DDoS Attack That Shook Up The World Came From A Small Number Of Devices.

The internet, now, has become a basic human right. More needs to be done for its security.

Most of you  probably know by now that a massive DDoS (Distributed Denial of Service) attack took place about two weeks ago which disrupted more than half of America’s internet.

What you might not know is that the same massive DDoS attack was actually a result of just 100,000 devices working together to bring about such a disturbance.

But these weren’t your average devices such as a toaster or a CRT Television set, these devices were part of the Internet of Things. What that essentially means is that all of these devices were connected to the internet in one way or another.

Not only that, these devices also had security flaws that hackers exploited in order to gain access to sensitive parts of the internet.

How many of us folks could have guessed at the number of IoT (Internet of Things) devices that were involved in the massive DDoS attack that took place two weeks ago, against DNS (Domain Name System) service provider by the name of Dyn?

As indicated before, just a mere 100,000 (which is a pretty small number relatively speaking especially when considering the fact that there are more than 3.5 billion people on earth who access the internet through one device or another ) of these IoT devices were enough to cause an enormous internet outage that affected more than half of America and some part of Europe and South America as well.

Some of you might be thinking right now that we must have missed a zero here and there. But no, it was actually just 100,000 of IoT devices that caused the huge DDoS attack that wiped out the internet for most users in the aforementioned locations.

Services such as Twitter and Facebook were also unavailable to a lot of online users for most of the day when the attack took place.

The following Wednesday (the DDoS attack took place two Friday’s ago) Dyn, a cloud-based Internet Performance Management company, told reporters in the media that a botnet that had an estimated size of 100,000 IoT (Internet of Things) devices was basically hacked by cyber criminals which allowed them to flood the company’s systems with artificial and unwanted requests. That, in turn, shut down the internet for millions of users who resided in the United States of America, Europe and some part of South America.

The massive DDoS attack was the reason why millions of users could not access their favorite websites for hours.

Scott Hilton, who is the executive vice president at Dyn, came out with a statement and said that all compromised internet-connected devices had been infected with a well-known, or rather notorious, Mirai malware that was able to take control of them. Devices such as camera, wireless internet routers along with DVRs all were infected and then hacked.

Hilton also said that the company was still working on analyzing the data but the estimate at the time of the report was up to 100,000 malicious endpoints.

He further added that Dyn was able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.

For those you who don’t know, a Mirai malware essentially scans a network for various Internet of Things devices that are still operating with their default, and in most cases easily guessed, passwords. The malware, after identifying such devices, then proceeds to take control of those internet-connected devices and transforms a big number of them into a botnet.

That botnet, which consists of those corrupted IoT devices, is then used to launch a DDoS attacks, usually at the most critical infrastructure that supports what we know as the internet.

It took Dyn more than 24 hours after the attack, to confirm that a botnet that comprised of Mirai malware-infected IoT devices had caused a giant disturbance through a massive Distributed Denial of Service attack on Friday (that is the Friday on which the attack took place).

Moreover, it was also revealed after some vigorous initial analysis of the internet traffic (that was mostly junk) that caused the DDoS attack that Dyn (the company that had to bear the brunt of the DDoS attack) had identified that an estimated 100,000 internet-connect devices were the source of these malicious DDoS internet traffic.

The Internet Performance company also uncovered that all traffic that originated from these IoT devices was actually contaminated by the Mirai malware.

The new stance taken by Dyn was slightly different from the one that the company took earlier when the DDoS attack was unearthed. Earlier, the company had said that about tens of millions of machines who IP addresses had been identified were actually responsible for the massive DDoS attack that was launched against the company’s vital systems.

As indicated before, the actual number of machines that provoked the attack were much less.

So the obvious question that arises from all of this is this, can anyone explain that if the malicious software wasn’t able to enslave millions of internet-connected devices then how did the DDoS attack get to such a massive level?

Well, let’s see if we can come up with an explanation.

DDoS attacks make use of IoT devices to create a botnet to carry out the attack.

So How Did The Massive DDoS Attack Get So “Massive”?

When the same question was put forward to Hilton he stated that the DNS (Domain Name System) protocol by itself had the capability to augment the service requests that were made from authentic sources.

To further explain the point he gave an example and said that the impact of the DDoS attack generated a storm of legitimate retry activity as recursive servers attempted to refresh their caches which created ten to twenty times normal traffic volume across a large number of IP addresses.

He continued and spoke about how when the Domain Name System traffic occurred, even the legitimate retries could further contribute to the final traffic volume and hence participate in eventually bringing down a specific service.

Hilton also said that it appeared that the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than the company (Dyn) knew it to be.

