Ridiculously easy: How hackers took down the internet on Friday

If you live on the East Coast, you probably suffered some sort of internet slowdown yesterday.  That's because of a Distributed Denial of Service (DDoS) attack carried out by as yet unknown party or parties.  The attack targeted Dyn, an internet performance company located in New Hampshire.

A DDoS attack is relatively simple in concept, as this video explains:

The prospect that this will happen again is the stuff of nightmares for cyber-security experts:

USA Today:

As part of its business, Dyn provides DNS services for a given swath of the Internet, effectively its address book. DNS stands for Domain Name System, the decentralized network of files that list the domain names human beings use, such as usatoday.com, with their numeric Internet Protocol addresses, such as 184.50.238.11, which is how computers look for websites. These are computers that contain databases of URLs and the Internet Protocol addresses they represent.

"If you go to a site, say yahoo.com, your browser needs to know what the underlying Internet address that’s associated with that URL is. DNS is the service that does that conversion,”  said Steve Grobman, chief technology officer for Intel Security.

For example, the IP address for yahoo.com is 209.191.88.254.

The attack hit the Dyn server that contains that address book. Dyn provides that service to multiple Internet companies. For anyone linked to a computer that used the service, when they entered twitter.com or tumblr.com or Spotify.com, via a complex series of jumps the address book is able to tell their browser which numerical IP address to look at.

The DDoS attack floods that server with illegitimate requests, so many that very few real requests can get through. The user gets a message that the server is not available. Service is intermittent because a few requests are sometimes still able to go through.

What made this attack unique is that the hackers used hundreds of thousands of "smart" devices like DVRs, "smart" refrigerators and thermostats, and other things connected to the internet in your home to launch a crippling assault on Dyn.  This is made possible by a snippet of code developed by an anonymous hacker that was posted to the internet last month.

Popular Mechanics:

The potential problem has been bubbling up for months, but reached a peak earlier this month when the source code for something called the "Mirai" botnet was released onto the web. Designed to target the Internet of Things specifically, Mirai can scoop up connected devices and add them to a botnet simply by attempting to log into them with their factory-default username and password. Have you changed the password on your smart fridge lately? I thought not.

The Mirai code focuses on all kinds of smart devices including cameras to internet-connected fridges, but its bread and butter is DVRs. Of the nearly 500,000 devices known to be compromised by the Mirai malware, some 80 percent of them are DVRs, according to an in-depth investigation of by Level 3 communications.

These infected DVRs, along with a few thousand other gadgets, can drive ludicrous amounts of traffic. Devices compromised by this malware were responsible for a 620Gbps attack against the security website Krebs on Security in September, the biggest DDoS the world had ever seen, at the time. Reports from the security firm Flashpoint, by way of Brian Krebs, suggest that it is a botnet based on exactly this technology that is responsible for today's outages, and Dyn has since confirmed this suspicion to TechCrunch.

Now comes the scary part.  There is a chance that this was some sort of test run for an election day attack that could throw the U.S. into chaos.

Or it could be some smart kid with a million "zombie" computers at his beck and call who just wants to cause trouble.  The scary thing is that we won't be able to tell the difference when it happens again.

And it will happen again.

Daily Beast:

What has happened over the last few years is businesses have consolidated to professional managed DNS providers, ironically in part due to the difficulty in mitigating denial of service attacks.  This has created new centralized platforms for hackers to target.

And they are being targeted. Within the past month there was a distributed denial of service attack which totalled over 1,000 gigabits per second of traffic. That’s more bandwidth than many countries have. It’s a staggering volume of traffic, multiple times more than anything seen previously. (In 2015, Arbor networks reported what was then the world’s biggest DDoS attack: 334 gigabits per second.)

This is aiming to become the new normal. It is extremely difficult and costly to defend against — only a small number of companies can do it currently.

Homeland Security has been scrambling to harden state election sites from attack, but as yesterday's incident shows, hackers don't even have to break into a system to cause chaos.  We have been sleepwalking into being terribly vulnerable to both evil people and mischevious teenagers.

The arms race between hackers and cyber-security experts is currently being won by the bad guys.  And this is a race we cannot afford to lose.

