Dyn says that the DDoS attack that swamped its DNS resolution service last week was backed by far fewer internet of things (IoT) devices than it thought before.
Previously it said it was hit by traffic from tens of millions of IP addresses, some of which were likely spoofed, making the actual number of bots involved far fewer. “We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints,” the company says in a status update.
The attacks, which knocked out access to some high-profile Web sites, threw as many packets at Dyn’s infrastructure as it could and the company responded with its own mitigation actions as well as cooperation from upstream internet providers who blocked some of the attack flow. “These techniques included traffic-shaping incoming traffic, rebalancing of that traffic by manipulation of [DNS querying] anycast policies, application of internal filtering and deployment of scrubbing services,” the company says.
Despite these efforts, Dyn says it still suffered waves of packets 40 to 50 times higher than normal traffic, so it doesn’t have direct knowledge of the full volume of the attack. “There have been some reports of a magnitude in the 1.2 Tbps range; at this time we are unable to verify that claim,” writes Scott Hilton, the company’s executive vice president of product.
Since the DNS servers were flooded by request, many of them went unanswered before the time interval allotted to answer them expired. So the querying machines – both legitimate and bot – did retries, generating even more traffic and compounding the effect of the attack, the company says.
“It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be,” the posting says.
While the effects of the attacks were felt publicly less than 24 hours, probing attacks against Dyn continued for days afterward but were handled by the company without significant impact on services.
There are certain aspects of the attack the company won’t talk about. “Dyn is collaborating in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attackers,” Hilton says.
As has already been confirmed by researchers at other service providers, the main source of the attack was a Mirai botnet. The malware that gathers Mirai bots has been used over the past month to create what is believed to be the largest volume DDoS on record, something over 1Tbps.
Because the source code for Mirai has been posted publicly, this type if attack is likely to continue for the foreseeable future, experts say, with no clear path to stemming the threat.
Dyn says it is working with other infrastructure providers to figure out effective mitigation strategies so attacks like the ones it suffered last week can be brought under control more quickly and with less impact on end users just trying to use the internet.