Hundreds of websites, including those of Netflix, Twitter and Spotify, became unreachable on Friday when massive DDoS attacks hit their DNS provider, cutting off access for Internet users on the East Coast and elsewhere across the United States.
Three attacks were launched over a period of hours against Internet performance management company Dyn, which provides support to eight of the top 10 Internet service and retail companies and six of the top 10 entertainment companies listed in the Fortune 500.
The first attack against the Dyn Managed DNS infrastructure started at 11:10 a.m. UTC, or 7:10 a.m. EDT, the company said. Services were restored at about 9:00 a.m. EDT.
The second attack began around 11:52 a.m. EDT and was resolved by 2:52 p.m. The third attack, which started around 5:30 p.m., was resolved by about 6:17 p.m., according to Dyn’s incident report.
“This is a new spin on an old attack, as the bad guys are finding new and innovative ways to cause further discontent,” said Chase Cunningham, director of cyberoperations for A10 Networks.
“The bad guys are moving upstream for DDoS attacks on the DNS providers instead of just on sites or applications.”
Dyn “got the DNS stuff back up pretty quick. They were very effective,” he told TechNewsWorld.
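The "moving upstream" point has a concrete consequence for anyone who runs a zone: if every authoritative name server for your domain belongs to the same provider, a DDoS against that provider takes your domain offline no matter how well your own servers are defended. The script below is an added example for this article, not code from Dyn, A10 Networks or anyone quoted here. It parses the kind of output `dig +short NS <zone>` prints, groups the name servers by operator, and flags zones whose servers all sit behind one provider. The zone names, hosts and providers are constructed, and the operator-of-a-host heuristic (last two labels, with a short inline table of two-label public suffixes) is an assumption that a real tool would replace with the full Public Suffix List.

```python
"""
Check whether a zone's authoritative name servers all depend on one DNS
provider. Added example for this article; not code from Dyn, A10 Networks or
any of the people quoted. Zone names, NS hosts and providers are constructed.
"""
from collections import defaultdict

# Constructed sample NS record sets, written the way `dig +short NS <zone>`
# prints them. None of these hosts or providers is real.
SAMPLE_DIG_OUTPUT = {
    "single-provider.example": "ns1.p01.provider-a.example.\n"
                               "ns2.p01.provider-a.example.\n"
                               "ns3.p02.provider-a.example.\n"
                               "ns4.p02.provider-a.example.\n",
    "multi-provider.example": "ns1.p01.provider-a.example.\n"
                              "ns2.p01.provider-a.example.\n"
                              "ns-a.provider-b.example.\n"
                              "ns-b.provider-c.co.uk.\n",
}

# Second labels of common two-label public suffixes (co.uk, com.au, ...).
# Assumption: a production check would load the full Public Suffix List
# instead of this short inline table.
TWO_LABEL_SUFFIX_SECOND = {"co", "com", "net", "org", "ac", "gov"}


def parse_ns_lines(text: str) -> list:
    """Extract NS host names from `dig +short NS` output or full RR lines.

    `dig +short` prints one host per line; a full record line
    ('zone. 3600 IN NS host.') has the host as its last field, so taking the
    last whitespace-separated token covers both formats.
    """
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and dig comments
            continue
        hosts.append(line.split()[-1].rstrip(".").lower())
    return hosts


def provider_of(ns_host: str) -> str:
    """Approximate the registrable domain of an NS host, i.e. its operator."""
    labels = ns_host.rstrip(".").lower().split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in TWO_LABEL_SUFFIX_SECOND):
        return ".".join(labels[-3:])          # e.g. provider-c.co.uk
    return ".".join(labels[-2:])              # e.g. provider-a.example


def providers_for(ns_hosts: list) -> dict:
    """Group NS hosts by operator so concentration is visible at a glance."""
    groups = defaultdict(list)
    for host in ns_hosts:
        groups[provider_of(host)].append(host)
    return dict(groups)


def single_provider(ns_hosts: list) -> bool:
    """True when every listed name server belongs to one operator: an outage
    or DDoS against that operator takes the whole zone with it."""
    return len(providers_for(ns_hosts)) < 2


def audit(zone: str, dig_output: str) -> dict:
    """Return a small report for one zone."""
    hosts = parse_ns_lines(dig_output)
    groups = providers_for(hosts)
    return {
        "zone": zone,
        "nameservers": len(hosts),
        "providers": sorted(groups),
        "single_provider": len(groups) < 2,
    }


if __name__ == "__main__":
    for zone, out in SAMPLE_DIG_OUTPUT.items():
        r = audit(zone, out)
        flag = "RISK: all NS behind one provider" if r["single_provider"] else "ok"
        print(f"{zone}: {r['nameservers']} NS across {r['providers']} -> {flag}")
```

To run it against a real zone, pipe `dig +short NS yourzone.example` into `parse_ns_lines`. Two caveats: the operator heuristic is only an approximation of the registrable domain, and splitting authority across two providers only helps if the zone data is kept identical at both, which usually means scripting the updates rather than editing two web consoles by hand.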
The Severity of the Attacks
While the attacks were “pretty large,” they “didn’t bring anything down for very long,” Cunningham noted.
Still, without confirmation from Dyn or ISPs, “it’s only possible to speculate on the severity of this attack,” said Craig Young, a computer security researcher at Tripwire.
“It is, however, reasonable to assume that the attackers controlled a considerable bandwidth in order to take out a service known for its resiliency against this type of attack,” he told TechNewsWorld.
Assembling that much bandwidth has become easier with the proliferation of Internet of Things devices. Cybercriminals and hackers increasingly conscript poorly secured IoT devices into botnets that launch successive waves of very large DDoS attacks.
“Threat actors are leveraging insecure IoT devices to launch some of history’s largest DDoS attacks,” A10’s Cunningham noted.
Manufacturers should eliminate the use of default or easily guessed passwords for accessing and managing smart or connected devices, he said, to “hinder many of the global botnets that are created and deployed for malicious use.”
Who’s Pulling the Strings?
A nation state or states might be preparing to take down the Internet, cybersecurity expert Bruce Schneier recently warned, and “if there’s a threat actor out there with this goal, DNS infrastructure would be a very natural target to expect,” Tripwire’s Young pointed out.
Another possibility is that the attacks could be a publicity stunt for a new threat actor launching a DDoS as a Service business, he suggested, in which case someone will claim responsibility for the attacks “in coming days or weeks.”
Nothing points to one particular group, although it appears that recently more attacks have been coming from South America than from Russia or the former Soviet bloc, A10’s Cunningham said.
At this point, considering the source “is total speculation,” he added.
The United States Department of Homeland Security reportedly is looking into the attacks.
The explanation may turn out to be simple. Perhaps Dyn’s DNS servers were just too tempting a target, and this was an attack of opportunity.
…BIND9 is 100 to 1000 times slower than an ideal DNS server, so is much harder to keep up in the face of DDoS.
— Robert Graham ❄ (@ErrataRob) October 21, 2016
BIND is the Internet Systems Consortium’s open source reference implementation of the DNS protocols, as well as production-grade software used in high-volume, high-reliability deployments. The comparison is Graham’s own assessment; Dyn has not said which DNS software its infrastructure runs.
More Trouble Ahead
DDoS attacks have been on the upswing and likely will increase in the near term.
There was a 129 percent increase in year-over-year DDoS attack traffic in the second quarter of 2016, according to Akamai.
That amounts to nearly 5,000 mitigated attacks across a variety of industries and verticals during the period.