DDoS Protection , Security Operations
DDoS Attack Blamed for Massive OutagesAttack on DNS Company Dyn Suspected in Takedown of Twitter, Amazon and More
(This story has been updated.)
A massive distributed denial-of-service attack that began early Oct. 21 and continued in waves into the evening is suspected to be the cause of the temporary outages of many popular websites, including Amazon and Twitter.
The attack, coming simultaneously from tens of millions of IP addresses, targeted domain name system service provider Dyn. The website outages were intermittent.
Dyn repeatedly posted this update throughout the day: "Our engineers continue to investigate and mitigate several attacks aimed against the Dyn Managed DNS infrastructure."
In a conference call the afternoon of Oct. 21, according to news reports, Dyn said the attack was being waged from devices infected with a malware code that was released on the web in recent weeks.
"What they're actually doing is moving around the world with each attack," Dyn Chief Strategy Officer Kyle York said on the call, according to news reports.
Dyn executives said the company has not heard from the attackers and does not know who they are.
Citing a senior U.S. intelligence official, NBC News reports a preliminary assessment of the DDoS attack deems it a classic case of internet vandalism. The official said it does not appear to be a state-sponsored or directed attack. White House spokesman Josh Earnest says the U.S. Department of Homeland Security is monitoring the situation.
WikiLeaks posted a Tweet the evening of Oct. 21 suggesting its supporters were behind the attack. The organization, headed by Julian Assange, posts secret information and news leaks. It's been publishing stolen emails and other messages, believed stolen by the Russians, on U.S. Democratic presidential nominee Hillary Clinton.
Mr. Assange is still alive and WikiLeaks is still publishing. We ask supporters to stop taking down the US internet. You proved your point. pic.twitter.com/XVch196xyL— WikiLeaks (@wikileaks) October 21, 2016
Attacks Began at Dawn
Starting just before the work day began in the eastern United States, users from the U.S., Canada and Europe began reporting their inability to access websites operated by Airbnb, Amazon, Reddit, The New York Times, PayPal, Spotify, Tumblr, Twitter, The Wall Street Journal, Yelp and others via PC and mobile browsers and apps.
DDoS attacks involve overwhelming targeted sites with high volumes of traffic, highly targeted attacks against some services, or both. The result is that targeted sites may be intermittently or entirely unreachable by users. But because the Oct. 21 DDoS attack targeted a major DNS provider, the disruptions were more pronounced. That's because DNS is the equivalent of an internet phone book, translating domain names into IP addresses so that traffic can be routed accordingly. Hence by disrupting a DNS provider, the attack effect was dramatically multiplied.
In a "DDoS attack" incident report posted in the morning, Dyn reported that "this attack is mainly impacting U.S. East and is impacting managed DNS customers in this region."
After a lull, the DDoS attacks apparently resumed in at least two more waves later in the day, according to news reports.
Multiple affected services, including Twitter, confirmed that their sites had been inaccessible for some users during the DDoS attack.
"Between approximately 4:10 and 6:10 PDT, various Twitter domains, including twitter.com may have been inaccessible for users in some regions, due to failures resolving particular DNS hostnames," according to a Twitter status update. "This issue has now been resolved."
Some people may have briefly had problems accessing Twitter. This issue is now resolved, thanks for your patience! https://t.co/bC13KpOIyn— Twitter Support (@Support) October 21, 2016
Service to Twitter, however, remained sporadic in parts of the U.S. during the afternoon of Oct. 21.
The attack on Dyn follows record-setting DDoS attacks via internet of things devices infected with Mirai malware. The related botnet at one point reportedly included 168,000 hacked devices - ranging from internet-connected cameras to digital video recorders. It was used to deliver a record-setting DDoS attack that peaked at 620 gigabits per second of traffic, far above the typical range of 1 Gbps to 15 Gbps for DDoS attacks.
It's unclear if that botnet was used to disrupt Dyn's DNS services. But some security experts say the latest attack highlights the challenge facing DNS providers when it comes to defending against today's record-setting DDoS attacks.
Furthermore, some security experts are warning that this attack may have just been a test run for triggering widespread internet outages.
Disruption Follows Routing Security Presentation
The DDoS disruptions followed an Oct. 18 speech delivered by Doug Madory, a researcher at Dyn, that looked at the hijacking of internet routes to deliver spam or malware. His research drew in part on the recent, massive DDoS attacks against security journalist Brian Krebs and French hosting firm OVH.
Madory and Krebs collaborated on research that highlighted "the sometimes blurry lines between certain DDoS mitigation firms and the cybercriminals apparently involved in launching some of the largest DDoS attacks the Internet has ever seen," as Krebs reported.
Madory's recent presentation also touched on the hijacking of internet traffic via the Border Gateway Protocol, which is responsible for routing all internet traffic. In the words of Dan Hubbard, CTO of cloud security at Cisco: "BGP distributes routing information and makes sure all routers on the internet know how to get to a certain IP address."
But attackers in recent years have been hijacking BGP to intercept traffic. Such a move would allow an intelligence agency to scan all traffic before delivering it to its source.
BGP hijacking can also be used to disrupt DDoS attacks, and the firm BackConnect last month confirmed to Krebs that it had hijacked the internet address space used by an on-demand DDoS - a.k.a. stresser/booter - service called vDOS, in what Malory says is the first case of a company ever admitting that it had done so. BackConnect's CEO reportedly told Krebs that vDos took credit for a DDoS attack against his firm, at which point he authorized the BGP hijacking to help his firm defend itself.
The two alleged administrators of vDOS were arrested by police in Israel last month at the FBI's request.
Dyn didn't immediately respond to a request for comment about how it has been mitigating the DDoS attack against it.
(Executive Editor Eric Chabrow and News Editor Howard Anderson contributed to this story.)