by James Scott, Sr. Fellow, ICIT and Drew Spaniel, Researcher, ICIT
Throughout the morning, DYN has released statements indicating that the issue has been resolved, only to have the servers crash within the following hour. Without inside information, two hypotheses could explain the heat map and the disruption. First, it is possible that DYN mitigated the DDoS but has since been overwhelmed by the sudden influx of user traffic; the disruptions on the West Coast and in other countries would then be due to server overload caused by DYN's attempts to balance its traffic without the targeted East Coast servers. Second, and more consistent with the information that follows, it is possible that DYN has been hit with multiple waves of increasing DDoS traffic in a sophisticated, multi-layered attack meant to probe its defenses.
The attack against DYN is significant because it follows a trend that has been developing over the past year or so: the use of mobile and IoT devices in precision Distributed Denial of Service attacks against global root name servers and internet providers, using a disciplined probing methodology that tests and scales with the victim's defenses and delivers unprecedented amounts of traffic. Today's attack is not the first such attack. For instance, in December 2015, cyber-jihadists (or threat actors masquerading as cyber-jihadists) redirected the traffic of 18,000 mobile devices that had downloaded the Amaq Agency application against 13 root name servers supporting the global internet. In his September 13, 2016 blog post, Bruce Schneier reported on a sophisticated DDoS campaign targeting major companies and servers supporting the internet, which probed their defenses with increasing DDoS traffic until the point of failure was discovered. Within the last few weeks, Brian Krebs' blog was targeted with a 620 Gbps DDoS attack, and the French hosting company OVH was targeted with a 1.1 Tbps attack. Interestingly enough, this morning's attack occurred hours after Doug Madory presented a talk on DDoS attacks in Dallas, Texas, for the North American Network Operators Group (NANOG). The lecture was based on the research of Madory and Krebs for the story "DDoS Mitigation Firm has History of Hijacks."
The attack does not expose a new significant vulnerability, but it demonstrates a well-known vulnerability in the structure of the internet. Simply put, the internet in its original and modern form was not designed with security in mind; consequently, the DNS servers and other critical infrastructure supporting the global internet have always been tantalizing targets for malicious adversaries intent on disrupting services. Now, it seems that an adversary has developed those capabilities. The 620 Gbps attack on Brian Krebs' blog was achieved through the Mirai botnet, whose source code is available on the Deep Web. Mirai directs traffic from infected IoT devices at specific targets. It is possible that the same code, or a similar tool, was leveraged against DYN today. The disciplined methodology of the attacker and the precision of the attack indicate that the threat actor may be an opportunistic nation state advanced persistent threat actor, likely originating in Russia or China.