Exclusive: Mirai Attack Was Costly For Dyn, Data Suggests

New Hampshire based Dyn suffered a big hit following the Mirai botnet attacks, with around 8% of domains that relied on its managed DNS service dropping the service.

In-brief: More than 14,000 Internet domains stopped using managed DNS services from Dyn, the New Hampshire based company, following an October botnet attack on the company, data from Bitsight suggests.

The Mirai botnet attacks that took managed Domain Name System services from New Hampshire based Dyn offline in October caused short-lived pain for Internet users trying to reach popular web sites like PayPal, Twitter, Reddit, Amazon, Netflix, and Spotify.


Get the New 2017 SANS Research Report on 'Threat Hunting' -- Written by experts from the SANS Institute, the survey reveals a number of interesting data points about the challenges and benefits of threat hunting.


The attacks may have had more lasting implications for Dyn – and other Internet companies like it- as new data suggests that around 8% of the web domains relying on Dyn’s managed DNS service dropped the service in the immediate aftermath of the attack.

Approximately 14,500 web domains that used Dyn’s managed Domain Name System services prior to the Mirai attack stopped using them immediately following the attack, according to data compiled by the firm BitSight – a big blow to the company that was on the receiving end of the global Internet of Things botnet attack.

“The data show that Dyn lost a pretty big chunk of their customer base because they were affected by (Mirai),” said Dan Dahlberg, a Research Scientist at BitSight Technologies in Cambridge, Massachusetts. Dahlberg was speaking at an event in Cambridge on January 24.

[Use this form to obtain a link to Dahlberg’s presentation on Dyn.] 

Dyn, which is based in Manchester New Hampshire, provides a managed Domain Name System (DNS) service to a wide range of firms. DNS is a foundational Internet technology that translates human readable domains (like “securityledger.com”) into numeric IP addresses that computers use to send data back and forth.

Mira botnet infections globally. (Image courtesy of Imperva.)

Dyn was recently acquired by Oracle Corporation.

Dyn was one of a handful of organizations that were the victim of a series of distributed denial-of-service (DDoS) attacks starting on October 21st. The attacks were launched by a global population of Internet of Things devices like IP enabled cameras and digital video recorders (DVRs) that had been infected with malicious software known as “Mirai.”

To determine the impact of the Mirai attack on the firm, BitSight, which provides security rating services for companies, analyzed a set of 178,000 domains that were hosted on Dyn’s managed DNS infrastructure before ad immediately after the October 21st attacks. Around 145,000 of those exclusively used Dyn as their managed DNS provider. While around 33,000 used Dyn as one of their authoritative DNS providers.

Following the attack, 139,000 of the 145,000 domains continued to use Dyn exclusively, a loss of 6,000 domains or around 4% of the total. Among those domains that used Dyn along with other managed DNS providers, 25,000 continued to use Dyn after the attack, a loss of 8,000 domains or 24%. The absolute numbers are a sample based on observed domains using Dyn prior to the attack occurring, BitSight said.

Contacted by Security Ledger, Dyn declined to comment on the BitSight figures.

Dahlberg said that the impact of the attacks was felt mostly in industries like entertainment and media, followed by technology. Though companies across the economy relied on Dyn’s managed DNS services, including firms in the aerospace sector, tourism and hospitality and more.

The impact of the botnet attack would have hit companies that exclusively used Dyn’s services the most severely, preventing Internet users who were trying to reach those web sites, hosted web applications and other services from doing so. But the public facing outages may have only been a small part of the total impact, Dahlberg said. Companies using DYN for API (application program interface) or software updates would have been affected in many ways – not just web site availability, he said.

It is unclear whether some of the 14,500 domains that dropped Dyn’s services in the immediate aftermath of the botnet attack may have returned to Dyn.

Dahlberg cautioned, also, that the numbers of domains hosted on Dyn’s infrastructure may be more than the number of customers, as many own more than one domain that used Dyn’s services.
Further, Dyn (no Oracle) offered a number of DNS-related products, including a recursive DNS service. The DDoS attack only affected customers who were using their Managed DNS product, Dahlberg said.

The observations by Bitsight are interesting because it is typically difficult to judge the bottom line impact of incidents like denial of service attacks on businesses. Denial of service attacks are common and can be used for everything from extortion to retribution – as was the case in the attacks on security reporter Brian Krebs’ website krebsonsecurity.com.

And successful attacks like those on Dyn sow fear within the business community said Bruce Gregory*, the CEO of Corsa Technologies, a Ottawa based company that is launching a new hardware appliance to help companies fend off denial of service attacks.

“What we don’t know is how much (cybercriminals) need to use the attack to extract what they want from the people they’re attacking,” he said. “We’re not seeing who is getting threatened with an attack like ‘we’ll take you down if you don’t pay us two Bitcoin’ and who understand that the attack is credible.”

(*) An earlier version of this story misspelled Mr. Gregory’s name. It has been corrected. PFR 2/8/2017