Dyn confirms Friday DDoS attack was based on Mirai botnet

Downdetector outage map, Oct. 21, 2016 DynDNS DDoS attack
The dreaded red blob: Screenshot of geographic locations from which users reported outages on Level 3's transport network as of Oct. 21, 2016. However, Level 3 said its networks were unaffected during a multiple-wave DDoS aimed at New Hampshire-based Dyn DNS. Map image: Downdetector.com

Dyn, a managed DNS provider for a number of major web sites, confirmed that the Mirai botnet was one source of the traffic in the distributed-denial-of-service (DDoS) attack that caused a widespread internet outage on the U.S. East Coast on Friday.

Mirai is DDoS bot malware that targets Linux-based systems, in particular internet of things (IoT) devices. It does not arrive by email: each infected device scans the internet for other devices with telnet exposed (TCP ports 23 and 2323), logs in with a built-in list of factory-default usernames and passwords, and reports working credentials to the operator's infrastructure, which then loads the bot onto the new victim. The result is a robot network (botnet) of consumer devices that the operator can point at a target on command.

Devices such as DVRs and IP cameras played a big role in this DDoS because they are easy to compromise: their firmware ships with default or hardcoded credentials, often for a root account reachable over telnet, that most users never change and, on some models, cannot change.
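The propagation mechanism above leaves a recognisable trace on any network that logs inbound connection attempts: one source hitting telnet on many distinct hosts in a short span. The following Python script is an added example for this article, not code from the article or from Dyn, Flashpoint or Akamai. It assumes an iptables-style log layout (`SRC=... DST=... PROTO=TCP ... DPT=... SEQ=...`) constructed inline, an illustrative threshold of five distinct targets, and uses one widely reported fingerprint of the leaked Mirai scanner: it sets the TCP sequence number of its SYN probes to the destination IPv4 address. The function and constant names (`find_telnet_scanners`, `SAMPLE_LOG`, `MIN_DISTINCT_TARGETS`) are the example's own.

```python
"""Flag Mirai-style telnet sweeps in iptables-style firewall logs.

Added example for this article; not code from the article, Dyn, Flashpoint
or Akamai. Assumptions: the log layout below is constructed, the sweep
threshold is illustrative, and SEQ is present only if the firewall logs it.
"""
import ipaddress
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}       # the two ports Mirai's scanner probes
MIN_DISTINCT_TARGETS = 5        # assumed: distinct hosts before we call it a sweep

# Assumed iptables-style layout: SRC, DST, PROTO, DPT and an optional SEQ field.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)"
    r"(?:.*?SEQ=(?P<seq>\d+))?"
)


def parse_line(line):
    """Return the fields of one TCP log line, or None for anything else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dpt": int(m.group("dpt")),
        "seq": int(m.group("seq")) if m.group("seq") else None,
    }


def seq_matches_dst(rec):
    """The leaked Mirai scanner sets the SYN's TCP sequence number to the
    destination IPv4 address, so seq == int(dst) is a strong fingerprint
    whenever the firewall logs sequence numbers."""
    if rec["seq"] is None:
        return False
    return rec["seq"] == int(ipaddress.IPv4Address(rec["dst"]))


def find_telnet_scanners(lines, min_targets=MIN_DISTINCT_TARGETS):
    """Map each source that probed telnet on >= min_targets distinct hosts to
    a report; confidence is "high" only when the Mirai seq fingerprint hit."""
    targets = defaultdict(set)
    fingerprint_hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dpt"] not in TELNET_PORTS:
            continue
        targets[rec["src"]].add(rec["dst"])
        if seq_matches_dst(rec):
            fingerprint_hits[rec["src"]] += 1
    report = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            report[src] = {
                "targets": len(dsts),
                "seq_eq_dst": fingerprint_hits[src],
                "confidence": "high" if fingerprint_hits[src] else "medium",
            }
    return report


def _mirai_style_line(src, dst, dpt):
    """Constructed log line (not a real capture) with SEQ set the way Mirai does."""
    seq = int(ipaddress.IPv4Address(dst))
    return (f"kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=40 PROTO=TCP "
            f"SPT=51432 DPT={dpt} SEQ={seq} SYN")


# Constructed sample log: one sweep of eight hosts, one two-host telnet probe
# with ordinary sequence numbers, and HTTPS/UDP noise the detector must ignore.
SAMPLE_LOG = [
    *(_mirai_style_line("198.51.100.7", f"203.0.113.{i}", 23 if i % 2 else 2323)
      for i in range(10, 18)),
    "kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=40001 DPT=23 SEQ=123456789 SYN",
    "kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.11 LEN=40 PROTO=TCP SPT=40002 DPT=23 SEQ=123456790 SYN",
    "kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 LEN=52 PROTO=TCP SPT=55000 DPT=443 SEQ=99 SYN",
    "kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 LEN=60 PROTO=UDP SPT=53000 DPT=53",
]

if __name__ == "__main__":
    for src, info in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} telnet targets, "
              f"{info['seq_eq_dst']} Mirai seq hits, confidence={info['confidence']}")
```

On the sample log the script reports only 198.51.100.7, with all eight probes carrying the sequence-number fingerprint; the two-host probe from 192.0.2.44 stays below the threshold and, even if the threshold is lowered, is rated "medium" because its sequence numbers are ordinary. Without `--log-tcp-sequence` (or an equivalent) the SEQ field is absent and the detector falls back to the distinct-target count alone.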

In a blog post, Dyn said the attack involved what it described as tens of millions of IP addresses and that it is “conducting a thorough root cause and forensic analysis.”

“The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations,” said Kyle York, chief strategy officer for Dyn, in a blog post. “We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

The attack also drove up DNS resolution times for sites in the U.S. and in several other countries, since resolvers that could not reach Dyn's authoritative servers had to retry or time out before answering.

A group called "New World Hackers," which claimed it was behind a DDoS attack on the BBC earlier this year, claimed responsibility for the massive cyberattack via Twitter.

Dyn said that the attack began at 11:10 UTC, or 7:10 AM EDT, and affected customers of its managed DNS service on the East Coast. Later, Dyn reported that as of 9:21 AM EDT, “services have been restored to normal,” although sites such as Twitter were still operating spottily a few hours later, and Downdetector and Twitter posts suggested the DDoS attack may have resumed.

The Department of Homeland Security is also looking into the attacks, which according to various reports affected websites and services including Amazon, Twitter, Netflix, Spotify, PayPal, Airbnb, Reddit, Tumblr, GitHub and the New York Times.

According to a report in Time, Homeland Security warned that attackers have found ways to infect routers, printers, smart TVs and other connected devices with malware. Once infected, such devices are enlisted into “bot” armies whose combined traffic overwhelms web servers in DDoS attacks.
