A DDoS Attack Hit the Dyn Managed DNS: Is Someone Trying To Cause An Internet Takedown?

Pierluigi Paganini
October 24, 2016 by
Pierluigi Paganini

The Cyber Attack

The Internet is one of the most important critical infrastructures for almost every country in the world. It is a "global commons" on which leverage the most important services of modern society.

Are the modern Internet and its infrastructure resilient to any kind of cyber-attack?

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

What will happen in the case of a massive a cyber-attack against its backbone?

In a worst scenario, many critical services will go down causing serious damages to the population.

A few hours ago a massive distributed denial-of-service (DDoS) targeted the Managed DNS infrastructure of cloud-based Internet performance management company Dyn.

The attack had a significant impact on Internet users located in the US that were not able to reach popular web services. The list of affected websites includes Twitter, Spotify, SaneBox, Reddit, Box, Github, Zoho CRM, PayPal, Airbnb, Freshbooks,, Pinterest, Heroku and Vox Media properties.

GitHub has notified its users that its upstream DNS provider is under a massive DDoS that caused problems on a global scale.

Dyn confirmed the DDoS attack against its DNS service that started at 11:10 UTC. The company is still working on mitigating the attack.

The company announced that a DDoS attack hit the Dyn Managed DNS advanced services.

The DDoS attack started at 11:10 UTC, some customers experienced increased DNS query latency and delayed zone propagation during the offensive.

Below is the official Announcement published by the company:

"Update - This DDoS attack may also be impacting Dyn Managed DNS advanced services with possible delays in monitoring. Our Engineers are continuing to work on mitigating this issue. 

Oct 21, 16:48 UTC

Investigating - As of 15:52 UTC, we have begun monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Our Engineers are continuing to work on mitigating this issue.

Oct 21, 16:06 UTC

Monitoring - Services have been restored to normal as of 13:20 UTC.

Oct 21, 13:36 UTC

Update - This attack is mainly impacting US East and is impacting Managed DNS customers in this region. Our Engineers are continuing to work on mitigating this issue.

Oct 21, 12:45 UTC

Investigating - Starting at 11:10 UTC on October 21st-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available. "

In the following graph, it is reported the status of the Twitter service just after the attack, at the time of the writing, the service also was not reachable.

Why is someone attacking the DNS?

DNS act as the authoritative reference for mapping the domain names to IP addresses. It works as an Internet's phone book that maps human-readable domain names to IP addresses.

In the specific case, Dyn DNS is used by many websites and services as their upstream DNS provider.

Figure 2 - Twitter Status (

The attack had apparently a limited impact on the European and Asian Users, I live in Italy, and here we had initially no problems in reaching some of the affected websites. Anyway, at the time I was writing Github is not reachable, and also European users are experiencing the Dyn DNS outage.

Extortion or cyber-attack from a nation-state attack?

DDoS attacks continue to represent a serious threat for against the web services and the overall Internet infrastructure.

Although such kind of attack appears very simple to carry on for the attackers, it is often very difficult to mitigate the threat without the support of companies specialized in DDoS mitigation services.

DDoS attacks are powered by large botnets that are able to launch powerful attacks such as the recent ones that hit the websites of the popular investigators, Brian Krebs, peaking 620 Gbps, and the OVH hosting providers. In this last case, the DDoS attack was powered by the Mirai botnet and reached a magnitude never seen before, it peaked 1 Tbps.

According to security experts, the massive DDoS attack that hit the Dyn DNS service was powered by a huge army of hijacked Internet of Things devices.

The security intelligence firm Flashpoint published an interesting post on the massive DDoS in which confirm that its experts have observed the Mirai bots driving the attack against DynDNS.

"Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware. Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs' blog "Krebs On Security" and French internet service and hosting provider OVH." reads the analysis published by Flashpoint "Mirai malware targets Internet of Things (IoT) devices like routers, digital video records (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. "

Below the Key Findings of the report published by Flashpoint

  • Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware.
  • Mirai botnets were previously used in DDoS attacks against the "Krebs On Security" blog and OVH.
  • As of 1730 EST, the attacks against Dyn DNS are still ongoing. Flashpoint is coordinating with multiple vendors and law enforcement to track the infected devices that constitute the botnet being used to conduct these attacks.

