Wikipedia describes Mirai as the tool used to get control of a device. Below I consider the hostile actions of the controlled devices, especially in the event of 2016 Oct 21, called “the attack” below.

Report by Dyn.

I had to read the WSJ to learn that the attack uses source spoofing. Of course it would, but I had not thought of that. It is relevant to the fix.

From the WSJ: “Friday’s attack highlighted how the internet, which is designed to insure its own stability by distributing control of the network across millions of computers, can still prove vulnerable to targeted assault.”

‘Designed’ perhaps, but not well enough.

I think that DNS was not conceived with the original ARPAnet; it was introduced in order to provide stable and memorable domain names despite the migration of computers you might want to find. The domain name solution was the opposite of distributed, however. An organization was invented to form and administer a global name space starting with the top-level domain names.

That certain big domains were selectively struck, as is reported, suggests that the overwhelmed servers were not DNS servers in general but “name servers” that specialize in the sub-domains of some institution.


Microsoft’s DNS Architecture provides the history of DNS with explanations and RFC numbers. A “recursive query” is what a client sends when it asks for “physics.stanford.edu” and expects an IP address in return; the resolver that receives it does the rest of the work. It does that work with “iterative queries”: it asks the root servers, which refer it to the servers for “edu”, which refer it to the servers for “stanford.edu”, which finally answer with the address. Each referral covers a successively longer trailing segment of the full name and provides the addresses of the name servers that specialize in names ending with that segment.

I suppose I could read the Mirai sources, but instead here is what I deduce about the attack from what I read. For each of a few domain names of large institutions, such as Amazon, the attack generates many DNS requests of the form “What is the IP address for rand.amazon.com?”, where rand is a different string of some 10 (or so) random lower-case letters. The originating IP address in the DNS request is a random 32-bit number, for the attack does not really want the answer: there is no machine with the domain name rand.amazon.com.

Somewhere there is a computer X, or a few, responsible for knowing the IP addresses for all domain names of this form. Its normal legitimate load is quite light, for infrequently used names like these are infrequently sought through DNS. Frequently used names of this form are cached in local name servers. Suddenly the load on X is many orders of magnitude greater, for it is queried for each of these bogus requests. Even if other name servers cached negative responses, that would just congest their caches, because each request is for a new name. I suppose that the company Dyn operates X for Amazon and felt responsible for repelling the attack.
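To make the recursive/iterative walk and the cache-bypass argument above concrete, here is a toy model I have added for this post. It is not Mirai code and not a real resolver; the zone data, server names and addresses are constructed for the example. It shows why a thousand lookups of one popular name cost the authoritative server one query, while a thousand lookups of fresh random sub-domains cost it a thousand, with negative caching only filling the resolver’s cache.

```python
"""Toy model of DNS resolution and the random-subdomain flood described above.
Constructed example for this post; not Mirai code and not a real resolver."""
import random
import string
from collections import Counter

# Constructed authoritative data (assumed for the example). A server either
# holds records for its zone (and answers NXDOMAIN, modelled as None, for
# names it does not have) or holds referrals: trailing segment -> server.
AUTH_SERVERS = {
    "root":          {"refer": {"com": "tld-com", "edu": "tld-edu"}},
    "tld-com":       {"refer": {"amazon.com": "auth-amazon"}},
    "tld-edu":       {"refer": {"stanford.edu": "auth-stanford"}},
    "auth-amazon":   {"records": {"amazon.com": "52.0.0.10",
                                  "www.amazon.com": "52.0.0.11"}},
    "auth-stanford": {"records": {"physics.stanford.edu": "171.64.0.1"}},
}


def trailing_segments(name):
    """'www.amazon.com' -> ['www.amazon.com', 'amazon.com', 'com'], longest first."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


class Resolver:
    """A recursive resolver: clients send it recursive queries; it answers from
    cache or walks root -> TLD -> authoritative with iterative queries, caching
    the referrals and the final answers (negative answers included)."""

    def __init__(self):
        self.answer_cache = {}         # name -> address, or None for NXDOMAIN
        self.ns_cache = {}             # trailing segment -> server to ask
        self.queries_sent = Counter()  # server -> iterative queries it received

    def _ask(self, server, name):
        """One iterative query. Returns ('answer', addr_or_None) or
        ('refer', segment, next_server)."""
        self.queries_sent[server] += 1
        data = AUTH_SERVERS[server]
        if "records" in data:
            return ("answer", data["records"].get(name))
        for seg in trailing_segments(name):
            if seg in data["refer"]:
                return ("refer", seg, data["refer"][seg])
        return ("answer", None)        # nothing delegated: name does not exist

    def resolve(self, name):
        if name in self.answer_cache:
            return self.answer_cache[name]
        # Start at the closest name server already known, else at the root.
        server = next((self.ns_cache[s] for s in trailing_segments(name)
                       if s in self.ns_cache), "root")
        while True:
            reply = self._ask(server, name)
            if reply[0] == "refer":
                _, seg, server = reply
                self.ns_cache[seg] = server
                continue
            self.answer_cache[name] = reply[1]
            return reply[1]


def random_label(rng, n=10):
    """The attack's label: some 10 random lower-case letters."""
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(n))


def legitimate_lookups(n):
    """n clients ask for the same popular name: only the first reaches the
    authoritative server, the rest are served from the resolver's cache.
    Returns (queries to auth-amazon, cached answers)."""
    r = Resolver()
    for _ in range(n):
        r.resolve("www.amazon.com")
    return r.queries_sent["auth-amazon"], len(r.answer_cache)


def random_subdomain_flood(n, seed=1):
    """n bogus queries for <random>.amazon.com: the referral cache tells the
    resolver which server to ask, but every name misses the answer cache and
    lands on the authoritative server, while negative answers pile up.
    Returns (queries to auth-amazon, cached answers, queries to root)."""
    r = Resolver()
    rng = random.Random(seed)
    for _ in range(n):
        r.resolve(random_label(rng) + ".amazon.com")
    return (r.queries_sent["auth-amazon"], len(r.answer_cache),
            r.queries_sent["root"])


if __name__ == "__main__":
    print("legitimate:", legitimate_lookups(1000))      # (1, 1)
    print("flood:     ", random_subdomain_flood(1000))  # (1000, 1000, 1)
```

The root and TLD servers are asked once in either case, because the resolver remembers who is responsible for “amazon.com”; that is exactly why the load lands on X and not on the rest of the hierarchy.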