The massive Mirai DDoS attack that knocked a slew of major websites offline last Friday (21 October) was most likely the work of amateur hackers, not a nation-state or cybercriminal organisation, security firm Flashpoint said. The unprecedented series of DDoS attacks targeted DNS provider Dyn by compromising hundreds of thousands of web-connected devices using a malware called Mirai to create a massive botnet. The attack took down a number of websites including PayPal, Twitter, Reddit, Amazon and Netflix.
Various entities have claimed responsibility for the attack, including a hacking group called the New World Hackers. WikiLeaks also tweeted that some of its supporters may have been responsible for the outage. Well-known grey hat hacker "the Jester" claimed that Russia was behind the attack.
The security firm, however, dubbed their claims "dubious" and "likely to be false".
During its investigation of the cyberattacks, Flashpoint researchers found that the infrastructure used in the attack also targeted a well-known gaming company.
"While there does not appear to have been any disruption of service, the targeting of a video game company is less indicative of hacktivists, state-actors, or social justice communities, and aligns more with the hackers that frequent online hacking forums," the researchers wrote. "These hackers exist in their own tier, sometimes called 'script kiddies,' and are separate and distinct from hacktivists, organized crime, state-actors, and terrorist groups.
"They can be motivated by financial gain, but just as often will execute attacks such as these to show off, or to cause disruption and chaos for sport."
The firm assesses that the recent Mirai attacks were likely connected to the users and readers of the English-language hacking forum "hackforums[.]net," where "personalities" are known for creating, using and offering commercial DDoS tools called "booters" and "stressers" for paid DDoS-for-hire jobs.
One known personality that has previously been associated with Mirai malware and botnets is known to frequent these forums, the researchers said. Going by the handle "Anna-Senpai", the hacker released the source code for the Mirai malware earlier in October and is believed to have operated the original Mirai botnet targeting security researcher Brian Krebs in September as well as hosting provider OVH.
Given the broad scope of the targets, the researchers also argue that there does not seem to be a financial or political motive behind the attack.
"Dyn DNS is a central target whose outage would affect a wide variety of websites and online services, and does not disproportionately affect any one political entity," the researchers said. "Such a broad scope of targeting does not lend itself to a politically motivated attack."
The security firm says the development of IoT botnets in recent years has enabled hackers to launch DDoS attacks on a scale that was previously deemed impossible, resulting in the creation and use of enormous Mirai botnets with deadly potential for disruption.
Dyn confirmed on Wednesday that a Mirai botnet was the primary source of the malicious traffic in the attack that took down its network.
"During a DDoS which uses the DNS protocol it can be difficult to distinguish legitimate traffic from attack traffic," Scott Hilton, executive vice president of products at Dyn, wrote in a blog post. "When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume. We saw both attack and legitimate traffic coming from millions of IPs across all geographies."
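The point Hilton makes above, that legitimate resolvers retrying unanswered queries add to the traffic volume and blur the line between attack and legitimate traffic, can be made concrete with a small triage script. The following is an added example, not code from Dyn, Flashpoint or the original article. It parses constructed DNS query log lines of the form `<unix time> <client ip> <qname>`, labels each source as retry-like (the same name repeated at resolver-timeout intervals), flood-like (many distinct names at sub-second intervals) or normal, and gives the closed-form multiplier by which retries inflate legitimate volume. The log lines, the documentation-range addresses, the thresholds and the function names are all assumptions made for illustration.

```python
"""Retry-storm vs. flood triage over DNS query logs (added example, not from the article)."""
from collections import defaultdict
from statistics import median

# Constructed sample log, not real Dyn data: "<unix time> <client ip> <qname>".
# 198.51.100.x stand in for legitimate resolvers that time out and retry the same
# name every ~5 s; 203.0.113.5 stands in for a source sending many distinct names.
SAMPLE_LOG = """\
1477065600.0 198.51.100.10 www.example.com
1477065605.0 198.51.100.10 www.example.com
1477065610.0 198.51.100.10 www.example.com
1477065600.2 198.51.100.11 api.example.com
1477065605.2 198.51.100.11 api.example.com
1477065601.0 198.51.100.12 cdn.example.com
1477065600.00 203.0.113.5 k3j2.example.com
1477065600.05 203.0.113.5 p0o9.example.com
1477065600.10 203.0.113.5 x7w6.example.com
1477065600.15 203.0.113.5 q2a1.example.com
1477065600.20 203.0.113.5 m5n4.example.com
1477065600.25 203.0.113.5 b8v7.example.com
"""


def parse_log(text):
    """Return a list of (timestamp, source ip, lowercased qname) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, qname = line.split()
        records.append((float(ts), src, qname.lower()))
    return records


def summarize_sources(records):
    """Per source: query count, distinct names queried, median gap between queries."""
    by_src = defaultdict(list)
    for ts, src, qname in records:
        by_src[src].append((ts, qname))
    summary = {}
    for src, items in by_src.items():
        items.sort()
        times = [t for t, _ in items]
        names = [q for _, q in items]
        gaps = [b - a for a, b in zip(times, times[1:])]
        summary[src] = {
            "queries": len(items),
            "distinct_names": len(set(names)),
            "median_gap": median(gaps) if gaps else None,
        }
    return summary


def classify_source(stats, retry_gap=1.0, flood_gap=0.5, flood_min=5):
    """Label one source; the thresholds are illustrative assumptions.

    retry-like: mostly the same name, spaced at least retry_gap seconds apart
                (stub resolvers wait a second or more before retrying).
    flood-like: at least flood_min queries, mostly distinct names, sub-flood_gap spacing.
    """
    q, d, gap = stats["queries"], stats["distinct_names"], stats["median_gap"]
    if q == 1 or gap is None:
        return "normal"
    if q >= flood_min and d / q > 0.8 and gap < flood_gap:
        return "flood-like"
    if d / q <= 0.5 and gap >= retry_gap:
        return "retry-like"
    return "normal"


def classify_log(text):
    """Map each source in the log to its label."""
    return {src: classify_source(st) for src, st in summarize_sources(parse_log(text)).items()}


def volume_breakdown(text):
    """Query counts per label, i.e. how much of the volume each class contributed."""
    records = parse_log(text)
    labels = classify_log(text)
    counts = defaultdict(int)
    for _, src, _ in records:
        counts[labels[src]] += 1
    return dict(counts)


def retry_multiplier(drop_prob, attempts):
    """Expected queries per legitimate client when each unanswered attempt is retried,
    up to `attempts` attempts in total: 1 + p + p^2 + ... + p^(attempts-1)."""
    return sum(drop_prob ** i for i in range(attempts))


if __name__ == "__main__":
    for src, label in classify_log(SAMPLE_LOG).items():
        print(f"{src:15} {label}")
    print("volume by class:", volume_breakdown(SAMPLE_LOG))
    # Half the answers dropped, three attempts: legitimate volume grows by 1.75x.
    print("retry multiplier at 50% loss, 3 attempts:", retry_multiplier(0.5, 3))
```

The breakdown shows why volume alone is a poor discriminator: in the constructed sample the retrying resolvers account for almost as many queries as the flood source, and `retry_multiplier` shows the legitimate share growing as the service degrades, which is the congestion feedback loop Hilton describes. In practice the thresholds would be tuned against the resolver population actually seen, and the labels used to prioritise investigation rather than to drop traffic outright.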
The company added that it will continue to "conduct analysis, given the complexity and severity of the attack". The Department of Homeland Security and the FBI said they were investigating the cyberattack, but did not provide any details about possible suspects.
"This attack has opened up an important conversation about internet security and volatility," Hilton said. "Not only has it highlighted vulnerabilities in the security of 'Internet of Things' (IoT) devices that need to be addressed, but it has also sparked further dialogue in the internet infrastructure community about the future of the internet."