Friday, October 21, 2016

Internet Svc Attacks

East coast Internet service attacks 'coming in waves'

If you live on the East Coast and had trouble accessing Twitter, Spotify, Netflix, Amazon or Reddit Friday morning, you were not alone.


[Image: Internet outage map, October 2016]

SAN FRANCISCO — Multiple waves of online attacks blocked many major websites Friday, at times making it impossible for many users on the East Coast to access Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit and other sites.

The cause was a large-scale distributed denial of service (DDoS) attack against New Hampshire-based Internet performance company Dyn. The attacks made it difficult for users to access many popular sites beginning at 7:10 a.m. ET and continued throughout the day.

“It’s a very smart attack. We start to mitigate, they react. It keeps on happening every time. We’re learning though,” Kyle York, Dyn’s chief strategy officer, said on a conference call with reporters Friday afternoon.

The attacks used Mirai, an easy-to-use program that allows even unskilled hackers to take over online devices and use them to launch distributed denial of service, or DDoS, attacks. The software spreads via the Internet, taking over DVRs, cable set-top boxes, routers and even Internet-connected cameras used by stores and businesses for surveillance.

The source code for Mirai was released on the so-called dark web at the beginning of the month. Those are sites that require specific software or authorization to access and that operate as a sort of online underground for hackers. The release led some security experts to suggest it would soon be widely used by hackers. That appears to have happened in this case.

The Mirai botnet harnesses the computing power of Internet-connected devices as the engine behind its denial of service attacks. These devices then flood a particular site or service with large amounts of fake traffic, overwhelming the system and making it impossible for legitimate messages to get through.

Using malicious software that often infects a home through email, the Mirai source code infects and enslaves Internet of Things devices: thermostats, anything that’s connected to the internet, said York.

That means Dyn is getting “tens of millions” of messages from around the globe sent by seemingly harmless but Internet-connected devices.

“It could be your DVR, it could be a CCTV camera, a thermostat. I even saw an Internet connected toaster on Kickstarter yesterday. It’s important for folks to think about that,” said York.

The complexity and breadth of the attack points make it extremely difficult to fight, because it's hard to distinguish legitimate traffic from botnet traffic.

York said the company had been buoyed by a tremendous outpouring of aid from its customers, competitors and law enforcement. “You guys wouldn’t believe the amount of support we’ve received,” he said.

Effects felt nationwide


The first attacks appear to have begun around 7:10 a.m. Friday, then resolved towards 9:30 a.m. Then further waves began. "It's been a hectic day," said York.

Dyn posted on its website that it "began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure."

White House Press Secretary Josh Earnest said the Department of Homeland Security was “monitoring the situation" but that “at this point I don’t have any information about who may be responsible for this malicious activity.”

Who and why unknown


So far Dyn has not been able to ascertain whether the attack is aimed at any specific customer. “We have no reason to believe it is at this point,” said Dave Allen, the company’s general counsel.

The attack is “consistent with record-setting sized cyberattacks seen in the last few weeks,” said Carl Herberger, vice president of security at security company Radware.

Disruption


A post on Hacker News first identified the attack and named the sites that were affected. Several sites, including Spotify and GitHub, took to Twitter this morning to post status updates once the social network was back online.

Twitter users similarly took to the service to keep lists of which sites were down and comment on the situation. The term DDoS quickly vaulted to the top of the site's list of "Trending Topics" in the United States.

"DDoS attack this morning takes out Reddit, Twitter & Spotify," wrote user @Anubis8. "Work productivity increases by 300%."

"Anyone else having a whole lot of trouble with sites loading properly this morning?" tweeted Emmy Caitlin. "Paypal is down, Twitter was down, Netflix half loading."

How the attack works


As part of its business, Dyn provides DNS services for a given swath of the Internet, effectively its address book. DNS stands for Domain Name System, the decentralized network of records that maps the domain names human beings use, such as usatoday.com, to the numeric Internet Protocol addresses, such as 184.50.238.11, that computers use to find websites.

"If you go to a site, say yahoo.com, your browser needs to know what the underlying Internet address that’s associated with that URL is. DNS is the service that does that conversion,” said Steve Grobman, chief technology officer for Intel Security.

The attack hit the Dyn server that contains that address book. Dyn provides that service to multiple Internet companies, so for anyone whose computer relied on it, entering twitter.com, tumblr.com or Spotify.com led, via a complex series of lookups, to that address book telling their browser which numerical IP address to contact.

The DDoS attack floods that server with illegitimate requests, so many that very few real requests can get through. The user gets a message that the server is not available. Service is intermittent because a few requests are sometimes still able to go through.

In addition, many sites keep cached address books their computers can refer to. However, those caches always have a time limit on them, and when that “time to live” expires, they must go back to the DNS server to confirm the IP address is valid. If the DNS server is unavailable, a site that was working could suddenly stop being available, said Grobman.
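The TTL behaviour Grobman describes, as an added Python simulation (not code from the article, from Dyn or from Intel Security): a cache keeps answering while the record's time to live is valid, and once it expires an unreachable authoritative server turns a working name into a failure. The domain, the IP address, the TTL and the class and function names are constructed for illustration; the `serve_stale` flag goes beyond the article and models the "serve stale" mitigation (RFC 8767) in which a resolver keeps answering from an expired record while the upstream is down.

```python
class AuthoritativeDNS:
    """Stand-in for a managed DNS provider: holds the address book, can be knocked offline."""

    def __init__(self, records, ttl):
        self.records, self.ttl = records, ttl
        self.available = True  # set to False to model the provider under DDoS

    def query(self, name):
        if not self.available:
            raise TimeoutError(f"no answer from authoritative server for {name}")
        return self.records[name]


class CachingResolver:
    """A resolver (or a site's own cache) that honours the record TTL."""

    def __init__(self, upstream, clock, serve_stale=False):
        self.upstream, self.clock, self.serve_stale = upstream, clock, serve_stale
        self.cache = {}  # name -> (address, absolute time the TTL runs out)

    def resolve(self, name):
        now, rec = self.clock(), self.cache.get(name)
        if rec is not None and now < rec[1]:
            return rec[0]  # TTL still valid: answered locally, no upstream traffic
        try:
            addr = self.upstream.query(name)
        except TimeoutError:
            if rec is not None and self.serve_stale:
                return rec[0]  # mitigation: keep answering from the expired record
            raise  # the "server not available" failure the article describes
        self.cache[name] = (addr, now + self.upstream.ttl)
        return addr


def simulate(serve_stale=False):
    """Replay the article's scenario on a fake clock; returns (before, during, after_ttl)."""
    clock = [0.0]
    dns = AuthoritativeDNS({"twitter.com": "192.0.2.10"}, ttl=300)  # constructed data
    resolver = CachingResolver(dns, clock=lambda: clock[0], serve_stale=serve_stale)
    before = resolver.resolve("twitter.com")  # populates the cache
    dns.available = False  # the attack begins
    clock[0] += 60
    during = resolver.resolve("twitter.com")  # still served from cache
    clock[0] += 300  # TTL has now expired
    try:
        after = resolver.resolve("twitter.com")
    except TimeoutError:
        after = None
    return before, during, after
```

Calling `simulate()` returns the address twice and then `None`, the point at which the site "suddenly stops being available"; `simulate(serve_stale=True)` returns the address all three times.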

[Caption: This Distributed Denial of Service attack directed at a large financial institution is one of the largest ever recorded.]
