October 27, 2016
Scott Hilton, EVP of Product for Dyn, issued a statement today disclosing that a botnet of around 100,000 bots, all IoT devices infected with the Mirai malware, had been the predominant force behind the DDoS attacks on his company.
The company had already issued a statement on the incident on Saturday, October 22, but at that point only confirmed that a botnet of Mirai malware-infected devices had participated in the attacks.
Yesterday, in a second statement, Dyn revealed that after an initial analysis of the DDoS traffic, the company had identified around 100,000 sources of malicious junk traffic, all originating from devices compromised and controlled via the Mirai malware.
Hilton also went into the attack’s technical details, saying the attackers launched a DDoS attack using DNS TCP and UDP packets, which, despite being unsophisticated, managed to initially overwhelm Dyn’s protection and cause havoc in its internal systems.
Because the attack targeted its managed DNS service, the company had a hard time distinguishing legitimate DNS queries from the junk DNS data that came in via the DNS flood.
This explanation clears the air around the “tens of millions of IP addresses” remark that Dyn made on Saturday and that many security researchers disputed.