If you’re located in the Eastern United States, odds are good that you’ve noticed that the internet is a little ragged today. On Friday morning, a distributed denial of service attack against the company Dyn brought down websites and apps across the internet, temporarily barring access to Twitter, Pinterest, WhatsApp, and more for millions of users. While Dyn was able to stabilize the situation within a few hours, a second DDoS attack began in the early afternoon, again disrupting services across the web.
Dyn provides domain name system services, translating common internet addresses into machine-legible information that ensures you get to where you’re trying to go on the web. So every request you make for a website has to go through a DNS server. (If you want a more detailed explanation for how DNS works, here's one from Verisign, another company that works in this space.) As Lily Hay Newman explains in Wired, DDoS attacks against DNS services are effective because “an attacker can take out the entire Internet for any end user whose DNS requests route through a given server.” That is, they can bring down entire swaths of the internet, not just individual sites.
Some initial speculation (including ours here at Future Tense) suggested that the problems might have originated with an Amazon Web Services data center in Northern Virginia. That now appears to be only partly true. An early afternoon update to the AWS service health dashboard claimed that the problems had been resolved. Amazon did not directly point to Dyn, instead more ambiguously acknowledging, “The root cause was an availability event that occurred with one of our third party DNS service providers.” That provider is presumably Dyn.
In the same update, Amazon claims that it has resolved the incident, and asserts that “all security controls continued to operate normally” throughout. Despite that, it states, “Customers that independently utilize the third party DNS service provider may continue experiencing errors resolving DNS names hosted with that provider.” In other words, there may still be problems, but Amazon doesn’t take any responsibility for them.
Significantly, we don’t yet know who perpetrated the attacks against Dyn or why. While Reuters reports that both U.S. Homeland Security and the Federal Bureau of Investigation are looking into the situation, they don’t name any suspects or otherwise indicate who is being investigated.
The security researcher Brian Krebs brings up one possibility in a blog post.* Krebs notes that the initial attack unfolded “just hours after DYN researcher Doug Madory presented a talk on DDoS attacks.” (You can listen to that talk here, though it’s quite technical.) Notably, that talk tied back to earlier work by both Krebs and Madory on DDoS extortion. Krebs is careful to insist that we can’t confirm this connection with any certainty. For maybe the first time this year, though, criminal revenge seems just a little more likely than state-sponsored hackers.
We will update this post as more information becomes available.
Update, Oct. 21, 4:35 p.m.: While we still don't know who is behind the attacks, their methodology seems increasingly clear. Citing Flashpoint, a security intelligence firm, Forbes reports that the attackers appear to have used a Mirai botnet against Dyn.
Mirai botnets exploit Internet of Things devices, taking advantage their frequently low security to employ them in DDoS offensives. In late September, someone going by the handle Anna-senpai released Mirai's source code, and the number of attacks employing it have apparently risen in the subsequent weeks.
In an update to his initial blog post about the attacks, Krebs writes, “I have heard from a trusted source who’s been tracking this activity and saw chatter in the cybercrime underground yesterday discussing a plan to attack Dyn.”
Update, Oct. 22, 10:47 a.m.: In a new blog post published Friday night, Krebs laid out and further expanded on Flashpoint’s findings. Krebs writes that according to the firm, the majority of the compromised devices employed in the attack were digital video recorders and cameras produced by a Chinese company called XiongMai Technologies.
Many of these devices reportedly have passwords “hardcoded into the firmware,” according to Flashpoint research developer Zach Wikholm. Even if a user changes the default username and password on their purchase, these alternate access points persist. It can be difficult for the end user to even detect such vulnerabilities in a device—and may be all but impossible for an individual to correct them.
To put that plainly, the problem here probably wasn’t with personal cybersecurity. Instead, it’s that companies are manufacturing devices that weren’t secure in the first place and probably can’t be secured after the fact. As Krebs explains, this is all the more worrisome, because the compromised devices are simply out there. Short of a “global cleanup effort” to pull them out of circulation, we’ll likely see more attacks like the one against Dyn in the days and months ahead.
*Correction, Oct. 21, 2016: This post originally misspelled Brian Krebs’ last name.