Yesterday, people in certain geographical regions found themselves unable to access popular sites like Twitter, Amazon, Spotify, Netflix, PayPal and many more. These outages were the result of a DDoS attack by a massive botnet, or possibly multiple botnets working together. The attack didn’t directly target any of the sites mentioned above, but instead targeted Dyn, a provider of DNS services.
The Domain Name System is a key element that allows the Internet to function. When someone types in an easily remembered web address (like TechRaptor.net), a domain name server will convert that name into an IP address. When Dyn was faced with a DDoS attack, it was unable to provide its services to legitimate traffic. Sites which relied on Dyn to resolve their domains were inaccessible to some users as a result. More than 1200 domains were affected by this attack.
The attacks against Dyn came in multiple waves. The first wave targeted data centers in Chicago, New York, and Washington, D.C. This primarily affected people in the northeastern United States, since DNS lookups are routed to the closest data center. However, a second wave targeted twenty data centers and disrupted Dyn’s services around the world. After the second wave was resolved, Dyn was hit by a third wave. “What they’re actually doing is moving around the world with each attack,” Dyn Chief Strategy Officer Kyle York said in a conference call.
The attack relied, at least in part, on the Mirai botnet. This is a botnet made up of internet enabled devices like thermometers, toasters, DVRs, security cameras and other devices people might have around their homes and businesses, which have been infected with a specific strain of malware. These devices have poor security to say the least, with some only using a hardcoded username and password as protection. In many cases, it is impossible for the user to change that password or otherwise improve the security of the device, and the only sure way to keep them from becoming part of a botnet is to disconnect them from the Internet.
It is believed that there are around 500,000 devices connected to the internet which are infected with the Mirai malware. About 10% to 20% of that number participated in the attack on Dyn. It is also believed that devices from other botnets also participated in the attack. Dyn called the attack well executed and stated that it was hit with requests from tens of millions of IP addresses at the same time.
The Department of Homeland Security said it is looking into the attack, and one intelligence official told CNBC that North Korea has been ruled out as a possible culprit. Another official stated that this is likely a case of Internet vandalism and not a state-sponsored attack. Dyn says it has not heard from the attackers and has no idea who is responsible.