The Possible Vendetta Behind the East Coast Web Slowdown
By Nate Lanxon, Jeremy Kahn, and Joshua Brustein
October 21, 2016 — 9:08 AM EDT
October 21, 2016 — 6:05 PM EDT
Millions lose access to Twitter, Spotify, Reddit, CNN
Dyn hammered by distributed denial-of-service attack
Millions of internet users lost access to some of the
world’s most popular websites Friday, as hackers hammered servers along the
U.S. East Coast with phony traffic until they crashed, then moved westward.
In what is believed to be an ongoing, global attack on
one provider of Domain Name System services, Dyn Inc., the hack took down sites
including Twitter, Spotify, Reddit, CNN, Etsy and The New York Times for long
stretches of time -- from New York to Los Angeles.
Kyle York, chief strategy officer of Dyn, said the
hackers launched a so-called distributed denial-of-service (DDoS) attack using
“tens of millions” of malware-infected devices connected to the internet.
Speaking during a conference call Friday, York said Dyn was “actively” dealing
with a “third wave” of the attack.
Security professionals have been anticipating a rise in
attacks coming from malware that targets the “Internet of Things,” a
new breed of small gadgets that are connected to the internet. That
anticipation followed a hacker’s release several weeks ago of the software
code that powers such malware, called Mirai.
Gillian M. Christensen, a spokeswoman for the Department
of Homeland Security, said the agency and the FBI are aware of the incident and
“investigating all potential causes.”
Internet Havoc
Dyn first reported site outages relating to the DDoS
attack at around 7:10 a.m. New York time. The company restored service two
hours later but was offline again at around noon, as another attack appeared to
be underway, this time affecting the West Coast as well.
While DDoS attacks don’t steal anything, they create
havoc across the internet -- and are on the rise in volume and power.
Earlier in the day, Brian Krebs, a well-known journalist
covering computer security, wrote that the timing of the attacks corresponded
with the release of research conducted by Dyn’s director of internet analysis.
Dyn highlighted potential connections between firms that offer to protect
against DDoS attacks, and the hackers who conduct them. Krebs’s own website
faced an “extremely large and unusual” DDoS attack after he published a story
based on the same research, he said.
“We can’t confirm or even speculate on anyone’s
motivation or relation to that research,” said Dave Allen, Dyn’s general
counsel.
Common Warfare
With attacks on the internet’s Domain Name System,
hackers compromise the underlying technology that governs how the web
functions, making the hack far more powerful and widespread.
The DNS translates website names into the Internet
Protocol addresses that computers use to look up and access sites. But it has a
design flaw: By sending a routine data request to a DNS server from one computer,
the hacker can trick the system into sending a monster file of IP addresses
back to the intended target. Multiply that by tens of thousands of computers
under the hackers’ control, and the wall of data that floods back is enormous.
A small server may be capable of handling hundreds of simultaneous requests,
but thousands every minute cause it to overload and ultimately shut down, taking
the websites it hosts offline with it.
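An added example, not part of the original article: a defender at the targeted network can recognize the reflected flood described above because the large DNS responses arrive without any matching outbound query. The packet tuples, addresses and threshold below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of DNS packets seen at a network edge (not real traffic).
# Fields: direction, local_ip, local_port, remote_server_ip, dns_txid, size_bytes
# "out" = query leaving the network, "in" = response arriving from a DNS server.
PACKETS = [
    ("out", "192.0.2.10", 40001, "198.51.100.53", 0x1A2B, 64),
    ("in",  "192.0.2.10", 40001, "198.51.100.53", 0x1A2B, 120),   # answers the query
    ("in",  "192.0.2.10", 40001, "198.51.100.53", 0x1A2B, 120),   # stray duplicate
    ("in",  "192.0.2.80", 53124, "203.0.113.5",   0x0001, 3100),  # never requested
    ("in",  "192.0.2.80", 53125, "203.0.113.6",   0x0002, 2980),
    ("in",  "192.0.2.80", 53126, "203.0.113.7",   0x0003, 3100),
    ("in",  "192.0.2.80", 53127, "203.0.113.5",   0x0004, 3050),
]


def find_reflection_targets(packets, min_unsolicited=3):
    """Return local hosts receiving DNS responses they never asked for.

    A response is solicited only if a query with the same local address,
    local port, server address and transaction ID went out first. The
    threshold (an assumed value) ignores the odd duplicate or late reply.
    """
    pending = set()  # outstanding queries awaiting a response
    stats = defaultdict(lambda: {"count": 0, "bytes": 0, "servers": set()})
    for direction, local_ip, local_port, server_ip, txid, size in packets:
        key = (local_ip, local_port, server_ip, txid)
        if direction == "out":
            pending.add(key)
        elif key in pending:
            pending.discard(key)  # legitimate answer, consume the query
        else:
            entry = stats[local_ip]
            entry["count"] += 1
            entry["bytes"] += size
            entry["servers"].add(server_ip)
    return {ip: s for ip, s in stats.items() if s["count"] >= min_unsolicited}


if __name__ == "__main__":
    for ip, s in find_reflection_targets(PACKETS).items():
        print(f"{ip}: {s['count']} unsolicited responses, {s['bytes']} bytes, "
              f"{len(s['servers'])} reflecting servers")
```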
The practice often is employed by groups of hackers. In
2012, a DDoS attack forced offline the websites of Bank of America Corp., JPMorgan
Chase & Co., Citigroup Inc., Wells Fargo & Co., U.S. Bancorp and PNC
Financial Services Group Inc.
A DDoS can be achieved in a number of ways, but commonly
involves a distributed network of so-called “zombie” machines, referred to as
botnets. A botnet is formed with computers and other connected devices in homes
or offices infected with malicious code which, upon the request of a hacker,
can flood a web server with data. One or two machines wouldn’t be an issue, but
if tens or hundreds of thousands fire such data simultaneously, it can cripple
even the most sophisticated web servers.
In the case of the Dyn incident, the computers targeted
were DNS servers. Without a DNS server, large numbers of websites are
inaccessible by users across a country or even the world. In other words,
taking away the DNS servers is like taking away all the road signs on a
country’s highway system.
Single Company Targeted
So-called “authoritative” DNS providers like Dyn are
notoriously hard to secure. Carl Herberger, vice president for security
solutions at Radware, an Israel-based internet security company, likens
“authoritative” DNS providers to hospitals, which must admit anyone who shows
up at the emergency room. Dyn must consider traffic going to a website as initially
legitimate. In the event of a DDoS, Dyn must work quickly to sort out the bad
traffic from the good, which takes time and resources, and creates outages that
ripple across the internet, as was the case Friday.
Dave Palmer, director of technology at U.K. cybersecurity
company Darktrace, said the most recent DDoS attacks have been linked to
Internet of Things devices, in particular webcams.
“The joke about the Internet of Things was that you were
going to get people hijacking people’s connected fridges to conduct these
attacks, but in these recent cases the culprit seems to be webcams,” Palmer
said. “We will probably see, when this is investigated, that it is a botnet of
the Internet of Things.”
To avoid massive outages, companies ramp up their
capacity to try to absorb the deluge of traffic and reroute it, often with the
help of a major telecommunications carrier or cloud-services provider like
Akamai Technologies Inc. and CloudFlare Inc. But the only way to really prevent
denial-of-service attacks may be to increase the overall security level of
consumers around the world, Palmer said, a task that is getting harder as more
and more devices are connected to the Internet.
“This is exactly what happens when tens of thousands or
hundreds of thousands of devices are left unprotected,” Palmer said.