Last Friday's cyberattack, which took down Twitter, Netflix, Reddit, and other popular websites for hours across the country, originated from 100,000 Web-enabled devices harnessed together by a malicious software program.
That's the conclusion of Dyn, the New Hampshire company that manages a significant portion of the Internet's infrastructure and was the target of the attack.
"This attack has opened up an important conversation about internet security and volatility," Dyn Executive Vice President Scott Hilton said in an analysis issued Wednesday. "Not only has it highlighted vulnerabilities in the security of 'Internet of Things' devices that need to be addressed, but it has also sparked further dialogue in the Internet infrastructure community about the future of the Internet."
Dyn's analysis confirms both the magnitude of the attack, which is the largest on record and unfolded in two major waves during the day Oct. 21, and the relative ease with which attackers can enslave vulnerable web devices to cause mischief — or worse.
The company's estimate of 100,000 sources, which include home security cameras, DVRs, wireless routers, and other devices that are connected to the Web and largely unprotected by strong passwords or other protection, is a tiny fraction of the tens of millions of devices available for infection and deployment as a malicious "botnet." In this case, they were yoked together via a program called "Mirai," which has been publicly released, sharply increasing the chances it can be used for malicious purposes by groups or individuals.
Indeed, U.S. intelligence chief James Clapper said this week that the attack appeared to be the work of a "non-state actor" — that is, not such usual suspects as Russia or China. That's cold comfort, since Clapper also said that such non-state attackers can be "even more nefarious" than governments.
Concern about the potential to turn workaday consumer devices into instruments of cyber-mayhem has been growing along with the scale of attacks known as distributed denial of service, or DDoS. These involve sending such an immense volume of messages to a website that legitimate users can't reach the site. A major attack on the website of security expert Brian Krebs last month forced the site off the Internet for several days, possibly in retaliation for articles he had published about Israeli hackers.
That attack, like the Dyn episode, involved a Mirai user who had enslaved an army of insecure Web devices. These often are consumer devices that can connect to the Internet to allow owners to access video recordings or to download software updates — program grids for TV set-top boxes, say — in ways that are out of the control of their owners. Often, the Internet connections are safeguarded by easy-to-hack passwords.
One can expect more regulatory attention to be paid to such devices as their exploitation by hackers expands. The manufacturer of an entire line of vulnerable webcams identified as possible sources of recent DDoS assaults, Chinese electronics company Hangzhou Xiongmai, issued a recall for some of those devices this week. The European Commission is pondering rules requiring device manufacturers to upgrade the security of their products. But with dozens of international companies operating in that market, it may be difficult to stem the threat.
Dyn's analysis provides a fascinating glimpse of how a DDoS unfolds and the challenges in fighting it off. The first attack started at about 7:10 a.m. Eastern time. The second wave began just before 11 a.m. and lasted for more than an hour.
Dyn engineers noticed a surge in incoming data traffic from a large number of disparate sources heralding a DDoS and launched their defenses. "These attacks were successfully mitigated by Dyn's Engineering and Operations teams," Hilton wrote, "but not before significant impact was felt by our customers and their end users." Users trying to access the affected websites got messages stating that the websites were down.
But that only helped to magnify the attack. Users or computer servers turned away because of the storm of illegitimate data kept trying and retrying, which only increased the torrent of traffic. Because it's hard for the target to "distinguish legitimate traffic from attack traffic," there's no way to let only legitimate users through.
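The retry feedback loop described above can be made concrete with a small simulation. This is an added illustration, not part of the article and not Dyn's data: the capacity, attack volume, client count and query rate below are assumed numbers chosen only to show the mechanism. The model contrasts clients that retry immediately after a dropped query (the behaviour the article describes) with clients that back off for a jittered, doubling number of rounds, the standard defensive design for resolvers and other retrying clients so that they stop adding to the flood when a service is already saturated.

```python
"""Constructed model of how client retries magnify a DDoS on a DNS provider.

All parameters are assumptions for illustration; nothing here reflects
Dyn's actual capacity, traffic, or the size of the Mirai botnet.
"""
import random
from dataclasses import dataclass


@dataclass
class Outcome:
    offered_load: int    # all queries that reached the resolver, attack + legitimate
    legit_sent: int      # legitimate queries sent, first attempts and retries
    legit_served: int    # legitimate queries that received an answer


def simulate(capacity: int, attack_rate: int, clients: int, rounds: int,
             query_prob: float, backoff: bool, seed: int = 1) -> Outcome:
    """Round-based model of a resolver under a flood.

    Each round the resolver can answer `capacity` queries while `attack_rate`
    bogus queries arrive. A legitimate client with nothing outstanding starts
    a new query with probability `query_prob`. A client whose query was
    dropped either retries next round (backoff=False) or waits a jittered,
    doubling number of rounds (backoff=True).
    """
    rng = random.Random(seed)
    pending = [False] * clients    # client has an unanswered query
    next_try = [0] * clients       # earliest round a pending client may retry
    failures = [0] * clients       # consecutive drops, drives the backoff
    offered = legit_sent = served = 0

    for r in range(rounds):
        senders = []
        for c in range(clients):
            if pending[c]:
                if next_try[c] <= r:
                    senders.append(c)
            elif rng.random() < query_prob:
                senders.append(c)

        load = attack_rate + len(senders)
        offered += load
        legit_sent += len(senders)
        # An overloaded resolver drops queries at random: it cannot tell
        # legitimate queries from attack queries, so both share the loss.
        p_served = min(1.0, capacity / load) if load else 1.0

        for c in senders:
            if rng.random() < p_served:
                served += 1
                pending[c] = False
                failures[c] = 0
            else:
                pending[c] = True
                failures[c] += 1
                if backoff:
                    # exponential backoff with jitter, capped at 64 rounds
                    next_try[c] = r + rng.randint(1, min(2 ** failures[c], 64))
                else:
                    next_try[c] = r + 1   # naive: hit the resolver again at once
    return Outcome(offered, legit_sent, served)


def amplification(under_attack: Outcome, calm: Outcome) -> float:
    """How many times more legitimate traffic the retries generated compared
    with the same clients in a run where nothing is dropped."""
    return under_attack.legit_sent / calm.legit_sent


if __name__ == "__main__":
    args = dict(clients=2000, rounds=100, query_prob=0.05)
    calm = simulate(capacity=10**6, attack_rate=0, backoff=False, **args)
    storm = simulate(capacity=1000, attack_rate=5000, backoff=False, **args)
    polite = simulate(capacity=1000, attack_rate=5000, backoff=True, **args)
    print("no attack        :", calm)
    print("immediate retries:", storm, f"x{amplification(storm, calm):.1f} legit traffic")
    print("jittered backoff :", polite, f"x{amplification(polite, calm):.1f} legit traffic")
```

The run shows the two points the article makes: under attack the resolver drops part of the legitimate traffic because it cannot separate it from the flood, and clients that retry immediately multiply their own traffic several times over, deepening the outage for everyone. The same clients with jittered exponential backoff put far less extra load on the target, which is why that policy is the usual recommendation for anything that talks to DNS or another shared service.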
Dyn says it's withholding some information about the attack, which is under investigation by law enforcement agencies. But one reality seeps through its statement: more and bigger attacks are certain to be lurking just over the horizon.