The massive DDoS attack that disrupted the internet address-lookup service Dyn last week was perhaps pulled off by a script kiddie targeting PlayStation Network and using Mirai malware to assemble a massive IoT botnet, according to research by Flashpoint.
“Flashpoint assesses with moderate confidence that the most recent Mirai attacks are likely connected to the English-language hacking forum community, specifically users and readers of the forum ‘hackforums.net,’” according to a blog by Allison Nixon, director of security research at Flashpoint.
She says the company has discovered the infrastructure used in the Dyn attack also targeted “a well-known video game company” that she doesn’t name. A post on hackforums.net seems to agree with this possibility. It indicates the target was PlayStation Network and that Dyn was hit because it provides DNS services to PSN. Going after the name servers (NS) that provide lookups for PSN would prevent traffic from reaching PSN.
The hackforums.net post reads: “this is funny, only because they didnt actually attk DYN fun fact DYN was never intentionally attkd until later that day PSN was the target (bf1 release) they used DYN's ns: ns00.playstation.net, ns01.playstation.net, ns02.playstation.net etc.” This was posted by someone with the screen name qbotwithasupermicroontop.
Nixon writes that one actor who claims to be behind distribution of Mirai – screen name Anna-Senpai – also participates in these hacker forums. “The hackers that frequent this forum have been previously known to launch these types of attacks, though at a much smaller scale,” she writes.
These factors combine to make her think it’s likely that someone on hackforums.net is behind the Dyn attack, she says. “These hackers exist on their own tier, sometimes called ‘script kiddies,’ and are separate and distinct from hacktivists, organized crime, state-actors, and terrorist groups,” according to the blog.
Political actors, criminals and terrorists don’t fit the bill, she says, because they usually have readily discoverable political, financial or strategic goals, “and they are very unlikely to launch an attack against a video game company.”
There have been no public indicators of extortion against Dyn, which would indicate criminals. Since Dyn serves a broad range of customers, knocking out its service “does not disproportionately affect any one political entity,” so she rules out political actors.
Nick Kephart, network outage analyst at ThousandEyes, says Nixon’s analysis sounds plausible, although firing off an enormous amount of DDoS traffic at Dyn to affect just one customer is overkill. A smaller attack against the specific customer would have been more efficient, he says, and likely would have been an easier target. Plus, Dyn is one of the best-suited internet organizations in the world to defend itself against DDoS attacks, he says.
Meanwhile, Martin McKeay, security evangelist for Akamai, says that he thought the attack might have been against a Dyn customer and that taking down Dyn was a way to mask who the actual target was.
Knocking out Dyn’s customers’ public Web servers could also have been a distraction – getting the victim to spend so much time dealing with lost Web commerce, for example, that another, more targeted attack, went unnoticed, he says. “If I was a secondary victim whose DNS was affected by this? I’d take a close look at my logs,” he says, for signs of other attacks.
He also says the number of IoT devices involved in the attack is grossly overestimated. Dyn has said it was tens of millions. McKeay says he thinks it was likely hundreds of thousands spoofing more than one IP address to make it more difficult to block all the incoming DNS queries. “I would be hard pressed to believe there were tens of millions,” he says.
Earlier estimates put the number of devices in the Mirai botnet that took down the Krebs on Security Web site at just south of 400,000, but that’s orders of magnitude smaller than the tens of millions Dyn claims. “I can’t imagine it’s gone from 380,000 to tens of millions in three weeks,” he says.
That assessment is backed up by other experts. Because many of the internet of things (IoT) devices – security cameras, DVRs, routers – use dynamic IP addresses, the number of IP addresses recorded attacking Dyn would be greater than the actual number of devices, according to Kephart.