This is not surprising if we consider that the source code of the botnet was leaked of the popular criminal hacker forum Hackforum earlier October by a user with moniker "Anna-senpai" that shared the link to the source code of the malware "Mirai."

The Mirai Botnet was first spotted by the researcher MalwareMustDie this summer targeting IoT devices, it mainly targets connected objects such as routers, CCTV, and DVRs.

The availability of the source code of Mirai Botnet in the wild theoretically made possible everyone to power a botnet.

Watch out! The Mirai botnet that powered the attack against the Dyn DNS service is not the same used against Krebs's site and OVH.

"While Flashpoint has confirmed that Mirai botnets were used in the October 21, 2016, attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against "Krebs on Security" and OVH. Earlier this month, "Anna_Senpai," the hacker operating the large Mirai botnet used in the Krebs DDoS, released Mira's source code online." continues Flashpoint "Since this release, copycat hackers have used the malware to create botnets of their own in order to launch DDoS attacks."

If you are interested to know more about the diffusion of the Mirai Botnet you can use this online tracker that reports more than 1.2 Million IPs seen associated with devices infected by the Mirai code in the wild. Consider that isn't the exact number of infected devices because many of them use dynamic IPs.

Figure 4 - Mirai Botnet Tracker

The risks of cyber-attacks against the Internet infrastructure are concrete, the global network was not designed to be resilient to so powerful cyber-attacks. Many components in its backbone could be easily targeted by well-funded attackers, such as criminal syndicates or nation-state actors.

According to cyber security expert Brian Krebs, the DDoS attack on DYN comes just hours after DYN researcher Doug Madory presented a talk on DDoS attacks at a meeting of the North American Network Operators Group (NANOG) held in Dallas.

Madory and Krebs conducted a joint investigation on the operators behind a DDoS service, named vDOS.

Krebs criticized DDoS mitigation firms that often ignore such powerful attacks, their magnitude is increasing so quickly that make the actual defense often not efficient to mitigate the threat.

"The size of these DDoS attacks has increased so much lately thanks largely to the broad availability of tools for compromising and leveraging the collective firepower of so-called Internet of Things devices — poorly secured Internet-based security cameras, digital video recorders (DVRs) and Internet routers. Last month, a hacker by the name of Anna_Senpai released the source code for Mirai, a crime machine that enslaves IoT devices for use in large DDoS attacks. The 620 Gbps attack that hit my site last month was launched by a botnet built on Mirai, for example," explained Krebs.

This means that cyber-criminals could be interested in targeting infrastructure with extortion attacks.

"According to a discussion thread started Wednesday on Web Hosting Talk, criminals are now invoking the Mirai author's nickname in a bid to extort Bitcoins from targeted hosting providers.

"If you do not pay in time, DDoS attack will start, your web-services will go down permanently. After that, price to stop will be increased to 5 BTC with a further increment of 5 BTC for every day of the attack," wrote Krebs.

We also cannot underestimate the threat represented by state-sponsored hackers.

Early September the popular cyber security expert Bruce Schneier published an interesting post titled "Someone Is Learning How to Take Down the Internet" that reveals an escalation of cyber-attacks against service providers and companies responsible for the basic infrastructure of the Internet.

The experts were referring coordinated attacks that could be powered by hackers aiming to shut down the Internet. Schneier explained that the attacks that experts are observing are a sort of tests to evaluate the resilience of most critical nodes of the global Internet.

The attacks experienced by the companies need a significant effort and huge resources, a circumstance that suggests the involvement of a persistent attacker like a government, and China is the first suspect.

Our society and its economy heavily depend on technology, and the Internet is the privileged vector of the information today. Blocking the Internet could paralyze countless services in almost any industry, from finance to transportation.

Clearly, an attack against the Internet could also be considered as a possible option for a government in an Information warfare context.

"Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing." wrote Schneier.

