What happened to my internet? I was all set this morning to get angry over things said by people I don’t know about things I can’t change, but my favorite sites weren’t loading. Did you do this, Ecuador?
It probably wasn’t Ecuador. The apparent reason many popular websites like Twitter, Spotify, Reddit, et al. weren’t loading is a networked attack on Dyn, the company that provides these websites with domain name servers.
“Networked attack?” you are saying. “Dyn? What is all this?” Allow me to explain.
When you type in the URL of a website—let’s say “Fusion.net” for example—there isn’t actually a direct line between those words and the corresponding website. What your computer really needs is the Internet Protocol (IP) address of Fusion.net. Every computer and server on the Internet has an IP address. It’s sort of like a phone number.
To find Fusion.net’s IP address, your internet provider looks it up by checking with a series of domain name system (DNS) servers. Without working DNS, users never even make it to a website, so web-based businesses usually pay a third-party service, sometimes more than one, to provide it for extra security.
Dyn is one of those companies. Started by a group of students at Worcester Polytechnic Institute in 2001, it now provides DNS services for some of the top Internet brands. It announced on its status page that at 7:10 a.m. EST, it was hit by a distributed denial-of-service attack, or a DDoS.
“Distributed denial-of-service attack????” you may be saying right now. Don’t worry! I’m still explaining.
The DDoS is one of the oldest, but still effective, ways to attack a web service. So many requests are sent to a web service, like a DNS server, that it either gets bogged down or crashes trying to fulfill them all. While there are examples of accidental DDoS, they almost always are an attack from someone trying to take a web service down, whether it’s hacktivists, foreign governments, or an unknown source. The DNS server doesn’t know the intent of the requests coming in is hostile. It’s just trying to be a good computer and do everything being asked of it. A successful DDoS attack asks too much.
These days, you can only really manage an attack like this through the use of a botnet, which is a group of computers that have all been infected with malware and are following the orders of a central command and control server. This is where the “distributed” in “distributed denial of service” comes from. From the DNS server’s point of view, these requests are coming in from all over the world, making them harder to block.
And botnets aren’t just computers these days. When internet security journalist Brian Krebs was hit with a record DDoS attack last month, he found that the botnet targeting him consisted of many “internet of things” devices, which have notoriously poor security. Your smart refrigerator could be helping to take down the internet.
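Here is why the "distributed" part makes blocking hard, as an added example that is not part of the original article. It runs a simple per-source rate limit over one second of made-up DNS traffic; every address, rate and limit in it is an assumption chosen for illustration.

```python
"""Per-source rate limiting against a single-source vs. a distributed flood.
All addresses, rates and limits are constructed for illustration."""
from collections import Counter

PER_SOURCE_LIMIT = 20     # assumed: max queries/sec accepted from one IP
SERVER_CAPACITY = 1000    # assumed: queries/sec the DNS server can answer


def one_second_of_queries(sources):
    """Expand {ip: queries_per_second} into a flat list of source IPs,
    one entry per query, like a one-second slice of a DNS query log."""
    return [ip for ip, qps in sources.items() for _ in range(qps)]


def apply_per_source_limit(log, limit=PER_SOURCE_LIMIT):
    """Drop queries from a source once it exceeds `limit` in the window.
    Returns (accepted_count, set_of_sources_that_hit_the_limit)."""
    seen = Counter()
    accepted = 0
    blocked = set()
    for ip in log:
        seen[ip] += 1
        if seen[ip] > limit:
            blocked.add(ip)
        else:
            accepted += 1
    return accepted, blocked


def assess(log):
    """Summarise what the server still has to answer after rate limiting."""
    accepted, blocked = apply_per_source_limit(log)
    return {"offered": len(log), "accepted": accepted,
            "blocked_sources": len(blocked),
            "overloaded": accepted > SERVER_CAPACITY}


# Constructed traffic: 50 ordinary resolvers at 5 queries/sec each.
NORMAL = {f"198.51.100.{i}": 5 for i in range(1, 51)}
# The same, plus one noisy source sending 5,000 queries/sec.
SINGLE = {**NORMAL, "203.0.113.9": 5000}
# The same, plus 2,000 devices at 15 queries/sec each (placeholder addresses),
# every one of them individually under the per-source limit.
DISTRIBUTED = {**NORMAL,
               **{f"10.{i // 250}.{i % 250}.1": 15 for i in range(2000)}}

if __name__ == "__main__":
    for name, traffic in (("single", SINGLE), ("distributed", DISTRIBUTED)):
        print(name, assess(one_second_of_queries(traffic)))
```

The single noisy source is cut off and the server stays within capacity, while the distributed traffic never trips the per-source limit and still adds up to far more than the server can answer.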
The good news is that Dyn announced as of 9:20 a.m. EST that its services had returned to normal. So I’m gonna end this post now. I got a lot of tweets to catch up on.
UPDATE: As of 11:52 a.m. EST, Dyn reports the DDoS attack has resumed, so I guess my Twitter feuds will have to wait.
UPDATE: On Friday afternoon, Dyn told CNBC the onslaught has entered a third wave of DDoS attacks. The company went on to say it does believe a botnet of compromised internet-of-things devices, small internet-enabled household appliances like we mentioned earlier, is responsible.
Security firm Flashpoint believes the attack is originating from devices infected with the Mirai malware, which also was responsible for the record-breaking attack on journalist Krebs that required him to host his site on Google for protection. But who is behind the attack and what their motives are remain a mystery.