A botnet leveraging unprotected Internet of Things devices is partly responsible for the outages that wreaked havoc with the internet Friday.
A slew of popular websites were intermittently or completely offline Friday, including Box, GitHub, PayPal and Twitter, due to the attacks directed at Dyn, which provides managed domain name server service.
Dyn released a statement Friday saying they began monitoring and mitigating a DDoS attack against their Managed DNS infrastructure around 7:10 a.m. EST. The attack is impacted mainly the U.S. East Coast.
Sites have been working intermittently during the attack, but outage maps from a variety of websites shows problems on both the East and West Coast. The company remedied the morning attack by 9:20 a.m.
Around 12:15 p.m. Friday, Dyn aid it’s mitigating another DDoS attack. The company said its advanced services have been impacted, with possible delays in monitoring. A status message on Amazon Web Services’ website states the company is having problems with its West-1 Region due to the afternoon attack.
Around 4:30 p.m. EST Friday, the company announced a third wave of attacks, which consisted of “tens of millions of IPs” was being carried out. The company told CNBC the attack was “sophisticated and well coordinated.”
Gizmodo has a full list of sites that are experiencing outages.
In a recorded Q&A on Periscope, Level 3 Chief Security Officer Dale Drew explained the DNS DDoS attack is different when compared to a plain DDoS attack: While a DDoS attack points a large portion of junk traffic at a target in the hope that it blocks all legitimate traffic, a DNS DDoS attack is forcing queries on web hosts as fast as possible so Dyn’s system is spending so much resources responding to each of those queries that it doesn’t have time for a legitimate request.
“The bad guys are going through legitimate DNS providers and making queries,” Drew said. “They are making a significant amount of queries, they are getting completely overwhelmed and cannot answer legitimate queries from real questions.”
The Domain Name System, or DNS, is the directory assistance service that points to IP addresses to website addresses (like CyberScoop.com).
According to the company’s website, Dyn provides internet performance services, including DNS-related services, to eight of the top 10 internet services and retail companies, and six of the top 10 entertainment companies listed in the Fortune 500. It counts SoundCloud, BT, Hershey, Twitter, The Guardian and Seeking Alpha among its clients.
Drew also said that a portion of the traffic can be traced back to the Mirai botnet, which uses poorly secured Internet of Things devices like smartphones, live cameras and routers to augment the attack’s size. Mirai been a rash of massive DDoS attacks over the past few weeks, most notably the biggest one ever recorded that took independent journalist Brian Krebs’ blog offline for a number of days.
The source code for the botnet responsible for that attack, has been adopted by random hackers and used against new targets. Drew said in his video that those responsible for today’s outage is leveraging Mirai, as well as other botnets.
Earlier this month, experts told CyberScoop that Mirai’s spread symbolizes a shift in hackers’ capabilities.
“These recent, large attacks are most likely a harbinger for what the industry will likely now face on a more regular basis,” said Martin McKeay, Akamai’s senior security advocate. “This happens every couple of years. A new attack – think of Operation Abibal from a couple of years ago — creates a new high water mark. Those providing mitigation create new defenses against the attacks, only to have the attackers evolve further. It’s a vicious cycle and one that will continue for as long as people want to DDoS websites.”