Dyn, the domain name system provider attacked Friday, has just published new detail on the incident that took down major web services like GitHub and Twitter.
Dyn substantially lowered its estimate of the size of the botnet used in the attack to about 100,000 nodes, from an earlier estimate of tens of millions of infected devices. The company’s update also reveals attackers continued to probe the company’s defenses with a series of small attacks for days after the initial attacks were resolved.
A botnet is a network of hijacked devices used to unleash a flood of data, overwhelming servers. If the botnet were composed of tens of millions of devices, as Dyn originally estimated, the potency of the hackers’ attacks would have been significantly greater. The current figure tallies with other estimates of the number of devices worldwide susceptible to this sort of abuse (this map suggests there are 186,000 vulnerable devices globally).
The size of the botnet was initially overestimated because DNS servers automatically attempt to refresh their content during a disruption. Constant refreshing of caches by servers contributed to the torrent of data, ultimately worsening the attack. It also obscured the origin of the attack, making it difficult for Dyn to figure out what was and wasn’t malicious traffic, the company’s update said.
Dyn’s analysis showed the hackers modified their attacks several times in a sophisticated and concerted effort to prolong the disruption. The attacks used devices controlled by the Mirai malware, which hijacks internet-connected video cameras and other internet of things devices, Dyn confirmed.
“A significant volume of attack traffic originated from Mirai-based botnets,” the company wrote.
The firm was not able to confirm the amount of traffic directed at its servers; the current record stands at over 600 gigabits per second, used against security journalist Brian Krebs in September. Dyn said only it recorded traffic bursts of up to 50 times higher than normal (although it didn’t specify what the “normal” level is), and that this figure is likely to be an underestimate because of the defensive measures Dyn and other service providers implemented to filter the malicious traffic. The firm also refused to comment on the identity of the attackers, saying only it is working with law enforcement on a criminal investigation.