DYN Mirai

Ironically, October which is National Cybersecurity Safety Month had one of the largest internet attacks to date. The Mirai botnet, brought much of the internet to a halt, and attacked some of the largest globally recognized companies.  Nearly two years ago in Connected,, I spoke of the Internet of Things IoT, and how we are becoming more vulnerable as we add IP enabled devices to our life.

While the cybersecurity attack against DYN took place in October, I feel that the enormity of the event warrants a deeper understanding as to what actually happened.

DYN, located in New Hampshire, offers a cloud base Domain Name Service, DNS. Instead of having to buy servers to manage your website, there are now companies that will manage and maintain the presence of your business.  For example, in order to have a Dot Com name, ThatIsAllForNow, would require that I have DNS running on a server with a static IP.  If you are a company, that has billions of transactions; the DNS infrastructure can be very large and very complicated to manage.  DYN offers to manage the DNS for your establishment as a service, thus a company will pay a monthly fee.

So why choose to attack DYN? DYN has an impressive list of clients, and instead of just being able to attack one entity, the hacker is able to attack many enterprises.  DYN’s client list includes, Twitter, Netflix, National Geographic, Salesforce, LinkedIn, CNBC, redhat, Etsy, and Zillow, just to name a few.  Additionally, the DYN website has use cases tied to many of the companies, explaining how DYN has helped in their IT environment.  By going after DYN, the hacker actually went after all the companies which are connected to DYN.  Targeting the Domain Name Service DNS, is the perfect cyberattack, as I wrote last month, DNS is the primary building block of the Internet foundation.

What did the attack do? The attack against DYN was a Distributed Denial of Service DDoS attack.  The DDoS attack was an attack against the entire managed DNS infrastructure and that means that all clients that DYN manages, were essentially attacked.

A DDoS attack can be explained simply by thinking of airport security. Before you can go through the body scanner, at the airport, you first have to show your ticket to stand in line and wait for your credentials to be inspected by the TSA agent.  The line can become quite a wait as TSA agents inspect each and every credential.  DDoS attacks work similarly.  A data packet arrives and is inspected and a response sent.  But an attacker can flood or send many requests at once to the DNS, which in turn can become overwhelmed in trying to process all the request, and thus taking down the business or in the case of DYN, a substantial portion of the Internet.

Additional points about the DYN attack in October:

First, the malware used against DYN is called Mirai, in Japanese, it means future. Mirai malware, gained access to digital devices that were running Linux, which had not changed the default administrative username and password to the device.  The malware loaded on the device, was a control & command or c&c, which is what we call it in the security space, and I would add, one of the top security concerns in business today.

Second, the digital devices that were infected with the Mirai malware became part of a botnet. The Mirai botnet was made up of one hundred thousand infected devices, which included everything from digital cameras, dvr’s, smart TV’s, and even baby monitors.  The hacker had an army of over one hundred thousand devices within hours.

Third, within the Mirai code, there was a subnet mask, basically addresses, which blocked any infection of the United States Postal Service, USPS, the Department of Defense, the Internet Assigned Numbers Authority IANA, and General Electric, which includes Industrial Control Systems. Personally, this illustrates the granularity of the code, and the possibility of the unknown. What could have been attacked on October 20th, which could interrupt the election in the United States?  It should cause us all to have some concern in this area.

Fourth, it should also be noted, that part of the code includes some Russian strings. Cybersecurity specialists do not know as of yet, who has created this code, but I do find this interesting.

What I wonder is what were they trying to accomplish? Was this a test run?  Why did they exclude certain addresses?  We have an unprecedented election this year.  What would happen if there was an interruption in the vote tally, or in the voting machines, for example?  Could our democracy become undermined?  I do not believe this event was a one off.  I believe they are testing, but testing for what?

It would be a good idea for everyone to go change the administrative default password, for all of you digital devices. While we head into November, it is helpful to remember that while we continue to add nontraditional digital items to our home network, we must remain aware of the vulnerabilities that we will inherently add to the safety of staying safely Connected.

Leave a Reply

Your email address will not be published. Required fields are marked *