Was Mirai malware behind Dyn DDoS attack?

DDoS Attack on screen
(Image credit: Shutterstock)

Mirai, the botnet malware that was made open source at the beginning of this month, was allegedly behind the DDoS attack that took out Twitter, Github and Spotify, among others, on Friday.

The attack, which initially affected the east coast of the US before becoming global later in the evening, used the same IoT-powered malware that knocked security specialist Brian Krebs's website Krebs On Security offline in September, it has been claimed.

In an analysis of the attack, researchers at security vendor Flashpoint claimed they had confirmed that at least some of the infrastructure in the attack was infected by Mirai malware.

Mirai specialises in recruiting IoT devices, such as thermostats, fridges or, as has been identified in this case, webcams to botnets, which are then used to unleash a massive torrent of traffic on the victim - in this case, Dyn.

In a statement, Dyn said it had observed tens-of-millions of discrete IP addresses associated with the Mirai botnet were part of the attack. What, if any, other infrastructure or botnets were involved has not been disclosed by anyone.

In the wake of the attack, Chinese manufacturer Hangzhou Xiongmai has issued a product recall for its webcams in the US after it was revealed the devices were used as part of the attack. It was claimed that easy-to-guess default passwords enabled Mirai to take control of the devices.

In a staement toBBC News, Xiongmai denied its webcams had made up the bulk of the devices involved, saying: "Security issues are a problem facin all mankind. Since industry giants have experienced them, Xiongmail is not afraid to experience them too."

21/10/2016:Major DDoS attack cripples Spotify, Github, Twitter in US

A DDoS attack pulled down Github, Reddit, Twitter, Spotify and other major sites across the US east coast today.

The attack, which targeted servers belonging to DNS provider Dyn, also hit customers such as Etsy, Soundcloud, Heroku and Shopify, according to Hacker News.

Dyn said the attack started at 11.10am UTC, and that by 1.20pm it had restored services to normal.

A statement on its status page said: "We began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available."

When IT Pro approached Dyn for comment, Scott Hilton,executive VP of products, said the cyber attack was "global" in nature, suggesting quite a large botnet could be roped into the effort, but did not say whether Dyn has identified the source of the attack.

In an emailed statement, he added: "DNS traffic resolved from east coast name server locations are experiencing a service degradation or intermittent interruption during this time. Updates will be posted as information becomes available.

"Upon recognition, active mitigation protocols were initiated and have been working to resolve the issues. Customers with questions or concerns are encouraged to check our status page for updates and reach out to our Technical Support Team.

While it was primarily US east coast servers that were affected, some European users also suffered.

User 'Tzaman' wrote in a comment on Hacker News: "I can't access our production servers which are in US east. Can't access Intercom [a communication platform using Dyn's Managed DNS] with which we provide customer support. Our clients are mailing us that payment provider doesn't work either. So we're losing money while being in central EU."

The news comes after cybersecurity guru Bruce Schneier warned that a nation state was hitting key hosting providers of the world's internet with DDoS attacks.

He said: "Someone is extensively testing the core defensive capabilities of the companies that provide critical internet services."

Jane McCallion
Deputy Editor

Jane McCallion is ITPro's deputy editor, specializing in cloud computing, cyber security, data centers and enterprise IT infrastructure. Before becoming Deputy Editor, she held the role of Features Editor, managing a pool of freelance and internal writers, while continuing to specialise in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.