San Francisco Chronicle

Attacks put huge holes in Web

Many of most popular sites and apps affected by malicious assault

- By Marissa Lang

For millions of people on Friday, it felt like someone had pulled the plug on the Internet.

A series of malicious cyberattacks — known as distributed denial of service, or a DDoS attack — took down Dyn, an Internet infrastructure company that, among other things, provides domain name services, online traffic management and email connectivity to hundreds of companies. (See sidebar for more.)

That meant that beginning around 4 a.m. Pacific time, Web traffic to companies that use Dyn to operate their sites came screeching to a stop.

The attack may turn out to be among the biggest in history, as mounting evidence pointed to similarities between Friday’s attack and a record-setting assault last month that shut down the website of a security journalist using compromised devices from the so-called Internet of Things.

Any number of devices — including televisions, smart watches, alarm clocks, vacuum cleaners, children’s toys and anything else with an Internet connection — are vulnerable to being infected and, without their owners’ knowledge, used in that kind of attack.

It was, security experts said, a reminder to many of how vulnerable the Internet can be, and supported fears that DDoS attacks may be growing stronger in their ability to shut down wide swaths of the Internet with a single, targeted strike.

The Federal Bureau of Investigation and U.S. Department of Homeland Security were monitoring the situation, White House spokesman Josh Earnest told reporters Friday. He said he had no information about who may be behind the disruption, and no one immediately came forward to claim responsibility or demand cash in exchange for a cease-fire. (Extortion is a common motivation for such attacks.)

One thing security experts could say with certainty was that the assault on Dyn was no ordinary DDoS attack. It was much, much bigger.

“Typically, DDoS attacks are targeted at single websites, not a big DNS hosting provider. So, one website is unavailable for a while. This Dyn attack took an untold number of very popular sites out, including GitHub, which many software companies use for hosting code. The scope is much bigger than the usual attack,” said Brian White, chief operating officer of security firm Red Owl Analytics. “Taking out one DNS provider can affect thousands and thousands of websites, turning big sections of the Internet black for a while. Without DNS the Internet goes dark.”

Dyn and other DNS providers link the letters of a website’s URL (such as www.sfchronicle.com) to its numerical IP address.

DDoS attacks launch large quantities of phony traffic — usually co-opted from hacked devices — at a company’s servers in order to overload the system and shut down its ability to respond to real users.

Friday’s attack, which was characterized as malicious by the White House, targeted New Hampshire-based Dyn and impacted Internet users across the country.

The reach and economic impact of the shutdown was not immediately clear. Many companies have contingency plans in place to offset the damage done by such an outage.

But customers and small businesses that rely on websites like Twitter or Etsy to do business are the most affected. Unless the website or app they use can reroute its operations and get back online, there’s nothing a customer can do but sit and wait.

“I am pulling my hair out trying to figure out what I am going to do because I lost an entire day of work,” said Taylor Nikolai, CEO of Viral Spark, which does social media consulting. “I had a lot of things scheduled out today and I don’t know what’s happening.”

For some, Twitter was down nearly half the day.

The list of affected companies included some of the most frequented websites online: Amazon, Netflix, Twitter, Kayak, Spotify, Airbnb, Reddit, SoundCloud, Shopify, GitHub and Etsy.

It shut down Web operations at local companies, like San Francisco office catering firm Zesty and customer service provider Zendesk.

And it stopped traffic to news outlets like the Boston Globe, CNN, Wired and the New York Times.

Dyn said the onslaught of junk traffic crippling its servers seemed to be coming from tens of millions of IP addresses from around the world.

Several security firms pointed out that the attack was reminiscent of a record-sized attack launched against cybersecurity journalist Brian Krebs’ website last month.

Typically in a DDoS attack, hackers will deploy a botnet, or a network of computers infected with malicious software (or malware), to route phony traffic to a certain site or server with the intent of shutting it down.

The attack on Krebs’ website was slightly different in that the specific botnet used, known as Mirai, was built using infected devices like Internet-enabled cameras. Devices that are a part of the so-called Internet of Things are notoriously susceptible to malware.

Security firm Flashpoint reported on Friday that there was evidence that a Mirai botnet had been used in the attack on Dyn.

“There are a number of reasons why someone might want to do this,” said Jeremiah Grossman, SentinelOne’s chief of security strategy. “The easiest one is they’re just jerks — and that’s not uncommon. Reason No. 2 is extortion, though that doesn’t seem to be the case here. Reason No. 3 is maybe you’re just stretching your legs, trying to figure out what you’re capable of.”

Friday’s first major assault lasted about two hours. A second attack began just before 9 a.m. and lasted about an hour. A third began sometime in the early afternoon.

In the midst of the attack, WikiLeaks’ official Twitter account sent out a message to its “supporters” calling for restraint. It was not immediately clear if, or how, WikiLeaks or its supporters may have been involved in the attack.

WikiLeaks founder Julian “Assange is still alive and WikiLeaks is still publishing,” the tweet said. “We ask supporters to stop taking down the U.S. Internet. You proved your point.”

(The Ecuadoran government cut off Assange’s Internet access this week at its London Embassy, where he has asylum.)

“DDoS remains a popular protest attack,” White said. “Most attacks today are designed to avoid detection and steal information, but DDoS is a very public demonstration. Though we don’t yet know the intention or a perpetrator, this attack was clearly designed to grab attention.”

Amazon, Zendesk and other companies rerouted their domain operations through different service providers to mitigate the damage from the attacks on Dyn.

“Today we had a disruption across Zendesk that was caused by a widespread distributed denial of service attack against our DNS provider Dyn. Like for many companies, this interfered with our customers being able to access our products and services,” Zendesk said in a statement. “We were able to recover quickly because we have a secondary provider in place, and all of our services are now available.”

Local in-office catering startup Zesty said the midday outage prevented some customers from viewing its online menus, but it was able to maintain service by switching to phone communication, rather than relying on its website.

While the first attack largely impacted Internet users on the East Coast, subsequent assaults appeared wider-reaching, with people in California and other parts of the U.S. reporting connectivity issues, as well as some in parts of Europe and Asia, according to several outage monitoring sites.

Some companies continued to experience ongoing connectivity problems throughout the day as Dyn engineers worked to investigate and counter the numerous attacks aimed at the company’s infrastructure.

“DNS is one of the key, core infrastructures of the Internet,” said Robert Graham, CEO of Errata Security. “And we still don’t take it seriously. … That’s kind of stupid.”