If you live on the East Coast, you probably suffered some sort of internet slowdown yesterday.  That's because of a Distributed Denial of Service (DDoS) attack carried out by as yet unknown party or parties.  The attack targeted Dyn, an internet performance company located in New Hampshire.

A DDoS attack is relatively simple in concept, as this video explains:

The prospect that this will happen again is the stuff of nightmares for cyber-security experts:

USA Today:

As part of its business, Dyn provides DNS services for a given swath of the Internet, effectively its address book. DNS stands for Domain Name System, the decentralized network of files that list the domain names human beings use, such as usatoday.com, with their numeric Internet Protocol addresses, such as 184.50.238.11, which is how computers look for websites. These are computers that contain databases of URLs and the Internet Protocol addresses they represent.

"If you go to a site, say yahoo.com, your browser needs to know what the underlying Internet address that’s associated with that URL is. DNS is the service that does that conversion,”  said Steve Grobman, chief technology officer for Intel Security.

For example, the IP address for yahoo.com is 209.191.88.254.

The attack hit the Dyn server that contains that address book. Dyn provides that service to multiple Internet companies. For anyone linked to a computer that used the service, when they entered twitter.com or tumblr.com or Spotify.com, via a complex series of jumps the address book is able to tell their browser which numerical IP address to look at.

The DDoS attack floods that server with illegitimate requests, so many that very few real requests can get through. The user gets a message that the server is not available. Service is intermittent because a few requests are sometimes still able to go through.

What made this attack unique is that the hackers used hundreds of thousands of "smart" devices like DVRs, "smart" refrigerators and thermostats, and other things connected to the internet in your home to launch a crippling assault on Dyn.  This is made possible by a snippet of code developed by an anonymous hacker that was posted to the internet last month.

Popular Mechanics:

The potential problem has been bubbling up for months, but reached a peak earlier this month when the source code for something called the "Mirai" botnet was released onto the web. Designed to target the Internet of Things specifically, Mirai can scoop up connected devices and add them to a botnet simply by attempting to log into them with their factory-default username and password. Have you changed the password on your smart fridge lately? I thought not.

The Mirai code focuses on all kinds of smart devices including cameras to internet-connected fridges, but its bread and butter is DVRs. Of the nearly 500,000 devices known to be compromised by the Mirai malware, some 80 percent of them are DVRs, according to an in-depth investigation of by Level 3 communications.

These infected DVRs, along with a few thousand other gadgets, can drive ludicrous amounts of traffic. Devices compromised by this malware were responsible for a 620Gbps attack against the security website Krebs on Security in September, the biggest DDoS the world had ever seen, at the time. Reports from the security firm Flashpoint, by way of Brian Krebs, suggest that it is a botnet based on exactly this technology that is responsible for today's outages, and Dyn has since confirmed this suspicion to TechCrunch.

Now comes the scary part.  There is a chance that this was some sort of test run for an election day attack that could throw the U.S. into chaos.

Or it could be some smart kid with a million "zombie" computers at his beck and call who just wants to cause trouble.  The scary thing is that we won't be able to tell the difference when it happens again.

And it will happen again.

Daily Beast:

What has happened over the last few years is businesses have consolidated to professional managed DNS providers, ironically in part due to the difficulty in mitigating denial of service attacks.  This has created new centralized platforms for hackers to target.

And they are being targeted. Within the past month there was a distributed denial of service attack which totalled over 1,000 gigabits per second of traffic. That’s more bandwidth than many countries have. It’s a staggering volume of traffic, multiple times more than anything seen previously. (In 2015, Arbor networks reported what was then the world’s biggest DDoS attack: 334 gigabits per second.)

This is aiming to become the new normal. It is extremely difficult and costly to defend against — only a small number of companies can do it currently.

Homeland Security has been scrambling to harden state election sites from attack, but as yesterday's incident shows, hackers don't even have to break into a system to cause chaos.  We have been sleepwalking into being terribly vulnerable to both evil people and mischevious teenagers.

The arms race between hackers and cyber-security experts is currently being won by the bad guys.  And this is a race we cannot afford to lose.