The massive DDoS attack that almost brought down US internet – how it happened and why

India Ashok
The massive DDoS attack that almost brought down US internet – how it happened and why

On Friday (21 October), hackers mounted unprecedented concurrent global DDoS attacks on internet services firm Dyn. The attack severely impacted Dyn's clients, which include Twitter, Reddift, Spotify, SoundCloud, among others. Mere hours after Dyn claimed to have restored services, hackers hit again, leading the firm's engineers scrambling to mitigate the attack. The cyberattacks caused outages for many across the East Coast in the US.

Dyn's latest update on the attack claims that the firm's engineers were successful in mitigating the attacks. The firm said that hackers had leveraged vulnerable IoT (Internet of Things) devices to mount the attacks. Security experts believe that hackers used the proliferate Mirai botnet, the source code of which was recently made freely available to the public, to conduct the cyberattacks.

Explaining the sequence of attacks in an update, Dyn said: "On Friday October 21, 2016 at approximately 11:10 UTC, Dyn came under attack by a large Distributed Denial of Service (DDoS) attack against our Managed DNS infrastructure in the US-East region. Customers affected may have seen regional resolution failures in US-East and intermittent spikes in latency globally. Dyn's engineers were able to successfully mitigate the attack at approximately 13:20 UTC, and shortly after, the attack subsided.

"At roughly 15:50 UTC a second DDoS attack began against the Managed DNS platform. This attack was distributed in a more global fashion. Affected customers may have seen intermittent resolution issues as well as increased global latency. At approximately 17:00 UTC, our engineers were again able to mitigate the attack and service was restored."

What is going on

In September, a hacker going by the name Anna Senpai released the source code of the Mirai botnet on the underground hacking community called Hackforums. The Mirai botnet enslaves vulnerable IoT devices such as security cameras, DVRs and internet routers by infecting them with malware, thus creating a digital army of zombie-like devices that can be used in large DDoS attacks.

According to security journalist Brian Krebs, hackers are now using Mirai and posing as its author Anna-Senpai when targeting infrastructure providers with extorting attacks. Cyber crooks have now taken to threatening hosting providers with DDoS attacks, invoking the name of Mirai's developer, in an attempt to extort bitcoins from targets.

According to Krebs, sources indicated that the attacks against Dyn may have been planned. Unspecified sources claimed that they had detected "some chatter in the cybercrime underground" just a day before the attacks, "discussing a plan to attack Dyn."

According to security researchers from Flahpoint, Level 3 Communications and BackConnect, the Mirai botnet was involved in perpetrating the attacks against Dyn.

"Someone has probably achieved hegemony with the Mirai source and slapped DYN to either hit them directly or a customer downstream," BackConnect CTO Marshal Webb told Motherboard. "Nothing else would have enough legitimate devices to saturate DNS queries."

Level 3 Communications chief security officer Dan Drew said in a Periscope briefing, "We're seeing attacks coming from a number of different locations. An Internet of Things botnet called Mirai that we identified is also involved in the attack."

Flashpoint also backed up claims of Mirai's involvement . "Mirai attack commands issued against Dyn infrastructure," the firm said, also warning that "it is not yet clear if other botnets are involved."

Speculation about motivation

It is still unclear as to the attackers' motivation in having targeted Dyn. While some security experts have speculated that the attacks may have been an extortion attempt, others theorised that it may have been an ideal publicity gimmick. It is also possible that the attacks on Dyn were meant to have targeted specific tech giants.

Coincidentally, WikiLeaks posted a tweet shortly after the attacks, intimating that the attacks may have been caused by Julian Assange supporters, in protest of his internet recently having been cut off by Ecuador. However, there is no indication yet of the attacks on Dyn having any connection to WikiLeaks or Assange.

ESET security specialist Mark James told IBTimes UK, "DDoS seems to be more widely used these days to cause disruption and nuisance. As more machines become available to be infected, thus drafted into possible botnet type activity, the resources available are growing bigger and bigger. DDoS of course may not only be used to make a statement or bring voice to your protests, it may, and has on many occasions, be used as a smokescreen to cover other nefarious purposes which may include data theft or malware infection."

Adam Horsewood, Senior Security Consultant at MWR Infosecurity told IBTimes UK, "The attack on DYN could well be a form of advertising. DYN provide a DDOS defense service, protecting clients from the very same sort of attacks that they are now suffering. DDOS attacks can be provided as a service, allowing people to rent the ability to perform an attack with no upfront cost, or skill requirements. Service providers who can perform a successful attack against the very companies who offer protection services demonstrate that all who use those protective service are at risk.

"DYN's client list includes many impressive clients such as Twitter, Spotify and Github, all of which would be highly sought after targets should the DDOS attack used today be sold by its creator.

"As to why the East coast is being specifically targeted, it may be that it isn't. Cloud services make use of a technology called anycasting. Before anycasting, when you visited a website, it was like making a long distance trip to a specific location. With any-casting, the journey is cut down, as there are many copies of the location, distributed globally. As an analogy, instead of traveling for 20 minutes to go to a large supermarket, you could just go to your local corner shop, of which there are many similar copies. This makes these services quick to respond, and more resilient to attack, as they don't exist in one single place anymore.

"The traffic that is causing the problem will likely go to the nearest copy of Dyn's services, following their ISP's routing, something they don't control. The maps could indicate where the majority of the traffic is sourced or the nearest Dyn node to it.

"Assuming that Dyn advertise their service equally in different locations, what you are likely to be seeing is a large amount of source attacks in the region going to the nearest Dyn node or copy, indicating the source of the majority of the traffic is likely to be the US."

Dyn itself is yet to comment on how and why the attacks were perpetrated. The firm is known for reporting on outages experienced at other major network providers and also monitors internet access in various authoritarian regimes across the globe.

IBTimes UK will update the article in the event that any additional information is revealed about the perpetrators of the cyberattack.

Related Articles

By using Yahoo you agree that Yahoo and partners may use Cookies for personalisation and other purposes