What began as a two-hour morning outage spanned well into the afternoon as Twitter, Reddit, Spotify, GitHub, and many other popular websites and services became effectively inaccessible for many American web users, especially those on the East Coast.
A distributed denial of service attack, or DDoS, is not an uncommon attack on the web, and web hosts have been fending them off for years. But according to reports, Friday’s attack was distinguished by its distinctive approach. The perpetrator used a botnet composed of so-called “internet-of-things” devices—namely, webcams and DVRs—to spam Dyn with more requests than it could handle.
Security researchers have been warning about these internet-of-things botnets since at least the summer. In September, a botnet composed of DVRs and CCTVs took down the blog of Brian Krebs, a prominent cybersecurity journalist. And on October 1, an anonymous developer posted source code online that allowed anyone to string a similar kind of botnet together.
Krebs wrote that releasing that software, called Mirai, “virtually [guaranteed] that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.”
“This feels new,” Bruce Schneier, a long-time computer-security researcher, told me by phone on Friday. “There hasn’t been a successful attack like this before.” There have been many unsuccessful ones that may have been larger, he added.
Andy Ellis, the chief security officer at Akamai, agreed. Akamai is one of the largest distributed cloud services on the web, serving between 15 and 30 percent of all web traffic. Some of its DNS products compete with Dyn’s.
“You never know how big an attack is on someone else,” said Ellis. He said this was a “watch-and-see” moment: Until Dyn describes the attack further, the security community would not know if this was an attack of unprecedented size or if it was one that had happened to find a specific weakness.
Neither Schneier nor Ellis would speculate about who might have perpetrated the attack.
“It could be orange elephants who became literate, for all we know,” Schneier said. “It might be three guys in Topeka.”
On his website, Krebs pointed out that a Dyn security researcher gave a talk on Thursday about the perils of internet-of-things botnets and the history of one DDoS mitigation firm in particular. Sometimes a retribution-style attack can follow a presentation of this type.
The attack demonstrates the fearsome power of internet-of-things botnets. Last month, Schneier argued in Motherboard that the government must regulate internet-of-things cybersecurity. “The market can’t fix this because neither the buyer nor the seller cares,” he wrote:
What this all means is that the [internet of things] will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on [internet of things] manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.
Ellis struck a less apocalyptic tone when he described the situation on the phone to me.