple waves and affected various websites for nearly nine hours on Friday.
"TCP is interesting ... prior threats and big DDoSes tended to be UDP-amplification attacks that require spoofing," says John Bambenek, threat systems manager at Fidelis Cybersecurity. "There's so much crap out there with default passwords."
Default credentials indeed are one of the main culprits that allowed the attackers to use an army of online cameras, DVRs, and other equipment in the attacks, according to security experts.
But the big question of who was behind the crippling attack on the DNS provider remains under investigation. "Dyn is collaborating in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attackers," Dyn's Hilton said in the post.
The DDoS attacks came in traffic bursts that were 40 to 50 times normal flows, he said. "This magnitude does not take into account a significant portion of traffic that never reached Dyn due to our own mitigation efforts as well as the mitigation of upstream providers," Hilton said.
The attackers also waged some smaller probing TCP attacks in the hours and days after the big attack, but Dyn was able to mitigate them.
He noted that the DNS traffic sent in the DDoS attacks also generated legitimate DNS retry traffic, making the attack more complicated to parse; the attack generated 10 to 20 times the normal DNS traffic levels thanks to malicious and legitimate retries combined.
"During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic," he said in the post. "When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume. We saw both attack and legitimate traffic coming from millions of IPs across all geographies."
Most of the attack came from Mirai-based botnets, using an estimated 100,000 infected devices.
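The retry problem Hilton describes can be illustrated with a small, added analysis script (this is example code written for this page, not Dyn's tooling, and the query log it runs on is constructed). It groups DNS queries by source, separates clients that repeat the same question after a timeout (legitimate retries) from sources that send many distinct names at a high rate without ever repeating one, notes the share of TCP port-53 traffic per source, and computes how much the legitimate retries alone inflate query volume. The thresholds are illustrative assumptions, not values from the article.

```python
from collections import defaultdict

# Constructed sample query log, not from the article: (time_s, src_ip, proto, qname, qtype).
SAMPLE_QUERIES = [
    (0.0, "198.51.100.10", "udp", "www.example.com", "A"),
    (1.0, "198.51.100.10", "udp", "www.example.com", "A"),  # client retry after timeout
    (3.0, "198.51.100.10", "udp", "www.example.com", "A"),  # second retry
    (0.5, "198.51.100.11", "udp", "mail.example.com", "MX"),
    (2.0, "198.51.100.11", "udp", "www.example.com", "A"),
    (0.1, "203.0.113.7", "tcp", "a1b2c3.example.com", "A"),  # many distinct names,
    (0.2, "203.0.113.7", "tcp", "d4e5f6.example.com", "A"),  # high rate, no repeats
    (0.3, "203.0.113.7", "tcp", "g7h8i9.example.com", "A"),
    (0.4, "203.0.113.7", "tcp", "j0k1l2.example.com", "A"),
    (0.5, "203.0.113.7", "tcp", "m3n4o5.example.com", "A"),
]

def classify_sources(queries, distinct_threshold=5, rate_threshold=5.0):
    # A retry repeats a (qname, qtype) the source already asked; a flood source
    # sends many distinct names at high rate and never repeats one. Thresholds are assumptions.
    per_src = defaultdict(list)
    for ts, src, proto, qname, qtype in queries:
        per_src[src].append((ts, proto, qname, qtype))
    report = {}
    for src, rows in per_src.items():
        rows.sort()
        total = len(rows)
        distinct = len({(q, t) for _, _, q, t in rows})
        retries = total - distinct
        rate = total / max(rows[-1][0] - rows[0][0], 1.0)  # queries/s, 1 s floor
        tcp_share = sum(p == "tcp" for _, p, _, _ in rows) / total
        if distinct >= distinct_threshold and rate >= rate_threshold:
            label = "suspect_flood"
        elif retries > 0:
            label = "retrying_client"
        else:
            label = "normal"
        report[src] = {"label": label, "total": total, "distinct": distinct,
                       "retries": retries, "rate": rate, "tcp_share": tcp_share}
    return report

def legit_retry_inflation(report):
    # Volume inflation from legitimate retries: queries seen / unique questions,
    # counted only over sources not flagged as flood.
    legit = [r for r in report.values() if r["label"] != "suspect_flood"]
    distinct = sum(r["distinct"] for r in legit)
    return sum(r["total"] for r in legit) / distinct if distinct else 0.0
```

On the sample log the retrying client alone turns one question into three queries, which is the congestion feedback loop the post describes; on a real resolver you would feed it a window of query logs and tune the thresholds to your baseline.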
Related Content:
Root And The New Age Of IoT-Based Attacks
DDoS Attack On DNS Provider Disrupts Okta, Twitter, Pinterest, Reddit, CNN, Others
2016 DDoS Attack Trends By The Numbers
Poorly Configured DNSSEC = Potential DDoS Weapon
IoT DDoS Attack Code Released

Black Hat Europe 2016 is coming to London's Business Design Centre November 1 through 4. Click for information on the briefing schedule and to register.
