Millions of internet users temporarily lost access to some of the world’s most popular websites Friday, as hackers hammered servers along the U.S. East Coast with phony traffic until they crashed, then moved westward.
In what is believed to be a coordinated attack on one particular Domain Name Server provider, the hack took down sites including Twitter, Spotify, Reddit, CNN, Etsy and The New York Times for long stretches of time, from New York to Los Angeles.
Unlike data breaches, the latest so-called distributed denial-of-service (DDoS) attack didn’t steal anything. It just caused big headaches for everyone affected, especially Manchester, New Hampshire-based Dyn Inc.
Dyn first reported site outages relating to the DDoS attack at around 7:10 a.m. New York time. The company restored service two hours later but was offline again at around noon, as another attack appeared to be underway, this time affecting the West Coast as well.
“Our engineers continue to investigate and mitigate several attacks aimed against the Dyn Managed DNS infrastructure,” the company wrote on its web site shortly before 2 p.m.
Though routine, DDoS assaults on companies like Dyn are on the rise in volume and power. The latest comes the day after Doug Madory, Dyn’s director of Internet Analysis, gave a presentation at an industry conference about research he had done on questionable practices at BackConnect Inc., a firm that offers web services, including helping clients manage DDoS attacks. According to Madory, BackConnect had regularly spoofed internet addresses through a technique known as a “BGP hijack,” an aggressive tactic that pushes the bounds of accepted cyber-security industry practices.
Madory’s research was conducted with Brian Krebs, a well-known writer on computer-security issues, who also published an article based on the research last month. Within hours, his website was hit by a “extremely large and unusual” DDoS attack, he wrote.
The barrage likely originated with a large amount of poorly secured devices like internet-connected cameras, routers, and digital video recorders, according to an analysis of the attack on Krebs’s site. These devices, collectively referred to as the “Internet of Things,” have been the source of DDoS onslaughts since early 2015, Flashpoint and Level 3 Threat Research Labs said in a report published last month.
BackConnect has denied having any connection with the incident involving Krebs’s website, and didn’t immediately respond to a request for comment Friday. Krebs wrote on his blog that he had no evidence that the attacks on Dyn were related to Madory’s research. Dyn didn’t respond to requests for comment.
With attacks on the Internet’s Domain Name Servers, hackers compromise the underlying technology that governs how the web functions, making the hack far more powerful and widespread.
The DNS translates website names into the Internet Protocol addresses that computers use to look up and access sites. But it has a design flaw: Sending a routine data request to a DNS server from one computer, the hacker can trick the system into sending a monster file of IP addresses back to the intended target. Multiply that by tens of thousands of computers under the hackers’ control, and the wall of data that flooded back is enormous. A small server may be capable of handling hundreds of simultaneous requests, but thousands every minute cause overload and ultimately shut down, taking the websites it hosts offline with it.
The practice often is employed by groups of hackers. In 2012, a DDoS attack forced offline the websites of Bank of America Corp., JPMorgan Chase & Co., Citigroup Inc., Wells Fargo & Co., US Bancorp and PNC Financial Services Group Inc.
A DDoS can be achieved in a number of ways, but commonly involves a distributed network of so-called “zombie” machines, referred to as botnets. A botnet is formed of personal computers in homes or offices infected with malicious code which, upon the request of a hacker, can start flooding a web server with data. One or two machines wouldn’t be an issue, but if tens or hundreds of thousands fire such data simultaneously, it can be enough to cripple even the most sophisticated of web servers.
In the case of the Dyn incident, the computers targeted were DNS servers. Without a DNS server, large numbers of websites are inaccessible by users across a country or even the world. In other words, taking away the DNS servers is like taking away all the road signs on a country’s highway system.
Single Company Targeted
“I would suspect there was a single company being attacked, and everybody else who was on the same service also experience outages,” said Carl Herberger, vice president for security solutions at Radware, an Israeli-based internet security company. “That would explain why other authoritative services were not being attacked.”
So-called “authoritative” DNS providers like Dyn are notoriously hard to secure. Herberger likens them to hospitals, which must admit anyone who shows up at the emergency room. Dyn must consider traffic going to a website as initially legitimate. In the event of a DDoS, Dyn must work quickly to sort out the bad traffic from the good, which takes time, resources and creates outages that ripple across the Internet, as was the case Friday.
Dave Palmer, director of technology at U.K. cybersecurity company Darktrace, said the most recent DDoS attacks have been linked to Internet of Things devices, in particular web cams.
“The joke about the Internet of Things was that you were going to get people hijacking people’s connected fridges to conduct these attacks, but in these recent cases the culprit seems to be webcams,” Palmer said. “We will probably see, when this is investigated, that it is a botnet of the Internet of Things.”
To avoid massive outages, companies ramp up their capacity to try to absorb the deluge of traffic and reroute it, often with the help of a major telecommunications carrier or cloud-services provider like Akamai Technologies Inc. and CloudFlare Inc. But the only way to really prevent denial-of-service attacks may be to increase the overall security level of consumers around the world, Palmer said, a task that is getting harder as more and more devices are connected to the Internet.
“This is exactly what happens when tens of thousands or hundreds of thousands of devices are left unprotected,” Palmer said.