The Dyn DNS DDoS Attack (2016)

On October 21, 2016, large parts of the internet became unreachable for users across the eastern United States and beyond. Twitter, Reddit, Netflix, Spotify, GitHub, PayPal, and dozens of other major sites would not load, not because those sites had failed, but because the service that translated their names into addresses had been knocked offline. The target was Dyn, a managed DNS provider that many of these companies relied on to answer the domain-name lookups that every connection begins with.

The weapon was Mirai, a botnet built from compromised internet-of-things devices. The US-CERT (CISA) alert TA16-288A, “Heightened DDoS Threat Posed by Mirai and Other Botnets,” describes how the Mirai malware continuously scans the internet for IoT devices such as cameras, routers, and digital video recorders, and infects those still using factory-default or weak credentials. The advisory documents the same malware family powering record-setting attacks in the weeks before, including a roughly 620 Gbps assault on the security blog of Brian Krebs, and warns that these poorly secured devices made large new sources of attack traffic available.

Because DNS is a prerequisite for reaching almost any site, attacking a DNS provider is an efficient way to take down many targets at once. When Mirai-infected devices flooded Dyn’s infrastructure with a deluge of malicious queries, legitimate lookups for Dyn-hosted domains failed, and to users it looked as though every affected site was down simultaneously. The disruption came in successive waves through the day as the attack was mitigated and then renewed, prolonging the outage.

What made the event a turning point was the source of the firepower. Earlier large attacks had typically been built from compromised servers or PCs; Mirai showed that the explosion of cheap, internet-connected gadgets, shipped with default passwords and rarely updated, formed an enormous reservoir of attack capacity controlled by whoever could log in. Because the Mirai source code had been published shortly before the Dyn attack, many actors could build their own botnets.

The Dyn incident drove home a structural lesson about the internet’s name system: concentrating DNS on a single provider creates a chokepoint, and many large operators responded by spreading their domains across multiple independent DNS providers so that one overwhelmed service could not take everything down. It also intensified scrutiny of IoT security, since the devices doing the flooding were ordinary consumer hardware that their owners never knew had been conscripted. In its reliance on insecure devices and a published worm-like scanner, Mirai stands in a long line that traces back to early self-propagating network malware.
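The single-provider chokepoint described above can be checked from a zone's own NS records. The following is an added example, not part of the original article: it parses NS answer lines in the layout printed by `dig +noall +answer` and flags zones whose nameservers all belong to one operator. The zone names, nameserver names, and the rule that the last two labels of a nameserver identify its operator are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample input: NS answer lines in `dig +noall +answer` layout.
# All zone and nameserver names are invented for this example.
SAMPLE_NS_ANSWERS = """\
shop.example.        3600 IN NS ns1.dns-a.example.
shop.example.        3600 IN NS ns2.dns-a.example.
api.example.         3600 IN NS ns1.dns-a.example.
api.example.         3600 IN NS ns3.dns-b.example.
api.example.         3600 IN NS NS4.DNS-B.example.
; comment lines and blank lines are ignored
mail.example.        3600 IN CNAME mx.dns-a.example.
"""

def operator_of(nameserver):
    """Assumption: the last two labels of a nameserver name identify its operator.
    A production audit would use the Public Suffix List and compare networks too."""
    labels = nameserver.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def parse_ns(text):
    """Map each zone to the set of nameserver names found in its NS records."""
    zones = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # skip blanks, comments, and malformed lines
        owner, _ttl, rr_class, rr_type, target = fields[:5]
        if rr_class.upper() == "IN" and rr_type.upper() == "NS":
            zones[owner.rstrip(".").lower()].add(target.rstrip(".").lower())
    return dict(zones)

def audit(text):
    """Report, per zone, its nameservers, their operators, and a single-provider flag."""
    report = {}
    for zone, servers in parse_ns(text).items():
        operators = sorted({operator_of(ns) for ns in servers})
        report[zone] = {"nameservers": sorted(servers), "operators": operators,
                        "single_provider": len(operators) < 2}
    return report

if __name__ == "__main__":
    for zone, r in sorted(audit(SAMPLE_NS_ANSWERS).items()):
        status = "SINGLE PROVIDER" if r["single_provider"] else "diversified"
        print(f"{zone}: {status} ({', '.join(r['operators'])})")
```

Two nameserver names under different domains can still be run by the same company or sit on the same network, so a "diversified" result here is a necessary condition, not proof of independence.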

Last verified June 8, 2026