Users of popular Internet sites such as Amazon, Twitter, and Spotify experienced significant delays getting to those sites on Friday, October 21, 2016. The problem was caused by a Distributed Denial of Service (DDoS) attack against Dyn, a company which provides domain name services to Internet-connected servers and devices.
To understand how a DDoS attack works, take apart its name. Denial of service means that the attack tries to prevent you from accessing the services of a particular website. It does this by bombarding that website or server with lots of nonsense traffic. The nonsense traffic floods the pathways to the server so that legitimate requests have a much more difficult time reaching it. If the nonsense traffic is created by just one attacking computer, the amount of noise caused by that one machine won’t cause much disruption at all. However, if many computers become attackers – in other words, if the attack is distributed among several different machines – the volume of noise that can be sent to the victim server can make it very difficult for legitimate users to reach it. So, DDoS attacks hamper access to an Internet server by getting several attacking machines to send traffic to it.
The attacking machines often participate unwittingly. The person who owns or uses a machine that is participating in a DDoS attack often doesn’t even know that it is doing something nefarious. Malware on that machine, which might have been installed when the user accidentally clicked on a malicious link, suddenly activates, causing the machine to join other similarly infected machines in sending a large volume of meaningless data packets to the server in a coordinated manner. The attacking machines are usually still functioning normally for their owners, but they are doing something mischievous in the background.
In the case of today’s attacks, the malware that infected the DDoS attackers is called Mirai. Mirai has been widely distributed among the hacker community for a few weeks now, after it was first used to bring down the popular cyber security site Krebs on Security. Whereas DDoS agents are usually spread through phishing scams, which aim to trick users into downloading the agent by getting them to click on links in emails and on infected websites, this instance was spread using poorly configured Internet-connected devices such as cameras and DVRs. These devices have default usernames and passwords that cannot be changed, making them easy targets.
So, the first job of this attack campaign was to distribute the malware to as many machines as possible. Once that phase ended, the attack could be launched, which essentially turned those machines into attack drones that all went after the same machines at the same time.
What did the drones attack? The attacking machines set their sights on some very important targets: domain name servers. A domain name server, or DNS, makes the Internet convenient to use by mapping readable and memorable website names, like Amazon.com, to numeric Internet addresses, which is how websites are actually located on the Internet. Nobody wants to remember numbers to get to a website; we much prefer to remember site names. DNSs take the website names we type into our browsers and translate them into numeric addresses, which the routers that direct packets on the Internet then use to figure out how to move your requests from your machine to the site you wish to reach. If the DNSs are down, that translation can’t occur, so you are no longer able to reach your favorite websites by name. Instead, you have to identify them by their numeric address. Even if you did know the numeric address of your favorite site, however, there are relay points on the Internet which still require name-to-number translations to occur, and the lack of DNS support will still cause slowness and failed connections. So, today’s attack targeted one of the Internet’s most critical support services.
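As an added illustration, not part of the original article, of the distinction drawn above and in the earlier DDoS explanation (one noisy machine versus many coordinated ones), the following Python script classifies a constructed DNS query log by whether a spike toward a name comes from a single client or from many distinct sources. The log format, the names, the addresses and the thresholds are all assumed for the example.

```python
from collections import defaultdict

# Constructed query-log format (an assumption, not any real server's):
#   "<epoch_seconds> <client_ip> <queried_name>"
SEVERITY = {"normal": 0, "single-source": 1, "distributed": 2}

def build_sample_log():
    """Constructed sample: normal traffic, one noisy client, one botnet flood."""
    base = 1477065600  # a 10-second-aligned timestamp on 2016-10-21
    lines = []
    # Ordinary traffic: a few clients, a few queries.
    for i in range(5):
        lines.append(f"{base + i} 192.0.2.{i} shop.example.test")
    # One client hammering a name: loud, but coming from a single source.
    for i in range(60):
        lines.append(f"{base + i % 10} 198.51.100.7 news.example.test")
    # Distributed flood: 60 distinct sources hit one name inside 10 seconds.
    for i in range(60):
        lines.append(f"{base + i % 10} 203.0.113.{i + 1} ns.example.test")
    return lines

def classify_traffic(lines, window=10, min_requests=50, min_sources=20):
    """Label each queried name by its busiest window-second bucket:
    'normal' below min_requests, 'single-source' when that volume comes
    from fewer than min_sources clients, 'distributed' otherwise."""
    buckets = defaultdict(lambda: [0, set()])  # (name, bucket) -> [count, sources]
    for line in lines:
        if not line.strip():
            continue
        ts, src, name = line.split()
        entry = buckets[(name, int(ts) // window)]
        entry[0] += 1
        entry[1].add(src)
    verdict = {}
    for (name, _bucket), (count, sources) in buckets.items():
        if count < min_requests:
            label = "normal"
        elif len(sources) < min_sources:
            label = "single-source"
        else:
            label = "distributed"
        if name not in verdict or SEVERITY[label] > SEVERITY[verdict[name]]:
            verdict[name] = label
    return verdict

if __name__ == "__main__":
    for name, label in sorted(classify_traffic(build_sample_log()).items()):
        print(f"{name}: {label}")
```

A single-source spike is a candidate for per-client rate limiting, whereas the distributed label is the pattern that needs upstream filtering or capacity, which is why the two are kept apart.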
DNS is a workhorse. Like many workhorses, it isn’t sexy, and so it is often overlooked. Because you usually don’t hear about attacks against it, it often doesn’t show up in comprehensive security plans. Obviously, today’s attacks demonstrate that it must.