First, there was nothing -- nothing -- surprising about this attack. As Paul Mockapetris, creator of the Domain Name System (DNS), said, "The successful DDoS attack on DYN is merely a new twist on age-old warfare. ... Classic warfare can be anticipated and defended against. But warfare on the internet, just like in history, has changed. So let's take a look at the asymmetrical battle in terms of the good guys (DYN) and the bad guys (Mirai botnets), and realize and plan for more of these sorts of attacks."
IoT vendors must improve their security. Or, as Lyndon Nerenberg, an internet engineer, put it on the mailing list of the North American Network Operators Group (NANOG), the professional association for internet engineering, architecture, and operations: "The way this will get solved is for a couple of large ISPs and DDoS targets to sue a few of these IoT device manufacturers into oblivion."
IoT vendors know this. Hangzhou Xiongmai Technology, the Chinese technology company that admitted its webcam and digital video recorder (DVR) products were used in the assault and recalled its webcams, is also threatening legal action against those that try to attach blame for the attack to its gear.
Of course, the ISPs and DNS providers deserve much of the blame as well. Their failure to implement Network Ingress Filtering (Best Current Practice 38, BCP 38), which drops packets leaving a network with forged source addresses, and response rate limiting (RRL), which keeps authoritative DNS servers from being turned into traffic amplifiers, played a large role in making attacks like these possible.
The attacks themselves were in large part, as expected, driven by a Mirai botnet. Kyle York, Dyn's chief strategy officer, reported, "The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack."
Let that sink in for a minute. Tens of millions of IP addresses. DDoS attacks of this size were unheard of even six months ago.
The attack itself came in three waves. York stated, "At 7:00 am ET, Dyn began experiencing a DDoS attack. While it's not uncommon for Dyn's Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different. Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers. After restoring service, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to our East Coast POPs [Points of Presence]), but was mitigated in just over an hour; service was restored at approximately 1:00 pm ET. Again, at no time was there a network-wide outage, though some customers would have seen extended latency delays during that time."
This understates the problem. Globally, users reported problems for hours afterwards, and many Dyn-supported sites were unavailable until late afternoon.
Finally, "there was a third attack attempted; we were able to successfully mitigate it without customer impact."
That ended the largest DDoS attack of all time... so far. More will be coming.
As York concluded, "It is said that eternal vigilance is the price of liberty. As a company and individuals, we're committed to a free and open internet, which has been the source of so much innovation. We must continue to work together to make the internet a more resilient place to work, play and communicate."
If we don't, the internet will fail.