by snowy 3528 days ago
Can anyone explain why they keep referring to this as a complex attack? From the article it seems to be a simple volumetric attack. They mention that it uses UDP and TCP port 53, nothing complex about that...

Am I missing something here? It wasn't an L7 attack (or was it?). Why keep referring to it as complex?

4 comments

I think the market's expectation is that a DNS provider is prepared for a DDoS of any size, but not necessarily any level of complexity, so that's a lot of incentive to talk up the complexity of the attack.

What's described in this incident report is totally within the capabilities of a single individual with public knowledge, though. If they could have proven otherwise, they probably would have (unless that somehow conflicted with their criminal investigation).

Much of the complexity is likely in building and managing such a large botnet.

There also aren't a lot of details here on the exact nature of the traffic. They say it was hard to distinguish between legitimate traffic and this malicious traffic. So the botnet is at least rotating its requests through lists of customers hosted with them (though that isn't complex, it is forward thinking. If the botnet was all making non-stop requests for just a few domains, that would be a strong signal to start filtering traffic, first internally, then pushing ISPs to block it upstream).
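As an added example, not code from the thread or from the incident report it discusses, here is a small per-source DNS query profiler that encodes the signal the comment above describes: a source making non-stop requests for just a few names is flagged by a name-concentration check, while a source that rotates its requests across many hosted names passes that check and only shows up on a plain per-source rate check. The log records, IP addresses (RFC 5737 documentation ranges) and hostnames are all constructed for the example; the thresholds are assumptions, not values from the report.

```python
# Added example (not from the thread or the incident report): profile DNS
# query sources and flag two patterns a resolver operator could filter on.
import math
from collections import Counter, defaultdict


def build_sample_records():
    """Constructed sample records: (timestamp_s, src_ip, qname, proto)."""
    records = []
    # Naive bot: 30 queries in ~3 s, all for the same name.
    for i in range(30):
        records.append((100.0 + i * 0.1, "198.51.100.7", "victim.example.", "udp"))
    # Rotating bot: 30 queries in ~3 s, each for a different hosted name.
    for i in range(30):
        records.append((100.0 + i * 0.1, "203.0.113.9", f"cust-{i:02d}.example.", "udp"))
    # Ordinary client: a few queries spread over about a minute.
    for i in range(3):
        records.append((100.0 + i * 20.0, "192.0.2.5", "www.example.", "tcp"))
    return records


def shannon_entropy_bits(counter):
    """Entropy of a name distribution; 0 means every query hit one name."""
    total = sum(counter.values())
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total) for n in counter.values())


def profile_sources(records):
    """Per-source query count, distinct names, name entropy and query rate."""
    names_by_src = defaultdict(Counter)
    times_by_src = defaultdict(list)
    for ts, src, qname, _proto in records:
        names_by_src[src][qname.lower()] += 1
        times_by_src[src].append(ts)
    profiles = {}
    for src, names in names_by_src.items():
        times = sorted(times_by_src[src])
        span = max(times[-1] - times[0], 1.0)  # at least 1 s, avoids divide by zero
        count = sum(names.values())
        profiles[src] = {
            "queries": count,
            "distinct_names": len(names),
            "name_entropy": shannon_entropy_bits(names),
            "rate_qps": count / span,
        }
    return profiles


def flag_concentrated(profiles, min_queries=20, max_entropy_bits=1.0):
    """Sources hammering a handful of names: the 'strong signal' case."""
    return sorted(
        src for src, p in profiles.items()
        if p["queries"] >= min_queries and p["name_entropy"] <= max_entropy_bits
    )


def flag_high_rate(profiles, max_qps=5.0):
    """Sources exceeding a per-source rate, regardless of which names they ask for."""
    return sorted(src for src, p in profiles.items() if p["rate_qps"] > max_qps)


if __name__ == "__main__":
    prof = profile_sources(build_sample_records())
    for src, p in sorted(prof.items()):
        print(f"{src:14} queries={p['queries']:3} distinct={p['distinct_names']:3} "
              f"entropy={p['name_entropy']:.2f} qps={p['rate_qps']:.2f}")
    print("concentrated:", flag_concentrated(prof))
    print("high rate:   ", flag_high_rate(prof))
```

Run against the constructed records, the name-concentration check flags only the naive bot, and the rate check flags both bots. The second bot is what the comment is pointing at: once requests are spread across the provider's own hosted names, a resolver can no longer filter on "who is asking for what", and is left with per-source rate limits, which scale badly when the botnet is large and each member stays under the threshold.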

It's the alternative of "state actor haxored us". Marketing BS.

There are two different things. Please correct me if I'm wrong on this:

1. Device backdoor open Port 23 (telnet), used to take over IoT devices.

2. The IoT devices attacked through Port 53 (DNS).