The 2016 Dyn cyber attack took place on October 21, 2016, and involved multiple distributed denial-of-service (DDoS) attacks targeting systems operated by Domain Name System (DNS) provider Dyn, which made major Internet platforms and services unavailable to large swaths of users in Europe and North America. The groups Anonymous and New World Hackers claimed responsibility for the attack.
As a DNS provider, Dyn resolves Internet domain names (for instance, a name entered into a web browser) to their corresponding IP addresses on behalf of end users. The DDoS attack was accomplished through a large number of DNS lookup requests from tens of millions of IP addresses.
The activities are believed to have been executed through a botnet consisting of a large number of Internet-connected devices—such as printers, IP cameras, residential gateways and baby monitors—that had been infected with the Mirai malware. With an estimated load of 1.2 terabits per second, the attack is, according to experts, the largest DDoS on record.
US officials are investigating the multiple attacks that caused widespread online disruption on both sides of the Atlantic on Friday.
The Department of Homeland Security has begun an investigation into the DDoS (distributed denial-of-service) attack, the Guardian confirmed.
The incident took offline some of the most popular sites on the web, including Netflix, Twitter, Spotify, Reddit, CNN, PayPal, Pinterest and Fox News – as well as newspapers including the Guardian, the New York Times and the Wall Street Journal.
The attacks seemed to have been focused on Dyn, one of the companies that run the internet’s domain name system (DNS).
Amazon’s web services division, the world’s biggest cloud computing company, also reported an outage that lasted several hours on Friday morning.
Doug Madory, director of internet analysis at Dyn, said he was not sure if the outages at Dyn and Amazon were connected.
“We provide service to Amazon, but theirs is a complex network so it is hard to be definitive about causality,” he said.
Dyn said it first became aware of the attack shortly after 7am ET on Friday. “We began monitoring and mitigating a DDoS [distributed denial-of-service] attack against our Dyn Managed DNS infrastructure,” the company said on its website.
The company sent out updates throughout the day, confirming the second attack at about noon and a third just after 4pm.
DDoS attacks are also becoming more common. Brian Krebs, an independent security researcher, observed earlier this month that the “source code” to the Mirai botnet had been released by a hacker group, “virtually guaranteeing that the internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices”.
The Mirai botnet is a network of devices infected with self-propagating malware; Krebs himself was attacked by the malware’s creators. Mirai (Japanese for “the future”) is malware that turns computer systems running Linux into remotely controlled “bots” that can be used as part of a botnet in large-scale network attacks.
It primarily targets online consumer devices such as remote cameras and home routers. The Mirai botnet has been used in some of the largest and most disruptive distributed denial-of-service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs’s website, an attack on French web host OVH and this DDoS attack.
Cybersecurity firm Flashpoint attributed the attack to malware based on the Mirai source code. Krebs added his own investigation late Friday: “Separately, I have heard from a trusted source who’s been tracking this activity and saw chatter in the cybercrime underground yesterday discussing a plan to attack Dyn.”
Dyn was investigating another attack on Friday afternoon that caused similar problems to the outages experienced in the morning.
The firm said it was still trying to determine how the attack led to the outage. “Our first priority over the last couple of hours has been our customers and restoring their performance,” said executive vice-president Scott Hilton.
The tech website Gizmodo wrote: “This new wave of attacks seems to be affecting the West Coast of the United States and Europe. It’s so far unclear how the two attacks are related, but the outages are very similar.”
Robert Page, a lead penetration tester at security firm Redscan, said: “It’s interesting that nobody has yet claimed credit for the attack. The relative ease with which DDoS attacks can be executed, however, suggests that the perpetrators are most likely teenagers looking to cause mischief rather than malicious state-sponsored attackers.”
The attacks underline a serious vulnerability in the way the internet functions. David Gibson, of commercial security software firm Varonis, said: “DNS is one of the aging technologies the industry is struggling to update, along with one-factor authentication (password-only security), unencrypted web connections – the list is very long, and the stakes have never been higher.”
In a widely shared essay, Someone Is Learning How to Take Down the Internet, respected security expert Bruce Schneier said recently that major internet infrastructure companies had been the subject of a series of significant DDoS attacks that looked like someone was trying to test their systems for weaknesses.
Schneier said he could not provide details because the companies provided him the information confidentially, but that he felt the need to warn the public of the potential threat.
“Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services,” he said.
Devices infected by Mirai continuously scan the Internet for the IP addresses of other Internet of Things (IoT) devices. Mirai includes a table of IP address ranges that it will not scan or infect, including private networks and address space allocated to the United States Postal Service and the Department of Defense.
Mirai then identifies vulnerable IoT devices using a table of common factory-default usernames and passwords, logs in to them, and infects them with the Mirai malware. Infected devices continue to function normally, apart from occasional sluggishness and increased bandwidth use.
A device remains infected until it is rebooted, which may be as simple as turning it off, waiting briefly, and turning it back on. After a reboot, unless the login password is changed immediately, the device will be reinfected within minutes.
Hundreds of thousands of IoT devices use default settings, leaving them vulnerable to infection. Once infected, a device polls a command-and-control server, which tells it which target to attack.
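The scanning phase described above is visible from the network edge as one source attempting connections to many different hosts on the telnet ports in a short time (Mirai's scanner brute-forces logins over telnet, port 23 and the alternate 2323). The following is an added example, not code from the article, from Dyn, or from any product: a defender-side detector that reads constructed connection-log lines in an assumed format `<epoch_seconds> <src_ip> <dst_ip> <dst_port> <flag>` and flags sources that touch more distinct telnet targets than a threshold within a sliding window. The window length, threshold, log format and sample addresses are all assumptions.

```python
"""Mirai-style scan detector over connection logs (added example, not the
article's or any vendor's code).

Assumed constructed log format, one connection attempt per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <flag>
with flag 'SYN' marking an inbound connection attempt. Real firewall, NetFlow
or IDS records differ only in the parsing step.
"""
from collections import defaultdict
from ipaddress import ip_address

# Mirai's scanner brute-forces logins over telnet: 23 is the standard telnet
# port and 2323 the common alternate. The two thresholds are assumptions to tune.
TELNET_PORTS = {23, 2323}
WINDOW_SECONDS = 60               # sliding window length
DISTINCT_TARGETS_THRESHOLD = 10   # more distinct hosts than this => scanner


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port, flag)."""
    ts, src, dst, port, flag = line.split()
    return int(ts), ip_address(src), ip_address(dst), int(port), flag


def find_scanners(lines, window=WINDOW_SECONDS, threshold=DISTINCT_TARGETS_THRESHOLD):
    """Return {src_ip: max distinct telnet targets seen in any window} for every
    source whose count exceeds `threshold`. An administrator reconnecting to one
    device many times never trips this, because it counts distinct targets."""
    attempts = defaultdict(list)  # src -> [(ts, dst), ...]
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, flag = parse_line(line)
        if flag != "SYN" or port not in TELNET_PORTS:
            continue
        attempts[src].append((ts, dst))

    scanners = {}
    for src, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct > threshold:
                scanners[str(src)] = max(scanners.get(str(src), 0), distinct)
    return scanners


# Constructed sample log using the documentation ranges 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24; timestamps are arbitrary.
T0 = 1477047600
SAMPLE_LOG = [
    # one source probing twelve different hosts on port 23 within 24 seconds
    *(f"{T0 + 2 * i} 198.51.100.7 192.0.2.{i + 1} 23 SYN" for i in range(12)),
    # an administrator reconnecting to a single device: same port, one target
    *(f"{T0 + 5 * i} 203.0.113.5 192.0.2.50 23 SYN" for i in range(12)),
    # ordinary web traffic to many hosts: not a telnet port, ignored
    *(f"{T0 + i} 203.0.113.9 192.0.2.{i + 1} 80 SYN" for i in range(15)),
]

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"probable scanner {src}: {n} distinct telnet targets within {WINDOW_SECONDS}s")
```

Counting distinct destinations rather than raw connection counts is what separates the infected device from a busy but legitimate client; on a real network the same check can be pointed at any port the devices in your inventory expose for management.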
Using a large number of IoT devices lets the attack bypass anti-DoS software that monitors the source IP address of incoming requests and filters or blocks a source when it detects an abnormal traffic pattern, for example too many requests arriving from a single IP address. A botnet also lets the perpetrator marshal far more bandwidth than they could assemble alone, and makes the traffic harder to trace.
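To make the first of those reasons concrete, here is an added example (not code from the article, from Dyn, or from any anti-DoS product) of the per-source defence the paragraph describes: a sliding-window limiter that blocks any source IP exceeding a request budget, run over two constructed request streams of equal size and rate, one from a single address and one spread across 200 addresses. The limits, addresses and request rates are assumptions.

```python
"""Per-source rate limiting and why a botnet evades it (added example; not
code from the article, Dyn, or any anti-DoS product).

Models the defence described in the text: remember each source IP's recent
requests in a sliding window and block the source once it exceeds a limit.
Then compares a single-source flood with the same volume spread across many
bots. All request streams and addresses are constructed.
"""
from collections import defaultdict, deque
from ipaddress import ip_network


class PerSourceRateLimiter:
    """Block a source IP that sends more than `max_requests` in `window` seconds."""

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.recent = defaultdict(deque)  # src -> timestamps inside the window
        self.blocked = set()

    def allow(self, src, ts):
        """Return True to accept the request, False if the source is blocked."""
        if src in self.blocked:
            return False
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop timestamps outside the window
            q.popleft()
        if len(q) > self.max_requests:
            self.blocked.add(src)
            return False
        return True


def run(requests, max_requests=100, window_seconds=10):
    """Feed (timestamp, src_ip) pairs through a limiter.
    Returns (requests reaching the server, sorted list of blocked sources)."""
    limiter = PerSourceRateLimiter(max_requests, window_seconds)
    accepted = sum(1 for ts, src in requests if limiter.allow(src, ts))
    return accepted, sorted(limiter.blocked)


def single_source_flood(n, src="198.51.100.7"):
    """Constructed: n requests from one IP at 100 requests per second."""
    return [(i / 100, src) for i in range(n)]


def distributed_flood(n, num_bots):
    """Constructed: the same n requests at the same total rate, spread evenly
    over num_bots distinct addresses from the 203.0.113.0/24 documentation range."""
    bots = [str(h) for h in list(ip_network("203.0.113.0/24").hosts())[:num_bots]]
    return [(i / 100, bots[i % num_bots]) for i in range(n)]


if __name__ == "__main__":
    print("single source :", run(single_source_flood(5000)))
    print("200 bots      :", run(distributed_flood(5000, 200)))
```

With identical total volume and rate, the limiter stops the single source after its 100th request, while each bot in the distributed stream stays well under the budget and all 5000 requests reach the server. That is why per-source heuristics alone do not stop a botnet flood and why mitigation has to be judged on aggregate load as well.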