"I am unable to give details because these companies spoke with me on a condition of anonymity. But this all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there's a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn't have the level of detail I heard from the companies I spoke with, the trends are the same: "in Q2 2016, attacks continued to become more frequent, persistent, and complex."

It is clear that attackers aim to cause a global blackout of the most common top-level domains paralyzing a large portion of the Internet.

Schneier, who has spoken with companies that faced the attacks, pointed out powerful DDoS attacks that attacks that stand out of the ordinary for their methodically escalating nature.

According to the experts, recent attacks against the Internet infrastructure start with a certain power that increases as time goes by forcing the victims to deploy all its countermeasures to mitigate the threat.

Schneier cited a report titled "VERISIGN-OBSERVED DDoS ATTACK TRENDS: Q2 2016" that confirms worldwide are experiencing a wave of DDoS attacks even more sophisticated.

Figure 5 - Verisign-Observed DDos Attack Trends: Q2 2016

"DDoS Attacks Become More Sophisticated and Persistent DDoS attacks are a reality for today's web-reliant organizations. In Q2 2016, DDoS attacks continued to become more frequent, persistent and complex," states the report.

Schneier also reported other types of attacks against the Internet infrastructure, such as numerous attempts to tamper with Internet addresses and routing.

"One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services," continues Schneier.

Who is behind the attacks?

Schneier speculates that the recent wave of DDoS is powered by a nation-state attacker and he seems to exclude the involvement of hacktivists or cyber criminals, and I agree.

"It doesn't seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It's not normal for companies to do that. Furthermore, the size and scale of these probes — and especially their persistence — points to state actors," explains Schneier.

"The attribution of the attacks is very difficult but according the expert data collected on the events suggests that China is behind them.

"Anyway, we have to consider the difficulty of attribute an attack to a specific threat actor. Attackers use to adopt diversionary strategies and false flags in order to make hard the attribution. Let me also add that other governments have such abilities, Russia is one of them and its experts are also able to hide their operations to the security community.

"Both Russia and China are largely investing in building infrastructures that would be resilient to such kind of mass attacks.

"We don't know where the attacks come from. The data I see suggests China, an assessment shared by the people I spoke with. On the other hand, it's possible to disguise the country of origin for these sorts of attacks."

Unfortunately, DDoS attacks like the one that today hit the Dyn DNS service will likely occur again, and we cannot underestimate the risk that threat actors could also exploit design flaws in the core components of the Internet.

Back to the attack on the Dyn DNS service, I believe the leak of the source code of such kind of botnet could also be part of a wider strategy of a certain category of attackers that intend to power massive attacks making impossible the attribution.

According to a new report from Reuters, the FBI and the Department of Homeland Security (DHS) are investigating the massive DDoS attacks that targeted the DNS provider.

Update – The Culprit, the hacktivism

WikiLeaks confirmed that its supporters launched the massive DDoS attack to protest against the decision of the Ecuadorian government's to cut off the Internet connection of the WikiLeaks founder Julian Assange due to the US Political election leaks.

Yesterday evening I reached the hacking collective NewWorldHacking via Twitter asking them more information about the attack.

The hackers confirmed to me that they started the massive attack against the Dyn DNS service, anyway, they were not alone.

According to the NewWorldHacking, many other groups linked to the Anonymous collective participated in the attack.

When I asked which Anon groups were involved they replied that many crews targeted the Dyn DNS service.

"Anonymous, Pretty much all of Anonymous," says NewWorldHacking.

They confirmed that they are testing the capability of their botnet, highlighting that the DDoS attack against the Dyn DNS Service was carried with the Mirai botnet alongside with other booters.

Most interesting is the motivation that they provided. Not only the Assange's case. They told me that the attack is also a message for the Russian Government.

"If Russia is against the U.S we are against Russia. This is where we draw the line, we are sending a warning message to Russia. "

The information I collected seems to be in line with the statements that the hacktivist groups Anonymous and the NewWorldHacking released to the Politico.


See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Pierluigi Paganini
Pierluigi Paganini

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.

Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.