Security firm Flashpoint has provided an “after-action” analysis of the DDoS attacks perpetrated on October 21, and concludes that they were likely carried out by amateur hackers rather than “professionals.” The reasoning is that the latter group would be more likely to seek political or financial gain rather than go after servers hosting the internet addresses of RuneScape and Netflix.
The attacks began at roughly 7 a.m. ET last Friday, and focused on data centers owned by Dyn that are located generally in the northeastern portion of the United States. This company provides internet-based domain names to websites. When tons of junk data began to flood those DNS servers, web surfers were unable to access website addresses assigned to services and sites by Dyn.
The flood of junk data was distributed by millions of internet-connected devices, assisted in part by the Mirai malware. This tool trolls the internet for devices with default usernames and passwords still intact, infects these devices, and then opens a doorway for hackers to gain access and use them to send junk data to a specific target.
Websites that faced a virtual outage included PayPal, Twitter, Reddit, GitHub, Amazon, Spotify, and more. The DDoS attacks were carried out in three waves, the latter two of which were reduced in effect because Dyn had beefed up defenses in response to the initial wave. Friday’s attack followed one that recently hit the Krebs on Security site and French internet service provider OVH, which Flashpoint believes has nothing to do with Friday’s attack on Dyn.
It’s worth noting that the websites that were affected by the DDoS attacks were mostly related to entertainment and social media. Flashpoint’s investigation discovered that the underlying foundation used to attack Dyn also targeted a “well-known” video game company. Add all this up, and there’s good reason to believe that Friday’s attacks were carried out by “script kiddies,” a nickname for hackers who frequent online hacking forums.
“These hackers exist in their own tier and are separate and distinct from hacktivists, organized crime, state-actors, and terrorist groups,” the firm reports. “They can be motivated by financial gain, but just as often will execute attacks such as these to show off, or to cause disruption and chaos for sport.”
Flashpoint indicated in its report that it is confident the attacks stem from the English-language hacking forum community. Even more, the firm points to readers and users of the hackforums-dot-net site that play host to “personalities” who use commercial DDoS tools for paid DDoS-for-hire jobs. There’s even one frequent hackforums visitor who is widely known for using Mirai malware and botnets.
“A hacker operating under the handle ‘Anna-Senpai’ released the source code for Mirai in early October, and is believed to have operated the original Mirai botnet that was used in the attack against ‘Krebs on Security’ and hosting provider OVH earlier this month,” the report adds. “The hackers that frequent this forum have been previously known to launch these types of attacks, though at a much smaller scale.”
Had the attacks been powered by monetary or political motives, hackers would have targeted online gambling sites, Bitcoin exchanges, businesses, and so on. Take Anonymous for instance: the group makes political statements by blocking access to a specific entity, such as a government-affiliated website. Additionally, “pro” DDoS attacks can be used to squeeze money out of companies by holding their websites at ransom via blocked traffic. That doesn’t seem to be the case with Dyn and the affected websites.
“The technical and social indicators of this attack align more closely with attacks from the Hackforums community than the other type of actors that may be involved, such as higher-tier criminal actors, hacktivists, nation-states, and terrorist groups,” the security firm concludes.