Why the Web went down: DNS and DDoS explained
For hours Friday, users around the country had trouble accessing websites and apps like Twitter, Spotify and Reddit. The reason: a distributed denial of service attack on Dyn, a company that operates Domain Name System servers on behalf of many of those sites.
Domain Name System (DNS) servers are the Internet's lookup service. When a user types a Web address such as www.twitter.com, the user's computer first asks DNS to translate that name into the numerical IP address computers use to reach one another; only then can the browser connect to the site. DNS does not carry the traffic itself, but nothing can be reached without the answer it provides. When the servers that answer those lookups are bogged down by attack traffic, the translations stop coming back, and browsers cannot find sites that are otherwise up and running. Almost every online operation depends on DNS functioning correctly.
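To make the lookup step concrete, here is an added example, not code from the article or from Dyn: a minimal builder and parser for DNS A-record queries and responses in the real wire format, plus a toy caching resolver in front of a stand-in authoritative server. The IP address 192.0.2.10, the 300-second TTL and the timeline are assumptions chosen for the illustration. It shows why sites kept working for a while after the authoritative servers went quiet (cached answers were still valid) and then disappeared once those answers expired.

```python
"""Minimal DNS A-record query/response handling and a caching resolver that shows
why sites vanish when their authoritative DNS servers stop answering."""
import struct


def encode_name(name):
    """Encode 'www.twitter.com' as DNS labels: \\x03www\\x07twitter\\x03com\\x00."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                         # compression pointer to earlier name
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            end = end if end is not None else offset + 2
            offset = ptr
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(name, txid=0x1234):
    """12-byte header (RD=1, one question) + QNAME + QTYPE=A(1) + QCLASS=IN(1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_answer(query, ip, ttl):
    """Response (QR=1 RD=1 RA=1) echoing the question plus one A record whose
    name is a compression pointer (0xC00C) to the QNAME at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


def parse_response(msg):
    """Return (txid, [(name, ttl, ipv4), ...]) for the A records in a response."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4                                       # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return txid, answers


class AuthoritativeServer:
    """Stand-in for a hosted authoritative server; up=False models it being
    drowned in attack traffic so that queries simply time out."""
    def __init__(self, records):
        self.records, self.up = records, True

    def handle(self, query):
        if not self.up:
            return None                                   # no reply at all
        name, _ = decode_name(query, 12)
        ip, ttl = self.records[name]
        return build_answer(query, ip, ttl)


class CachingResolver:
    """Recursive resolver with a TTL-bounded cache; the clock is passed in."""
    def __init__(self, upstream):
        self.upstream, self.cache = upstream, {}

    def resolve(self, name, now):
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]                                 # answered from cache, no network needed
        reply = self.upstream.handle(build_query(name))
        if reply is None:
            self.cache.pop(name, None)
            return None                                   # browser sees "server not found"
        _, answers = parse_response(reply)
        _, ttl, ip = answers[0]
        self.cache[name] = (ip, now + ttl)
        return ip


def outage_timeline():
    """Constructed scenario: upstream goes silent at t=10 s, record TTL is 300 s."""
    auth = AuthoritativeServer({"www.twitter.com": ("192.0.2.10", 300)})  # assumed address
    resolver = CachingResolver(auth)
    results = {0: resolver.resolve("www.twitter.com", now=0)}
    auth.up = False
    results[100] = resolver.resolve("www.twitter.com", now=100)           # still cached
    results[400] = resolver.resolve("www.twitter.com", now=400)           # TTL expired
    return results


if __name__ == "__main__":
    for t, ip in outage_timeline().items():
        print(f"t={t:>3}s -> {ip if ip else 'resolution failed'}")
```

The resolver keeps serving the site for the length of the record's TTL, which is why the outage spread unevenly across users: those whose resolvers had fresh cached answers were fine until the answers aged out, after which every lookup had to reach the unresponsive authoritative servers and failed.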
“They are kind of like the address book of the Web,” said Rob Enderle of advisory services firm Enderle Group. “DNS servers are critical. Without them, if they are knocked out and fail, you’re disconnected.”
Enderle said there is not as much money to be made in attacking DNS servers as in other types of attacks, like ransomware. But one reason people target the servers is for the spectacle of causing major disruption. For example, if a country believes a hostile government is threatening it with attack, the country could disrupt DNS servers, to show that the hostile government is vulnerable as well, Enderle said.
Friday's attack was a distributed denial of service, or DDoS, attack. A DDoS attack aims to overwhelm a website or online service with more traffic than it can handle, and "distributed" means the traffic comes from many machines at once rather than a single source, which makes it far harder to filter out. Usually a specific website or company is targeted. The idea is that if enough traffic is sent, legitimate users can no longer get through.
Hackers start by building botnets: networks of computers infected with malicious software that have been "botted," or taken over so they can be remotely controlled without their owners knowing. Increasingly, it's not just computers and smartphones that are being used. Household devices, toys and other machines connected to the Internet are being taken over and directed to send spurious traffic at the target.
These botnets are bought and sold on the black market. Someone can buy a weeklong DDoS attack for as little as $150. DDoS attacks are more common than one might imagine. Digital Attack Map, a Google-backed site, reports that more than 2,000 DDoS attacks are observed every day. A third of all website downtime can be attributed to DDoS attacks.
Attacks are launched in several ways, but they fall into four categories: TCP connection attacks, which try to use up all the connections a server can hold open at once so that no new users can connect; volumetric attacks, which aim to consume the available bandwidth and cause enough congestion to slow or cut off access to a site or sites; fragmentation attacks, where the botnets send a flood of fragmented data that the target must try to reassemble, overwhelming its ability to do so; and application attacks, which aim at a specific part of an application or service, such as the lookup service a DNS server provides. Friday's attack on Dyn's DNS servers appears to be in that last category.
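Each of the four categories leaves a different footprint in traffic records, and that is how network operators tell them apart. The following is an added example, not code from the article or from any vendor named in it: simple detection logic that aggregates constructed, NetFlow-style flow records per destination over a one-second window and flags which categories the window shows. The flow records, the addresses (drawn from documentation ranges) and the thresholds are all assumptions made for the illustration; real detectors tune thresholds against a baseline of normal traffic.

```python
"""Classify a window of flow records into the four DDoS categories."""
from collections import defaultdict

# Illustrative thresholds for a one-second window (assumed, not tuned values).
HALF_OPEN_LIMIT = 100        # distinct sources with a SYN but no completed handshake
BYTES_LIMIT = 50_000_000     # bytes per window, roughly 400 Mbit/s
FRAG_RATIO_LIMIT = 0.5       # share of packets that are IP fragments
REQUEST_LIMIT = 2000         # application-layer requests (HTTP requests, DNS queries)


def classify(flows):
    """Aggregate per destination and return {dst: set(categories)}."""
    per_dst = defaultdict(lambda: {"syn_only_srcs": set(), "bytes": 0, "pkts": 0,
                                   "frag_pkts": 0, "requests": 0})
    for f in flows:
        s = per_dst[f["dst"]]
        s["bytes"] += f["bytes"]
        s["pkts"] += f["packets"]
        s["frag_pkts"] += f.get("frag_packets", 0)
        s["requests"] += f.get("requests", 0)
        if f["proto"] == "tcp" and f["flags"] == "S":    # SYN seen, handshake never completed
            s["syn_only_srcs"].add(f["src"])
    verdicts = {}
    for dst, s in per_dst.items():
        cats = set()
        if len(s["syn_only_srcs"]) > HALF_OPEN_LIMIT:
            cats.add("tcp-connection")                  # connection-table exhaustion
        if s["bytes"] > BYTES_LIMIT:
            cats.add("volumetric")                      # link saturation
        if s["pkts"] and s["frag_pkts"] / s["pkts"] > FRAG_RATIO_LIMIT:
            cats.add("fragmentation")                   # reassembly exhaustion
        if s["requests"] > REQUEST_LIMIT:
            cats.add("application")                     # request flood on one service
        verdicts[dst] = cats
    return verdicts


def sample_window():
    """Constructed one-second window: normal web sessions, a SYN flood on the
    web server, and a query flood on an authoritative DNS server."""
    flows = []
    for i in range(20):                                 # legitimate HTTP: full handshake, a few requests
        flows.append({"src": f"198.51.100.{i}", "dst": "192.0.2.80", "proto": "tcp",
                      "flags": "SA", "packets": 40, "bytes": 30_000, "requests": 5})
    for i in range(500):                                # spoofed SYNs, one packet each, no ACK ever
        flows.append({"src": f"10.0.{i // 256}.{i % 256}", "dst": "192.0.2.80", "proto": "tcp",
                      "flags": "S", "packets": 1, "bytes": 60})
    for i in range(50):                                 # 50 bots, 100 small DNS queries each
        flows.append({"src": f"10.1.0.{i}", "dst": "192.0.2.53", "proto": "udp",
                      "flags": "", "packets": 100, "bytes": 7_000, "requests": 100})
    return flows


if __name__ == "__main__":
    for dst, cats in classify(sample_window()).items():
        print(f"{dst}: {sorted(cats) or 'normal'}")
```

Note that the DNS query flood trips only the application threshold: 350 KB in the window is far below anything a link would notice, yet 5,000 queries a second against one server is exactly the kind of load that exhausts the service rather than the pipe, which is why the article puts Friday's attack in the last category.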