More details are coming out about last week's massive DNS DDoS attack. And although the incident is still under investigation, domain name server provider Dyn posted a more detailed analysis of the distributed denial-of-service attack.

Initial results indicated the attacks originated from at least one Mirai internet of things (IoT) botnet, and Dyn estimated as many as 100,000 endpoints were involved -- far less than the original report of "tens of millions of IP addresses" -- but enough to generate unverified reports that the volume of the attack traffic reached as high as 1.2 Tbps.

"Early observations of the TCP attack volume from a few of our data centers indicate packet flow bursts 40 to 50 times higher than normal. This magnitude does not take into account a significant portion of traffic that never reached Dyn due to our own mitigation efforts, as well as the mitigation of upstream providers," wrote Scott Hilton, executive vice president of products at Dyn, based in Manchester, N.H., in an updated analysis of the DNS DDoS. "There have been some reports of a magnitude in the 1.2 Tbps range; at this time, we are unable to verify that claim."

Hilton explained the early estimates of tens of millions of IP addresses were due to "the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analyzing the data, but the estimate at the time of this report is up to 100,000 malicious endpoints."

"We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets," Hilton wrote. "Dyn is collaborating in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attackers."

Dyn's defense against the DNS DDoS began with its automated-response techniques, but after the magnitude of the attack became clear, Hilton wrote that additional mitigation tactics were used. "These techniques included traffic-shaping incoming traffic, rebalancing of that traffic by manipulation of anycast policies, application of internal filtering and deployment of scrubbing services."

Insight into Mirai IoT botnet

Meanwhile, Arbor Networks Inc. researchers provided further insight into the Mirai IoT botnet, finding the original Mirai botnet included roughly 500,000 IoT devices, with clusters around the world, including in China, Hong Kong, Taiwan, South Korea, Southeast Asia, Brazil, Spain and elsewhere. "Mirai is capable of launching multiple types of DDoS attacks, including SYN-flooding, UDP [User Datagram Protocol] flooding, Valve Source Engine query-flooding, GRE [Generic Routing Encapsulation] flooding, ACK-flooding (including a variant intended to defeat intelligent DDoS mitigation systems, or IDMSes), pseudo-random DNS label-prepending attacks (also known as DNS 'Water Torture' attacks), HTTP GET attacks, HTTP POST attacks, and HTTP HEAD attacks," read Arbor's report, authored by Roland Dobbins, principal engineer, and Steinthor Bjarnason, network security research engineer, both at Arbor's ASERT team. "While none of the DDoS attack capabilities of Mirai observed to date are new or unique, it is a flexible DDoS attack-generation system and can launch high-volume, nontrivial DDoS attacks when wielded by a capable attacker. Mirai features segmented command-and-control, which allows the botnet to launch simultaneous DDoS attacks against multiple, unrelated targets."
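One defender-side check suggested by the DNS "Water Torture" vector Arbor describes, as an added example that is not code from Dyn, Arbor or the article: it scans a constructed sample of authoritative query logs and flags zones whose leftmost labels are almost all distinct and high-entropy, the signature of pseudo-random label prepending. The log format, thresholds and two-label zone heuristic are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of authoritative-server query logs: "<client_ip> <qname>".
# Normal traffic repeats a few real hostnames; the flood queries pseudo-random
# labels prepended to the victim zone (DNS "Water Torture").
SAMPLE_LOG = """\
198.51.100.7 www.example.com
198.51.100.8 mail.example.com
198.51.100.7 www.example.com
203.0.113.5 xk3q9z2m.victim.example
203.0.113.6 p0rl7vwa.victim.example
203.0.113.7 zz81qmfe.victim.example
203.0.113.5 hq4n2x7c.victim.example
203.0.113.9 b7yt0dks.victim.example
"""

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; random labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def zone_of(qname: str) -> str:
    """Assumed heuristic: last two labels are the zone (use a suffix list in production)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def water_torture_suspects(log_text: str, min_queries: int = 5,
                           unique_ratio: float = 0.8, min_entropy: float = 2.5):
    """Return zones whose leftmost labels are nearly all distinct and high-entropy."""
    labels_by_zone = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than crash on them
        _client, qname = parts
        labels_by_zone[zone_of(qname)].append(qname.split(".")[0])
    suspects = {}
    for zone, labels in labels_by_zone.items():
        if len(labels) < min_queries:
            continue  # too few queries to judge; avoids flagging quiet zones
        ratio = len(set(labels)) / len(labels)
        avg_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if ratio >= unique_ratio and avg_entropy >= min_entropy:
            suspects[zone] = {"queries": len(labels), "unique_ratio": round(ratio, 2),
                              "avg_entropy": round(avg_entropy, 2)}
    return suspects

if __name__ == "__main__":
    print(water_torture_suspects(SAMPLE_LOG))
```

A rising count of distinct labels per zone is also what drives the resolver retry storm Hilton describes, since every miss is an uncacheable answer.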