Readers might already know that the DDoS cyber attack that took place on Friday (October 21st, 2016) was able to bring down a host of online services such as Twitter, Facebook, and Youtube by overwhelming Dyn’s pivotal role in routing and controlling Internet traffic. Not only that but the DDoS attack also rendered hundreds of other sites and online services including the likes of,

  • Twitter
  • Amazon
  • PayPal
  • GitHub
  • Netflix
  • AirBnb
  • Etsy
  • Reddit
  • Pinterest

useless and unreachable to hundreds of thousands of online users in most parts of the world for a considerable amount of time.

As of now, Dyn has still not disclosed the actual extent of the attack but some industry insiders have been speculating that the Friday DDoS attack that upset key internet infrastructure for millions of users around the world could have been much larger than the one that took place a while back and hit the French internet service and hosting provider OVH.

That attack which hit OVH was reported to have peaked at around 1.1 Tbps (Terabits per second. In other words, a lot) and is still regarded as one of the largest DDoS attacks that has been experienced by any company anywhere on the internet since its creation.

Regarding this attack, Hilton believes that this particular DDoS attack has brought up several important points of discussion and debate regarding Internet security and unpredictability.

Talking to reporters, Hilton was of the opinion that not only had the latest DDoS attack highlighted vulnerabilities in the security system of Internet of Things (IoT) devices that needed to be addressed as soon as possible, but it had also sparked further dialogue in the internet infrastructure community about the future of the internet and its survival as a stable place for work and entertainment.

We’ve Talked About The Future Of The Internet In The Midst Of All These Hackers But What About The Future Of The DDoS Attack?

To put it another way, can the DDoS attack also evolve (just like the internet with regards to its security and stability) to reach more milestones of destruction (like being able to reach, not one, but tens of Terabits per second sent requests)?

Of course, there is a distinct possibility that future DDoS attacks could be much more disruptive and potentially much more dangerous. Some media outlets have already reported that if companies involved with providing the critical infrastructure of the internet do not take their security seriously or if manufacturers of IoT devices continue to neglect their part in ensuring that their devices are cyber attack proof to a larger degree, then the future DDoS attacks could be much much bigger than the one that knocked out the internet access of over a million users on the internet.

As indicated earlier, the largest known DDoS attack sent requests at the rate of 1.1 Terabits-per-second and while that is a huge number in itself, future DDoS attacks could reach tens of terabits-per-second which could damage an even wider range of services and sites on the internet.

Internet network security firms have their work cut out before the next DDoS attack takes place.

At least that is what an online network security firm by the name of Corero thinks. As mentioned before, the DDoS attacks and the cyber criminals responsible for planning and carrying out such DDoS attacks will only get better and more lethal and could hit tens of terabits-per-second in their request size.

Various security firms have reported that they have discovered another new zero-day DDoS attack vector that is installed with the capability to strengthen DDoS attacks by unheard of proportions. Right now the figure being put forward is in the range of 55x.

What that means is that, new DDoS attacks could be larger than the one that affected half of America by a factor of 55. Needless to say, Corero put out the warning rather quickly in the form of a blog post on its official website the following Tuesday.

According to the blog post published by the network security firm, it was stated that the newly discovered attack vector used advanced technologies such as the LDAP, short for Lightweight Directory Access Protocol, which could be combined with other known destructive techniques such as building up an IoT botnet, to surpass the potential hazard record of any previous DDoS attack.

Dave Larson, who works for Corero, explained the phenomenon on the company’s official website by saying that the LDAP (Lightweight Directory Access Protocol) was not the first, and would not be the last protocol or service to be exploited in a fashion similar to what DDoS did with Dyn.

He further added that novel amplification attacks like the one that occurred at Dyn happened because there were so many open services on the internet that would respond to spoofed record queries.

However, he continued, a lot of those attacks could be eased by proper service provider hygiene, by correctly identifying spoofed IP addresses before those requests were admitted to the network.

You can always go to Corero’s official website in order to read more about DDoS attacks and how are the expected to evolve in the near future.

As far as the end-user is concerned, there are a lot of security measures that can be put in place in order to avoid getting one’s IoT device hacked by cyber criminals.

The most important one and probably the simplest as well, is to change the default password for all of your IoT (Internet of Things) devices. This step alone can protect you and your devices from providing a way to cyber criminals to hack into your device and then use it to perform large-scale DDoS attacks.

Similarly, you can also disable the Universal Plug-and-Play option for many of your IoT devices. While Universal Plug-and-Play option comes in handy on numerous occasions, it doesn’t create a considerable hole in your router’s overall security. In effect, it enables cybercriminals to inject malware in your devices which can then be used to compromise any and every part of your local network.

To read more about the wireless router and wifi network security, be sure that you read up on our in-depth guide here.

And don’t forget to subscribe to securitygladiators.com if you found this story helpful. Also, use the comments section below to let us know your thoughts on DDoS attacks and other cybersecurity related problems that are plaguing the IT industry today.



Zohair Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.
Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.