‘DDoS attack by Mirai botnet on Dyn was actually targeting game servers’
Research from various universities and companies, including Akamai, Cloudflare and Google, shows that last year’s DDoS attack on provider Dyn was related to an attack on Xbox Live and the PlayStation Network, among others.
This conclusion appears in the accompanying research, which was recently presented at the Usenix conference. The paper focuses on the Mirai botnet and tracks it over a period of seven months. The botnet was used for attacks on known targets, such as the blog of investigative journalist Brian Krebs and DNS provider Dyn. About the latter attack, the researchers write that it took place between attacks on other targets, such as Xbox Live, PSN and perhaps Valve’s servers.
The authors write, “This pattern of behavior suggests that the October 21, 2016 attack on Dyn was not directed solely at Dyn. The attacker most likely targeted game infrastructure, occasionally affecting Dyn’s services.” They note that the attack was carried out by cluster 6. After the release of Mirai’s source code at the end of September 2016, several variants of the botnet emerged, according to the researchers.
Using active and passive DNS data, they linked these variants to different clusters, each of which had its own infrastructure and was probably controlled by a different party. For example, cluster 1 was involved in the major DDoS attacks on Krebs and hosting provider OVH. Then two other clusters, including number 6, got bigger around mid-October. Number 6 turned out to be the largest cluster.
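To make the clustering step concrete, here is an added example (not code from the paper or from this article) that groups command-and-control infrastructure from passive DNS observations. It assumes a simple linkage rule, that domains resolving to a shared IP address belong to the same cluster; the article does not describe the researchers' exact criteria, and all records are constructed sample data.

```python
from collections import defaultdict

# Constructed passive-DNS observations (domain, resolved IP). These are
# documentation-range addresses and example domains, not real indicators.
PDNS = [
    ("c2-a.example", "192.0.2.10"),
    ("c2-b.example", "192.0.2.10"),
    ("c2-b.example", "192.0.2.11"),
    ("c2-c.example", "192.0.2.11"),
    ("c2-x.example", "198.51.100.5"),
    ("c2-y.example", "198.51.100.5"),
    ("c2-z.example", "203.0.113.77"),
]

def cluster_infrastructure(records):
    """Return clusters as connected components of the domain<->IP graph.

    Assumed linkage rule: a domain and every IP it resolved to are linked.
    """
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps trees shallow
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for domain, ip in records:
        # Normalise case and trailing dot so one name is one node.
        union(("domain", domain.lower().rstrip(".")), ("ip", ip))

    groups = defaultdict(lambda: {"domains": set(), "ips": set()})
    for kind, value in list(parent):
        key = "domains" if kind == "domain" else "ips"
        groups[find((kind, value))][key].add(value)
    # Largest cluster first, then by domain names for stable output.
    return sorted(groups.values(),
                  key=lambda g: (-len(g["domains"]), sorted(g["domains"])))

if __name__ == "__main__":
    for i, g in enumerate(cluster_infrastructure(PDNS), 1):
        print(f"cluster {i}: {sorted(g['domains'])} via {sorted(g['ips'])}")
```

On real data, IPs belonging to shared hosting or CDNs would merge unrelated clusters under this rule, so such addresses need to be filtered out before linking.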
The research also examines other aspects of the Mirai botnet, including the first infection of IoT devices, such as digital video recorders and IP cameras. It turned out that on August 1, 2016, a first ‘bootstrapping’ scan took place from the bulletproof hoster DataWagon. This lasted about two hours. Forty minutes later, the Mirai botnet emerged.
Within the first minute, 834 devices became infected and started scanning for other targets. Within ten minutes, the number of infected devices had risen to 11,000 and after 20 hours, it had risen to 64,500. According to the researchers, this is still slow compared to other worms, such as Code Red and Blaster. The botnet peaked at the end of November with 600,000 infections. By the end of February of this year, the last month of the observations, it had already shrunk to 100,000 devices. Most affected systems were in Brazil, Colombia and Vietnam, followed by China.
Mirai-affected devices and associated passwords