Last October, a flood of traffic from the Mirai botnet brought down major portions of the internet, blocking access to Amazon, Netflix, and other services for most of the northeastern US. It was a painful reminder of the fragility of the internet and the danger of insecure Internet of Things devices — but despite the broad scale of the damage, new research presented today at the Usenix conference suggests the attackers may have just been trying to kick people off PlayStation.
The new report comes from a team of researchers at Google, Cloudflare, Merit Networks, Akamai, and a range of university partners, drawing on data from some of the largest infrastructure networks on the web. Looking at the October attack on DNS provider Dyn, researchers noticed something unusual. All the IP addresses targeted by the attack were nameservers for the PlayStation Network, used by Dyn to connect visitors to the correct IP address. Because of the networked nature of Dyn’s domain registration system, attacking those servers meant attacking the whole system — and when it went down, it brought down access to dozens of other services with it.
During the same period, the same attackers also went after a handful of gaming services. The researchers detected attacks on Xbox Live, Nuclear Fallout, and Valve Steam servers, suggesting the group was going after a wide range of gaming systems.
“This pattern of behavior suggests that the Dyn attack on October 21, 2016 was not solely aimed at Dyn,” the researchers conclude. “The attacker was likely targeting gaming infrastructure that incidentally disrupted service to Dyn’s broader customer base.”
It’s not the first time researchers have linked the attack to the PlayStation network — many of them spurred by a hackerforum.com thread shortly after the attack — but it’s the first time we’ve had concrete data to back up the claim. It’s hard to know precisely why the attack was launched, but with a long history of cyberattacks on the PlayStation network, it’s plausible that similar motivations were at work.
The Dyn attack wasn’t the last time someone would use Mirai, particularly after the source code for the botnet was made public, making it easy for bystanders to launch their own attacks. In total, the researchers identified more than 15,000 individual attacks made by the same Mirai botnet, targeting more than 5,000 victims across 86 countries.
Some of those targets are clearly gaming related, like a set of Brazilian Minecraft servers that sustained 318 individual attacks, but others have no clear connection to anything. One of the most prominent attacks targeted the Liberian telecom LoneStar Cell, with smaller attacks targeting a Russian cooking blog and the personal website of regional Italian politician Mino Moratuolo.