Bruce Schneier is speculating that state actors are behind yesterday’s massive DDoS on Dyn. Certainly, as whole parts of the internet went down, it felt very much like this would be how world war three would most likely start. Whilst it is timely, convenient, and tempting to blame this attack on state actors (see: Russia) – and Bruce attempts to proffer a vague rationale for this (namely that size, scale, targeting and persistency point to state actors) – I believe this to be insufficiently substantiated and quite possibly wrong.

Moreover, if hastily assumed true, and later disproven, such early allegations risk detracting from the seriousness with which journalists afford future analysis from otherwise sound cyber-experts such as Bruce. There are too few people as it is who are capable of technically understanding the emerging threats we face and speaking human. Anything that detracts from the seriousness with which mainstream media views these analyses of very real advanced persistent threats (APTs) is dangerous and inadvisable.

Here are three reasons to be careful about attributing this attack to an APT:

  1. At least part of the botnet used in the attack is known to overlap with the one previously seen in the ‘Mirai’ botnet. The code powering the Mirai botnet was open-sourced some weeks ago. It is quite possible that someone used this code to develop their own mini-Mirai and combined it with a few other botnets. The technical barrier to doing all this is minimal.
  2. The biggest previous DDoS attacks ever seen have been conducted by pay-to-play operators, not APTs. They conduct high profile attacks on core infrastructure services to ‘prove’ how powerful their botnets are, thus generating publicity for their product and ensuring a steady stream of customers.
  3. There is zero (public) technical evidence pointing to state actors at this point. Where Verisign’s annual report into the “State of DDoS” reports that “in Q2 2016, attacks continued to become more frequent, persistent, and complex”, it is important to realise this doesn’t necessarily point to state actors at all. It is fair to say that virtually every form of cyberattack, the underlying web technology, and the Internet of Things more generally have all become more pervasive, interconnected, and complex.

DDoS attacks have, as a whole, remained in a relatively unexplored infancy for far too long (relative to other cyber threats). With the barriers to engaging in ‘huge’ attacks still so low, and the tools necessary to pull them off becoming ever more accessible, we caution against hasty attribution to nation-states. Our review of all available public evidence suggests that there is no specific reason to assume this attack is state-actor in origin.