Popular websites knocked down by IoT-enabled DDoS attack
Video cams, DVRs used to disrupt Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, PayPal
By Bob Sullivan, ThirdCertainty
An army of infected gadgets—such as nanny cameras—overwhelmed a critical Internet service provider on Friday, Oct. 21, knocking many large Internet companies offline. The firm at the middle of the attack, New Hampshire-based Dyn, reported repelling three waves of attacks over about a 12-hour period.
In a conference call with reporters Friday, the firm said an army of infected Internet of Things devices flooded its services with traffic. As a result, traffic was coming to the firm from “tens of millions of IP addresses at the same time,” the firm said.
The result was that Internet users for most of Friday could not consistently access Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, PayPal and other popular sites.
Computer security firm Flashpoint reported that Dyn was the victim of an attack orchestrated by criminals using malicious software called Mirai. It searches the Internet looking for gadgets that are protected only by default passwords or simple passwords, infects them, and then assembles them into a botnet that can be used for attacks like this.
The source code for Mirai was made public earlier this month. And last week, Threatpost reported that the number of Mirai-infected devices had, predictably, soared since the release.
“The number of compromised CCTV cameras, DVRs, home-networking equipment overrun by Mirai has more than doubled from 213,000 to 493,000,” it said.
All those compromised “smart” locks and refrigerators could be used to attack a computer server by overwhelming it with requests, which is apparently what happened to Dyn. The firm described the attack as sophisticated and well planned.
What they actually did was move “around the world with each attack,” said Dyn Chief Strategy Officer Kyle York, as reported by CNBC Friday.
Dyn offers managed Domain Name Service hosting, which allows companies to geographically disperse their critical DNS services. DNS is the Internet’s addressing system, connecting cryptic IP addresses to common names like BobSullivan.net. DNS can be a bottleneck, so some larger websites outsource DNS services to firms like Dyn.
The attack occurred as a tense election season is drawing to a close and rhetoric about potential hacking incidents impacting the presidential campaign continues to escalate. There was no evidence to connect this attack to the election, but jittery voters drew the inference anyway.
Reading Dyn’s normally dry network status page provides a melodramatic look at how Friday’s events unfolded.
The day began with:
“Starting at 11:10 UTC on October 21st-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time.”
Then, “This attack is mainly impacting US East and is impacting Managed DNS customers in this region.”
Two hours later, “Services have been restored to normal.”
But not so fast.
“As of 15:52 UTC, We have begun monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure.”
Still, by 3 p.m. East Coast time, the firm hadn’t wrestled the attack to the ground.
“Our engineers are still investigating and mitigating the attacks on our infrastructure.”