Researchers at Flashpoint pointed a finger of blame at “script kiddies” for the huge IoT-based DDoS attack that made parts of the internet inaccessible last Friday. In fact, the primary target may have been “a well-known video game company” that happened to use Dyn for DNS services.
The researchers wrote:
Flashpoint assesses with moderate confidence that the most recent Mirai attacks are likely connected to the English-language hacking forum community, specifically users and readers of the forum “hackforums[.]net.”
The infrastructure used in the attack also targeted a well-known video game company. While there does not appear to have been any disruption of service, the targeting of a video game company is less indicative of hacktivists, state-actors, or social justice communities, and aligns more with the hackers that frequent online hacking forums. These hackers exist in their own tier, sometimes called “script kiddies,” and are separate and distinct from hacktivists, organized crime, state-actors, and terrorist groups. They can be motivated by financial gain, but just as often will execute attacks such as these to show off, or to cause disruption and chaos for sport.
Although Flashpoint never named the specific video game company, it seems the PlayStation Network may have been the real target.
As Network World's Tim Greene pointed out, there is a post on hackforums[.]net which reads: “this is funny, only because they didnt actually attk DYN fun fact DYN was never intentionally attkd until later that day PSN was the target (bf1 release) they used DYN's ns: ns00.playstation.net, ns01.playstation.net, ns02.playstation.net etc.”
Flashpoint does not believe there was any political motivation behind the attacks. Allison Nixon, director of research at Flashpoint, shot down theories that The Jester, WikiLeaks or New World Hackers were responsible for the attacks, calling their claims of responsibility “dubious.”
Nixon added, “All the arrows point away from any sort of political motivation,” which hurts “the nation-state argument. Of course, you never know until someone’s got handcuffs on them.”
At the Council on Foreign Relations on Tuesday, National Intelligence Director James Clapper said he also believes a “non-state actor” was behind the attack. Not that everything Clapper says can be considered entirely truthful.
So far, Dyn has refused to speculate regarding motivation or the identity of the attackers. However, Dyn has said its analysis indicated the Mirai botnet was the primary source of “maliciously targeted, masked TCP and UDP traffic over port 53.”
Senator wants ISPs to ban insecure IoT devices from their networks
Senator Mark Warner, a co-chair of the Senate Cybersecurity Caucus, has grown increasingly concerned about the flood of insecure IoT devices; the massive DDoS attack on Dyn DNS, which took down large chunks of the internet on October 21, seems to have been the last straw.
On Tuesday, Warner sent a letter to the FCC, FTC and DHS, pointing out that “manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the product with security in mind, or to provide ongoing support.” And the effectiveness of Mirai depends, “in large part, on the unacceptably low level of security inherent in a vast array of network devices.”
He added, “Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none.”
Although “ISPs cannot prohibit the attachment of ‘non-harmful devices’ to their network,” after the release of Mirai source code and the crippling attack on Dyn DNS, Warner believes it is “entirely reasonable” for “devices with certain insecure attributes” to be “deemed harmful to the ‘network’.” In addition to wanting to know if ISPs can block “insecure” IoT devices from connecting to their networks, Warner asked for answers to another eight questions.
Dyn amends number of Mirai-controlled IoT devices used in DDoS attacks
We saw both attack and legitimate traffic coming from millions of IPs across all geographies. It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.