Millions of internet users lost access to some of the world’s most popular websites Friday, as hackers hammered servers along the US East Coast with phony traffic until they crashed, then moved westward. A global attack on one provider of Domain Name System services, Dyn Inc., took down sites including Twitter, Spotify, Reddit, CNN, Etsy and The New York Times for long stretches of time — from New York to Los Angeles. Kyle York, chief strategy officer of Dyn, said the hackers launched a so-called distributed denial-of-service (DDoS) attack using “tens of millions” of malware-infected devices connected to the internet. Speaking during a conference call Friday afternoon, York said Dyn was “actively” dealing with a “third wave” of the attack.
By Friday evening, Dyn said it had stopped the hacks. “As you can imagine it has been a crazy day,” Dyn spokesman Adam Coughlin wrote in an e-mail. “At this moment (knock on wood) service has been restored.”
Security professionals have been anticipating an increase in attacks coming from malware that targets the “Internet of Things,” a new breed of small gadgets that are connected to the internet. That was after a hacker released software code that powers such malware, called Mirai, several weeks ago.
Gillian M. Christensen, a spokeswoman for the Department of Homeland Security, said the agency and the FBI is aware of the incidents and “investigating all potential causes.”
Dyn first reported site outages relating to the DDoS attack around 7:10 AM New York time. The company restored service two hours later, but was offline again around noon, as another attack appeared to be underway, this time affecting the West Coast as well. While DDoS attacks don’t steal anything, they create havoc across the internet — and are on the increase in volume and power.
Sites were affected as far away as Australia by a second wave of attacks that began at around 1 AM Sydney time on Saturday and lasted about five hours, said Dave Anderson, a London-based vice president of marketing at Dynatrace LLC, which monitors the performance of websites. At the peak of the attack, average DNS connect times for 2,000 websites monitored by Dynatrace went to about 16 seconds from 500 milliseconds normally.
“I have never seen severity this big, impacting so many sites and lasting over such a prolonged period of time,” Anderson said in a telephone interview. “It just shows how vulnerable and interconnected the world is, and when something happens in one region, it impacts every other region.”
Dynatrace’s analytics aren’t able to trace the source of the attacks, Anderson said.
Earlier Friday in the US, Brian Krebs, a well-known journalist covering computer security, wrote that the timing of the attacks corresponded with the release of research conducted by Dyn’s director of internet analysis. Dyn highlighted potential connections between firms that offer to protect against DDoS attacks, and the hackers who conduct them. Krebs’s own website faced an “extremely large and unusual” DDoS attack after he published a story based on the same research, he said.
“We can’t confirm or even speculate on anyone’s motivation or relation to that research,” said Dave Allen, Dyn’s general counsel.
With attacks on the internet’s Domain Name System, hackers compromise the underlying technology that governs how the web functions, making the hack far more powerful and widespread.
The DNS translates website names into the Internet Protocol addresses that computers use to look up and access sites. But it has a design flaw: Sending a routine data request to a DNS server from one computer, the hacker can trick the system into sending a monster file of IP addresses back to the intended target. Multiply that by tens of thousands of computers under the hackers’ control, and the wall of data that flooded back is enormous. A small server may be capable of handling hundreds of simultaneous requests, but thousands every minute cause overload and ultimately shut down, taking the websites it hosts offline with it.
The practice often is employed by groups of hackers. In 2012, a DDoS attack forced offline the websites of Bank of America Corp., JPMorgan Chase & Co., Citigroup Inc., Wells Fargo & Co., U.S. Bancorp and PNC Financial Services Group Inc.
A DDoS can be achieved in a number of ways, but commonly involves a distributed network of so-called “zombie” machines, referred to as botnets. A botnet is formed with computers and other connected devices in homes or offices infected with malicious code which, upon the request of a hacker, can flood a web server with data. One or two machines wouldn’t be an issue, but if tens or hundreds of thousands fire such data simultaneously, it can cripple even the most sophisticated web servers.
In the case of the Dyn incident, the computers targeted were DNS servers. Without a DNS server, large numbers of websites are inaccessible by users across a country or even the world. In other words, taking away the DNS servers is like taking away all the road signs on a country’s highway system.
Single Company Targeted
So-called “authoritative” DNS providers like Dyn are notoriously hard to secure. Carl Herberger, vice president for security solutions at Radware, an Israeli-based internet security company, likens “authoritative” DNS providers to hospitals, which must admit anyone who shows up at the emergency room. Dyn must consider traffic going to a website as initially legitimate. In the event of a DDoS, Dyn must work quickly to sort out the bad traffic from the good, which takes time and resources, and creates outages that ripple across the internet, as was the case Friday.
Dave Palmer, director of technology at UK cybersecurity company Darktrace, said the most recent DDoS attacks have been linked to Internet of Things devices, in particular web cams.
“The joke about the Internet of Things was that you were going to get people hijacking people’s connected fridges to conduct these attacks, but in these recent cases the culprit seems to be webcams,” Palmer said. “We will probably see, when this is investigated, that it is a botnet of the Internet of Things.”
To avoid massive outages, companies ramp up their capacity to try to absorb the deluge of traffic and reroute it, often with the help of a major telecommunications carrier or cloud-services provider like Akamai Technologies Inc. and CloudFlare Inc. But the only way to really prevent denial-of-service attacks may be to increase the overall security level of consumers around the world, Palmer said, a task that is getting harder as more and more devices are connected to the Internet.
“This is exactly what happens when tens of thousands or hundreds of thousands of devices are left unprotected,” Palmer said.