Business Continuity Management / Disaster Recovery , DDoS Protection , Governance & Risk Management

Guilty Plea in 2016 Dyn DDoS Attack

Attack Took Down Amazon, PayPal, Spotify, Twitter and Others
Guilty Plea in 2016 Dyn DDoS Attack
A map tracking outages resulting from the October 2016 DDoS attack on Dyn (Source:

One of those responsible for the massive Mirai-based DDoS attack launched in October 2016 that targeted domain name resolver Dyn and knocked Amazon, PayPal, Spotify, Twitter and others offline has pleaded guilty to federal charges, according to the U.S. Justice Department.

See Also: Defining a Detection & Response Strategy

The individual, who was not named due to being a juvenile when the offense was committed, pleaded guilty Wednesday to committing acts of federal juvenile delinquency related to committing computer fraud and abuse by operating a botnet and by intentionally damaging a computer, according to the Justice Department.

Sentencing is scheduled for Jan. 7.

"From approximately 2015 until November of 2016, the individual conspired with others to create and operate one or more online botnets to launch cyberattacks against victim computers (specifically targeting those belonging to online gamers or gaming platforms) in order to take those computers offline altogether or otherwise significantly impair their functionality," according to court documents.

The incident took place on Oct. 21, 2016, when the individual and others used a botnet to launch DDoS attacks that took the Sony PlayStation Network's gaming platform offline for a sustained period, the Justice Department says (see: Mirai Botnet Pummels Internet DNS in Unprecedented Attack).

"The DDoS attacks impacted a domain name resolver, New Hampshire-based Dyn Inc., which caused websites, including those pertaining to Sony, Twitter, Amazon, PayPal, Tumblr, Netflix, Southern New Hampshire University and others, to become either completely inaccessible or accessible only intermittently for several hours that day," the Justice Department states.

Federal prosecutors estimate the attack resulted in losses in revenue for all the affected businesses. Sony reported a loss of $2.7 million due to the attack.

Analyzing the Attack

On the day of the attack, security firm Flashpoint issued a report noting a Mirai-based malware was used but the botnet itself was not the same as the malware used earlier that month to attack cybersecurity blogger Brian Krebs' website. The gang behind the Krebs incident publicly released the Mirai botnet code after its attack, Flashpoint reported.

About 100,000 IoT devices are believed to have been involved in the Dyn DNS attack. Researchers at Cloudflare wrote in December 2017 that the widespread nature of the attack was likely accidental because evidence pointed to the attackers intending to take down gaming platforms (see: Botnet Army of 'Up to 100,000' IoT Devices Disrupted Dyn).

"We reached this conclusion by looking at the other targets of the Dyn variant. They are all gaming related. As sad as it seems, all the prominent sites affected by the Dyn attack were apparently just the spectacular collateral damage of a war between gamers," according to the Cloudflare report.

Other Mirai-Related Sentencings

In October 2018, Paras Jha of New Jersey, who was involved in a series of Mirai botnet attacks that were launched between November 2014 and September 2016 against Rutgers University, was sentenced to home incarceration and community service and ordered to pay $8.6 million in restitution.

Previously, Jha; Josiah White, of Washington, Pennsylvania; and Dalton Norman of Metairie, Louisiana; pleaded guilty to creating and operating the original Mirai botnet. Each was sentenced to 2,500 hours of community service and ordered to pay $127,000 in restitution.

DDoS Attacks Continue

Despite many cybercriminals turning their attention to ransomware, DDoS attacks remain a significant threat. The largest such attack on record - at 2.3TB per second - took place earlier this year (see: Analysts Warn: DDoS Attacks Likely to Surge).

Some of those launching DDoS attacks are stealing a page from their ransomware partners by adding an extortion element to their attacks. They launch smaller attacks and then demand a payment to stop them from blocking access to a website.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.