Oct. 21 — Hackers Oct. 21 temporarily shut down access to websites for internet users along the U.S. East Coast, in what industry professionals say was a coordinated and curiously timed attack on one particular Domain Name Server (DNS) provider.
Dyn Inc. reported a distributed denial-of-service (DDoS) attack at around 7:10 a.m. New York time, which left millions of people without access to Twitter, Spotify, Reddit and The New York Times, among other sites. Dyn restored service at 9:20 a.m. but was offline again at around noon, as another attack appeared to be underway, also affecting the U.S. West Coast.
DDoS attacks on companies like Dyn, which facilitate the loading of web pages, have increased recently in both size and intensity. The latest comes the day after Doug Madory, director of Internet Analysis at Dyn, gave a presentation at an industry conference about research he had done on questionable practices at BackConnect Inc., a firm that offers web services, including helping clients manage DDoS attacks. According to Madory, BackConnect had regularly spoofed internet addresses through a technique known as a BGP hijack, an aggressive tactic that pushes the bounds of industry.
Madory’s research was conducted with Brian Krebs, a well-known writer on computer-security issues. Krebs also published an article based on the research last month. Within hours, his website was hit by a “extremely large and unusual” DDoS attack, he wrote.
The barrage likely originated with a large amount of poorly secured devices such as internet-connected cameras, routers and digital video recorders, according to an analysis of the attack on Krebs’s site. These devices, collectively referred to as the internet of things, have been the source of an increasing number of attacks since early 2015, Flashpoint and Level 3 Threat Research Labs said in a recent report.
BackConnect has denied having any connection with the incident involving Krebs’s website, and didn’t immediately respond to a request for comment. Krebs wrote on his blog Oct. 21 that he had no evidence that the attacks on Dyn were related to Madory’s research. Dyn didn’t respond to requests for comment.
With attacks on the DNS, hackers compromise the underlying technology that governs how the web functions, making the hack far more powerful and widespread.
The DNS translates website names into the internet protocol addresses that computers use to look up and access sites. But it has a design flaw: sending a routine data request to a DNS server from one computer, the hacker can trick the system into sending a monster file of IP addresses back to the intended target. Multiply that by tens of thousands of computers under the hackers’ control, and the wall of data that flooded back was enormous.
A small server may be capable of handling hundreds of simultaneous requests, but thousands every minute cause overload and ultimately shut down, taking the websites it hosts offline with it.
The practice often is employed by groups of hackers. In 2012, a DDoS attack forced offline the websites of Bank of America Corp., JPMorgan Chase & Co., Citigroup Inc., Wells Fargo & Co., U.S. Bancorp and PNC Financial Services Group Inc.
A DDoS attack can be achieved in a number of ways, but commonly involves a distributed network of so-called “zombie” machines, referred to as botnets. A botnet is formed of personal computers in homes or offices infected with malicious code which, upon the request of a hacker, can start flooding a web server with data. One or two machines wouldn’t be an issue, but tens or hundreds of thousands fire such data simultaneously can be enough to cripple even the most sophisticated of web servers.
In the case of the Dyn incident, the computers targeted were DNS servers. Without a DNS server, those translations can’t take place, potentially rendering large numbers of websites inaccessible by users across a country or even the world. In other words, taking away the DNS servers is like taking away all the road signs on a country’s highway system.
Single Company Targeted
“I would suspect there was a single company being attacked, and everybody else who was on the same service also experience outages,” Carl Herberger, vice president for security solutions at Radware, an Israeli-based internet security company, said. “That would explain attack why other authoritative services were not being attacked,” he said.
Yet authoritative DNS providers like Dyn are notoriously hard to secure. Herberger likens them to hospitals, which must admit anyone who shows up at the emergency room. Dyn must consider traffic going to a website as initially legitimate. When a DDoS attack is launched, Dyn must work fast to sort out the bad traffic from the good, which takes time, resources and creates outages that ripple across the internet.
Dave Palmer, director of technology at U.K. cybersecurity company Darktrace, said the most recent DDoS attacks have been linked to Internet of Things devices, in particular web cams.
“The joke about the internet of things was that you were going to get people hijacking people’s connected fridges to conduct these attacks, but in these recent cases the culprit seems to be webcams,” Palmer said. “We will probably see, when this is investigated, that it is a botnet of the internet of things.”
To mitigate these attacks, companies ramp up their capacity to try to absorb the deluge of traffic and reroute it, often with the help of a major telecommunications carrier or cloud-services provider like Akamai Technologies Inc. and CloudFlare Inc. But the only way to really prevent denial-of-service attacks may be to increase the overall security level of consumers around the world, a task that is getting harder as more and more devices are connected to the Internet.
“This is exactly what happens when tens of thousands or hundreds of thousands of devices are left unprotected,” Palmer said.
With assistance from Elliott Snyder in New York, Scott Moritz in New York and Michael Riley in Washington