'Smart' gadgets turned against us; Internet firm suffering third wave of attack as major sites remain unreliable

An army of infected gadgets -- like nanny cameras -- overwhelmed a critical Internet service provider on Friday, knocking many large Internet companies offline. The firm at the middle of the attack, New Hampshire-based Dyn, said late Friday that it is enduring a third wave of digital onslaught. It's not clear when the firm might be able to fully restore services to companies like Twitter.
In a conference call with reporters on Friday, the firm said an army of infected Internet of Things devices was flooding its services with traffic. As a result, traffic was coming to the firm from "tens of millions of IP addresses at the same time," the firm said, according to CNBC.
Computer security firm Flashpoint reported that Dyn was the victim of an attack orchestrated by criminals using malicious software called Mirai. Mirai searches the Internet looking for gadgets that are protected only by default passwords or simple passwords, infects them, and then assembles them into a botnet that can be used for attacks like this.
The source code for Mirai was made public earlier this month. Two days ago, Threatpost reported that the number of Mirai-infected devices had -- predictably -- soared since the release.
"The number of compromised CCTV cameras, DVRs, home networking equipment overrun by Mirai has more than doubled from 213,000 to 493,000," it said.
All those compromised "smart" locks and refrigerators could be used to attack a computer server by overwhelming it with requests, which is apparently what's happening to Dyn right now. At the moment, it's unclear what Dyn can do to free itself from the attack, which the firm described as sophisticated and well planned.
"What they're actually doing is moving around the world with each attack," Dyn Chief Strategy Officer Kyle York said in a conference call Friday afternoon, CNBC reported.
Dyn offers managed Domain Name Service hosting, which allows companies to geographically disperse their critical DNS services. DNS is the Internet's addressing system, connecting cryptic IP addresses to common names like BobSullivan.net. DNS can be a bottleneck, so some larger websites outsource DNS services to firms like Dyn.
The attack, which is ongoing, comes as a tense election season draws to a close and rhetoric about potential hacking incidents impacting the presidential campaign continues to escalate. There is no evidence to connect this attack to the election, but jittery voters were drawing the inference anyway.
Gizmodo is maintaining a list of sites that readers complain have been unavailable. It includes sites like Reddit and Wired.com.
It's unclear who was responsible for the attack, or what tactics it utilized. Security researcher Brian Krebs is among those speculating that the new wave of Internet of Things connected devices, which tend to have poor security, has been marshaled into a botnet. All those machines could then be used to overwhelm Dyn's DNS servers with requests, creating the Internet's version of a busy signal.
Reading Dyn's normally dry network status page provides a melodramatic look at how events unfolded today.
The day began with:
"Starting at 11:10 UTC on October 21st-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time."
Then,
"This attack is mainly impacting US East and is impacting Managed DNS customers in this region."
Two hours later, "Services have been restored to normal."
But not so fast.
"As of 15:52 UTC, We have begun monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure."
Still, by 3 p.m. East Coast time, the firm hadn't wrestled the attack to the ground.
"Our engineers are still investigating and mitigating the attacks on our infrastructure."