Hackers temporarily cut off access to a number of websites along the east coast on Friday morning, in what experts said was a coordinated and oddly timed attack on a single domain name server provider.
Dyn Inc. reported a distributed denial of service, or DDoS, attack around 7:10 a.m. that left millions of people without access to Twitter, Spotify, Reddit, and the New York Times, among other sites. Dyn resumed service at 9:20 a.m., but was offline again around noon as another attack, also affecting the west coast, appeared to be in progress.
DDoS attacks against companies like Dyn, which provide the domain name service that browsers rely on to reach web pages, have recently grown in size and intensity. The most recent came the day after Doug Madory, director of internet analytics at Dyn, presented at an industry conference his research into questionable practices at BackConnect Inc., a company that offers web services, including helping customers fend off DDoS attacks. According to Madory, BackConnect has regularly spoofed Internet addresses through a technique known as BGP hijacking, an aggressive tactic that pushes the boundaries of accepted industry practice.
Madory conducted the research with Brian Krebs, a well-known writer on computer security. Krebs also published an article based on that research last month; within hours, he wrote, his website was hit by an “extremely large and unusual” DDoS attack.
The barrage likely originated from a large number of poorly secured devices such as internet-connected cameras, routers and digital video recorders, according to an analysis of the attack on the Krebs site. Such devices, collectively referred to as the Internet of Things, have been the source of a growing number of attacks since early 2015, Flashpoint and Level 3 Threat Research Labs said in a report released last month.
BackConnect denied having any connection to the incident involving Krebs’ website and did not immediately respond to a request for comment on Friday. Krebs wrote on his blog Friday that he had no evidence that the attacks on Dyn were related to Madory’s research. Dyn did not respond to requests for comment on Friday.
By attacking Internet domain name servers, hackers compromise the underlying technology that governs how the web functions, making such attacks far more powerful and widespread.
DNS translates website names into the Internet Protocol addresses that computers use to find and reach sites. But it has a design flaw: by sending a routine query to a DNS server from a computer, a hacker can trick the server into sending a monster file of IP addresses to the intended target. Multiply that by tens of thousands of computers under hackers’ control, and the wall of data that pours in is enormous.
A small server may be able to handle hundreds of simultaneous requests, but thousands every minute overload it until it shuts down, taking the websites it hosts offline with it.
The tactic is often employed by groups of hackers. In 2012, a DDoS attack forced the websites of Bank of America Corp., JPMorgan Chase & Co., Citigroup Inc., Wells Fargo & Co., US Bancorp and PNC Financial Services Group Inc. offline.
DDoS can be accomplished in a number of ways, but typically involves a distributed network of so-called “zombie” machines, known as a botnet. A botnet is made up of personal computers in homes or offices infected with malicious code that, on a hacker’s command, start flooding a web server with data. One or two machines would not be a problem, but tens or hundreds of thousands of them sending such data simultaneously can be enough to cripple even the most sophisticated web servers.
In the Dyn incident, the targeted computers were DNS servers. Without a DNS server, these name-to-address translations cannot take place, potentially rendering a large number of websites inaccessible to users across a country or even the world. In other words, knocking out DNS servers is like removing all the traffic signs from a country’s road network.
“I suspect that only one company is under attack, and all other users of the same service are also experiencing outages,” said Carl Herberger, vice president of security solutions at Radware, an Internet security company based in Israel. “This would explain why other authoritative services were not attacked.”
Yet so-called authoritative DNS providers like Dyn are notoriously difficult to secure. Herberger compares them to hospitals, which must admit anyone who turns up at the emergency room: Dyn has to treat traffic bound for a website as legitimate at first. When a DDoS attack is launched, Dyn must work quickly to sort the bad traffic from the good, which takes time and resources and creates outages that spill over to the rest of the internet.
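An added example, not code from the article or from Dyn, illustrating two points made above: why a routine, small DNS query can provoke a far larger response (the design flaw described earlier), and how a DNS server can cap the responses it sends to any one apparent client, in the spirit of response rate limiting, to separate flood traffic from legitimate queries. The names, the addresses (from the documentation ranges) and the query stream are all constructed for the example.

```python
import struct
from collections import defaultdict

def encode_name(name):
    # 'example.com' becomes the DNS label sequence \x07example\x03com\x00
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    # 12-byte header (flags: recursion desired, 1 question) + question section
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def build_response(query, addresses):
    # Answer with one 16-byte A record per address; each record names the
    # owner via a compression pointer (0xC00C) to the question at offset 12.
    (txid,) = struct.unpack("!H", query[:2])
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    rrs = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addresses)
    return header + query[12:] + rrs

def amplification_factor(query, response):
    # Bytes the server emits per byte the querier had to send
    return len(response) / len(query)

def rate_limit_responses(events, limit_per_sec=5):
    # Count responses per (client, one-second bucket); beyond the limit they
    # are dropped. In a reflection flood the "client" address is the real
    # victim, so capping responses to it caps the traffic that reaches it.
    seen = defaultdict(int)
    stats = defaultdict(lambda: [0, 0])          # client -> [allowed, dropped]
    for ts, client, _qname in events:
        key = (client, int(ts))
        seen[key] += 1
        stats[client][0 if seen[key] <= limit_per_sec else 1] += 1
    return {c: tuple(v) for c, v in stats.items()}

# Constructed sample: 100 queries in one second carrying a forged source of
# 203.0.113.7 (the victim), plus two queries from a legitimate resolver.
SAMPLE_EVENTS = ([(i / 100, "203.0.113.7", "example.com") for i in range(100)]
                 + [(0.25, "198.51.100.2", "example.com"),
                    (0.75, "198.51.100.2", "news.example")])

if __name__ == "__main__":
    q = build_query("example.com")
    r = build_response(q, ["192.0.2.%d" % i for i in range(1, 51)])
    print(len(q), len(r), round(amplification_factor(q, r), 1))
    print(rate_limit_responses(SAMPLE_EVENTS))
```

With 50 address records the 29-byte query draws an 829-byte answer, and the limiter lets the victim address receive only 5 of the 100 reflected responses while both legitimate queries pass.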
Dave Palmer, chief technology officer at UK cybersecurity firm Darktrace, said the most recent DDoS attacks have been linked to IoT devices, especially webcams.
“The Internet of Things joke was that you were going to get people to hijack people’s smart fridges to carry out these attacks, but in these recent cases the culprit seems to be the webcams,” Palmer said. “We will likely see, when this is investigated, that this is an Internet of Things botnet.”
To mitigate these attacks, companies are increasing their capacity to absorb the deluge of traffic and redirect it, often with the help of a large telecom operator or a cloud service provider such as Akamai Technologies Inc. or CloudFlare Inc. Actually preventing denial-of-service attacks, however, means raising the overall level of security for consumers around the world, a task that becomes harder as more devices are connected to the Internet.
“This is exactly what happens when tens of thousands or hundreds of thousands of devices are left unprotected,” Palmer said.