Dyn Might Have Been Collateral Damage in Mirai Attack on Gaming Infrastructure

The Mirai botnet launched a record 620 Gpbs attack against Dyn last October, but according to new research the DNS provider may not have been the intended target.

A team of researchers from Google, Cloudflare, Merit Networks, Akamai, and several universities released a report at the Usenix conference last week which analyzed the Mirai botnet and found that the attacker was likely targeting gaming infrastructure, including the PlayStation network, but incidentally disrupted service to Dyn’s broader customer base.

“Although the first several attacks in this period solely targeted Dyn’s DNS infrastructure, later attack commands simultaneously targeted Dyn and PlayStation infrastructure, potentially providing clues towards attacker motivation,” the researchers said. “Interestingly, the targeted Dyn and PlayStation IPs are all linked to PlayStation name servers— the domain names ns<00–03>.playstation.net resolve to IPs with reverse DNS records pointing to ns<1-4>.p05.dynect.net, and the domain names ns<05–06>.playstation.net resolve to the targeted PlayStation infrastructure IPs.”

“The attacks on Dyn were interspersed amongst other attacks targeting Xbox Live, Microsoft DNS infrastructure, PlayStation, Nuclear Fallout game hosting servers, and other cloud servers. These non-Dyn attacks are either ACK/GRE IP floods, or VSE, which suggests that the targets were Valve Steam servers. At 22:17 UTC, the botnet issued a final 10 hour-long attack on a set of Dyn and PlayStation infrastructure. This pattern of behavior suggests that the Dyn attack on October 21, 2016 was not solely aimed at Dyn. The attacker was likely targeting gaming infrastructure that incidentally disrupted service to Dyn’s broader customer base.”

According to the report, game targets were prevalent among the top victims. The most frequently targeted victims were Liberia’s Lonestar Cell, and Sky Network, a Brazilian company that operates servers for Minecraft, as well as 1.1.1.1, which the researchers say was likely used for testing. Other victims included former game commerce site longqikeiji.com and online game Runescape.

“The prevalence of game-related targets along with the broad range of other otherwise unrelated victims share many characteristics with previously studied DDoS booter services,” the report said.