4.1 What was the attack?
On 21 October 2016, a major network outage occurred that rendered many well-known websites – including Twitter, Netflix, Spotify, Reddit, PayPal and eBay – inaccessible for hours. The outage was caused by an attack on an important protocol underpinning the infrastructure of the internet called the Domain Name System (DNS). This translates the alphabetic internet domain and host names, such as the website addresses entered into web browsers, into numeric IP addresses. Without this translation, the website names will not be converted to computer-readable numeric IP addresses and hence the web browser will not be able to connect to the website you want to go to. Only a small number of companies in the world are hosting this crucial ‘web directory’ and Dyn is one of them. Dyn provides DNS services to around 30 international corporations, including those listed above.
On the day in question, Dyn was targeted by a series of highly sophisticated DDoS attacks. It started at about 12 p.m. BST and the company managed to fix the problem after two hours. However, another attack happened at 4 p.m. and it took the company another three hours to resume the main service.
The magnitude, duration and complexity of this DDoS attack were much higher than those of ordinary DDoS attacks, and this led security experts to suspect that this was a state-sponsored attack. Internationally renowned security expert Bruce Schneier said ‘it feels like a large nation state. China and Russia would be my first guesses’ (Griffin and Walker, 2016). Another security expert, Lawrence Orans, a research vice president at Gartner specialising in web security and DDoS attacks, agreed and said ‘An attack of this magnitude can’t be executed by a kid in his bedroom […] It’s more sophisticated than that. A nation state would be a prime suspect’ (Griffin and Walker, 2016).
Despite the security experts’ suggestions that this might be a state-sponsored attack, it wasn’t actually the first attack of this kind. Very similar attacks happened in September 2016 and included extraordinary high-traffic attacks to the blog of the security journalist Brian Krebs (620 Gbit/s) and French cloud company OVH (1 Tbit/s). To bring down an ordinary website, a traffic volume of 20–40 Gbit/s is usually enough so the traffic for these two attacks was many times higher than needed. Who was behind these attacks? Would kids really be unable to launch this kind of attack in their bedroom? If not, was a nation state the culprit, as Schneier and Orans suggested?
All these DDoS attacks were launched using an unusually large botnet composed of computing devices from all over the world. Unlike conventional botnets, this botnet was made up of online consumer devices such as IP cameras, network-enabled media players and home routers. As many of these devices had weak security protection and many of their users didn’t change the default settings (including factory default usernames and passwords), they could be hacked fairly easily. A piece of malware known as Mirai (which means ‘future’ in Japanese) is able to exploit the security weakness of these devices and ‘harvest’ them to form a large and diverse botnet. Mirai randomly scans the internet for vulnerable devices; once one is found, it will attempt to gain access and take control over of it. The device’s owner will not usually notice the hijack as the device will still be functioning, though perhaps a little slower than usual.