How many Internet of S**t devices knocked out Dyn? Fewer than you may expect

With more time to analyse its logs, DNS provider Dyn reckons about 100,000 Mirai-infected home web-connected gadgets knocked it out last Friday.

In its latest analysis, product executive veep Scott Hilton writes: “We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”

Dyn earlier said gizmos hiding behind “tens of millions” of IP addresses were responsible, although stressed the actual number of hijacked webcams, routers and other gear that overwhelmed its servers would be much less. Now we know it's about 100 large, leaving us wondering: “How did the attack succeed?”

One reason, Hilton says, is that DNS itself can tend to amplify requests from legitimate sources: “For example, the impact of the attack generated a storm of legitimate retry activity as recursive servers attempted to refresh their caches, creating 10-20X normal traffic volume across a large number of IP addresses. When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume.”

That “relay storm” provided “a false indicator of a significantly larger set of endpoints than we now know it to be”, Hilton explained.

The same effect led to early third-party reports of the scale of the attack traffic: “There have been some reports of a magnitude in the 1.2Tbps range; at this time we are unable to verify that claim.”

Hilton adds the company is working with other Internet infrastructure providers to put response plans in place against future attacks. ®