Wednesday, October 26, 2016

DynDNS DDoS Attack Details

As most of you know, last Friday there was a massive DDos attack on DynDNS.
This attack has prevented the DNS service from responding to all DNS queries for websites that use DynDNS as their DNS service. This caused many websites to become unavailable, including, but not limited to, Twitter, Reddit, Amazon, Netflix, Spotify and many more.

Here are some interesting fact about the attack:
-        The attack was conducted in 3 waves:
o   1st wave (7AM-9AM EST) managed to cause the service to become unavailable for 2 hours.
o   2nd wave (12PM-1PM) managed to cause the service to become unavailable for yet another hour.
o   3rd wave – unsuccessful.
-        At least part of the attack was done by the notorious Mirai malware.
o   This malware attempts to connect to IoT devices using known (default) credentials.
o   All in all more than 60 different credentials are tested. A partial list can be found here:
o   The same malware was used in last month DDoS against the French ISP (OVH) which reached a record high of 1 TBps of a volumetric attack.
-        10s of millions(!) of discrete IP addresses were spotted during the attack.
-        Xiongmai, a Chinese company that makes IOT devices (DVRs, cameras, routers) created millions of vulnerable devices
o   They used the same default user name (root) & password (xc3511) for all their devices
o   Even if users change the default user name and password, the devices support other protocols (Telnet & SSH) with these same credentials hardcoded to the devices’ firmware(!).
That means that there is no patch / solution for that problem for old devices.
o   Xiongmai fixed the Telnet/SSH problem in September 2015, but there are millions of vulnerable devices that are still in use world-wide.
o   The company has issued a recall for all devices, however it’s still likely to see these devices in future DDoS attacks in the near future.

Stay tuned for more updates,
Dan Gurfinkel

Head of Offensive Security & Response Unit