Meanwhile, Martin McKeay, security evangelist for Akamai, says that he thought the attack might have been against a Dyn customer and that taking down Dyn was a way to mask who the actual target was.
Knocking out Dyn’s customers’ public Web servers could also have been a distraction – getting the victim to spend so much time dealing with lost Web commerce, for example, that another, more targeted attack went unnoticed, he says. “If I was a secondary victim whose DNS was affected by this? I’d take a close look at my logs,” he says, for signs of other attacks.
He also says the number of IoT devices involved in the attack is grossly overestimated. Dyn has said it was tens of millions. McKeay says he thinks it was likely hundreds of thousands spoofing more than one IP address to make it more difficult to block all the incoming DNS queries. “I would be hard pressed to believe there were tens of millions,” he says.
Earlier estimates put the number of devices in the Mirai botnet that took down the Krebs on Security Web site at just south of 400,000, but that’s orders of magnitude smaller than the tens of millions Dyn claims. “I can’t imagine it’s gone from 380,000 to tens of millions in three weeks,” he says.
That assessment is backed up by other experts. Because many of the internet of things (IoT) devices – security cameras, DVRs, routers – use dynamic IP addresses, the number of IP addresses recorded attacking Dyn would be greater than the actual number of devices, according to Kephart.