The Department of Homeland Security and the FBI are investigating a massive cyberattack that stopped or slowed access to Twitter, Spotify, Amazon and other sites Friday by targeting a firm responsible for routing Internet traffic their way.
Dyn, a New Hampshire Internet services company, reported around 4 a.m. PDT that a large-scale attack temporarily overwhelmed its servers. By 6:30 a.m., the company said, service was back to normal, but around 9 a.m., Dyn again said it was under attack. Just before 11 a.m., Dyn said it was investigating “several attacks,” which were “resolved” around 3 p.m. Pacific time.
Dyn links Web addresses to specific numeric codes, called IP addresses, that computers use to communicate with each other. Because so many companies rely on Dyn as a go-between, the effect was widespread.
Users reported outages and slowdowns at sites including PayPal, Github, Netflix, the New York Times, the Boston Globe and Vox Media, among others.
Obama administration officials have determined the outages were the result of a malicious attack, according to a federal law enforcement official speaking on the condition of anonymity to discuss internal assessments. Investigators have come to a preliminary conclusion as to who carried them out, but are not planning to make that public for now, the official said.
In this case, hackers used a method known as distributed denial of service, or DDoS. It’s a tactic that’s on the rise, said Vince Berk, chief executive of FlowTraq, a network security company that specializes in detecting and defeating DDoS attacks.
As security experts get better at keeping threats at bay, hackers are increasingly turning to DDoS attacks, which he described as the “crudest form of an attack you can perpetrate.”
A DDoS attack blocks users by overloading the site with traffic. Imagine, for instance, that a thousand people showed up at a post office at once to buy stamps. The glut of traffic would prevent other customers who wanted to mail packages from getting service. That is similar to how a DDoS attack works, Berk said.
To attack a company as large as Dyn, a hacker needs to commandeer a large number of computers or Internet-connected devices and program them to all start sending traffic to Dyn at the same time. By doing this, the hacker will clog up the site with so much “junk traffic” that they cannot serve actual customers, according to a blog post from security expert Brian Krebs, whose own site was the target of a DDoS attack in September.
Companies like such as Dyn are a “prime target,” Berk said, because so many sites and services rely on them. By attacking a company like Dyn, hackers can take down a vast number of websites at once.
The exact magnitude of the attack remains unclear, Berk said. But Joe Touch, director of the Postel Center at USC’s Information Sciences Institute, said it ranked among the attacks that have “impacted the largest number of consumers.”
“Twitter and all these other sites, taking those down, that’s big,” he said.
The attack comes at a time of increased concern about cybersecurity.
This month, private emails of Democratic presidential candidate Hillary Clinton’s campaign chairman appeared on WikiLeaks. This summer, the FBI said it was investigating a hack into the Democratic National Committee's computers. Both attacks have been blamed on Russian hackers.
Yahoo Inc. also recently announced that it suffered a data breach in 2014 that affected at least 500 million user accounts, an action the company believes was taken by a state-sponsored actor.
Hacking an email server or stealing user account information from a network is more targeted than a DDoS attack, which aims to cause widespread disruption, said Justin Cappos, an professor in the computer science and engineering department at NYU.
Many DDoS attacks are performed by individuals who threaten to unleash a flood of traffic unless a victim pays a bribe. Some are performed by hackers intent on gaining notoriety or causing a headache for the sites they take down. Recently, some DDoS attacks have been perpetrated by state-sponsored groups probing Internet infrastructure, Cappos said.
But he warned it will take time to identify the culprit.
To avoid the same kind of widespread outages, Touch of USC said companies should use several providers for Internet routing services rather than just one.
“The more you rely on a single company, regardless of how competent that company is, the less you are protected,” he said.
Firms generally avoid speaking about their infrastructure during sensitive periods for fear of becoming a bigger target, but several, including Twitter, Box and Netflix said Friday afternoon that they had restored service.
The Internet security world has been on edge since the attack on Krebs’ site — believed to be one of the largest DDoS attacks ever.
Krebs and others attribute its scale to compromised Internet-connected devices, such as security cameras and digital videorecorders. Their rapid spread and lax security standards could open a new front in cyber warfare.
On Friday, Krebs reported that researchers from security firm Flashpoint saw indications that Internet-connected devices were involved in the attack on Dyn.
In an interview, he said he wasn’t surprised Friday’s attack garnered attention from the general public.
"Any time you have such a broad range of popular sites go offline because of an attack on one infrastructure provider … it tends to be a pretty impactful attack," he said.
Times staff writer Brian Bennett contributed to this report.
For more business news, follow me @smasunaga
3:40 p.m.: This article has been updated to include comments from a federal law enforcement official and Joe Touch, director of the Postel Center at USC’s Information Sciences Institute.
1:20 p.m.: This article has been updated to include an interview with security expert Brian Krebs.
11:45 a.m.: This article has been updated to include comments from a computer science expert and a report that the Department of Homeland Security is now investigating the cause of the cyberattack.
9:30 a.m.: This article has been updated with a report taht Dyn is investigating a DDoS attack.
This article was originally published at 8:40 a.m.