Skip to main content

Flashpoint: Friday’s DDoS attacks were likely conducted by amateur hackers

flashpoint ddos friday hacking attack hackforums hacker shutterstock
Image used with permission by copyright holder
Security firm Flashpoint has provided an “after-action” analysis of the DDoS attacks perpetrated on October 21, and concludes that they were likely carried out by amateur hackers rather than “professionals.” The reasoning is that the latter group would be more likely to seek political or financial gain rather than go after servers hosting the internet addresses of RuneScape and Netflix.

Good point.

The attacks began at roughly 7 a.m. ET last Friday, and focused on data centers owned by Dyn that are located generally in the northeastern portion of the United States. This company provides internet-based domain names to websites. When tons of junk data began to flood those DNS servers, web surfers were unable to access website addresses assigned to services and sites by Dyn.

The flood of junk data was distributed by millions of internet-connected devices, assisted in part by the Mirai malware. This tool trolls the internet for devices with default usernames and passwords still intact, infects these devices, and then opens a doorway for hackers to gain access and use them to send junk data to a specific target.

Websites that faced a virtual outage included PayPal, Twitter, Reddit, GitHub, Amazon, Spotify, and more. The DDoS attacks were carried out in three waves, the latter two of which were reduced in effect because Dyn had beefed up defenses in response to the initial wave. Friday’s attack followed one that recently hit the Krebs on Security site and French internet service provider OVH, which Flashpoint believes has nothing to do with Friday’s attack on Dyn.

It’s worth noting that the websites that were affected by the DDoS attacks were mostly related to entertainment and social media. Flashpoint’s investigation discovered that the underlying foundation used to attack Dyn also targeted a “well-known” video game company. Add all this up, and there’s good reason to believe that Friday’s attacks were carried out by “script kiddies,” a nickname for hackers who frequent online hacking forums.

“These hackers exist in their own tier and are separate and distinct from hacktivists, organized crime, state-actors, and terrorist groups,” the firm reports. “They can be motivated by financial gain, but just as often will execute attacks such as these to show off, or to cause disruption and chaos for sport.”

Flashpoint indicated in its report that it is confident the attacks stem from the English-language hacking forum community. Even more, the firm points to readers and users of the hackforums-dot-net site that play host to “personalities” who use commercial DDoS tools for paid DDoS-for-hire jobs. There’s even one frequent hackforums visitor who is widely known for using Mirai malware and botnets.

“A hacker operating under the handle ‘Anna-Senpai’ released the source code for Mirai in early October, and is believed to have operated the original Mirai botnet that was used in the attack against ‘Krebs on Security’ and hosting provider OVH earlier this month,” the report adds. “The hackers that frequent this forum have been previously known to launch these types of attacks, though at a much smaller scale.”

Had the attacks been powered by monetary or political motives, hackers would have targeted online gambling sites, Bitcoin exchanges, businesses, and so on. Take Anonymous for instance: the group makes political statements by blocking access to a specific entity, such as a government-affiliated website. Additionally, “pro” DDoS attacks can be used to squeeze money out of companies by holding their websites at ransom via blocked traffic. That doesn’t seem to be the case with Dyn and the affected websites.

“The technical and social indicators of this attack align more closely with attacks from the Hackforums community than the other type of actors that may be involved, such as higher-tier criminal actors, hacktivists, nation-states, and terrorist groups,” the security firm concludes.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Cloudflare just stopped one of the largest DDoS attacks ever
Hands on a laptop.

Cloudflare, a company that specializes in web security and distributed denial of service (DDoS) attack mitigation, just reported that it managed to stop an attack of an unprecedented scale.

The HTTPS DDoS attack was one of the largest such attacks ever recorded, and it came from unusual sources -- data centers.

Read more
Microsoft stopped the largest DDoS attack ever reported
Nvidia T4 Enterprise Server Wall

Distributed Denial-of-Service (DDoS) attacks have become more common, and Microsoft recently published a blog post looking into the trends for such attacks on its own servers. In that post, the company says that, at one point, it stopped one of the largest-ever-recorded DDoS attacks on a Microsoft Azure server in Asia.

According to Microsoft's data, in November, an unnamed Azure customer in Asia was targeted with a DDoS attack with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second (pps.) The attack came from 10,000 sources from multiple countries across the globe, including China, South Korea, Russia, Iran, and Taiwan. The attack itself lasted 15 minutes. Yet it is not the first one of such scale, as there were two additional attacks, one of 3.25 Tbps and another of 2.55 Tbps in December in Asia.

Read more
Cloudflare reports a massive 175% increase in DDoS attacks
Person using laptop with security graphics in front.

Cloudflare, a web infrastructure and security company, has just released a report titled "DDoS Attack Trends for Q4 2021." According to Cloudflare, 2021 has been a particularly bad year in terms of DDoS attacks.

Ransom distributed denial of service (DDoS) attacks increased by over 175 percent quarter over quarter, highlighting the large scale of the problem described by Cloudflare.

Read more