One of the largest distributed denial of service (DDoS) attacks in history took place on Friday, October 21st, 2016. The attack made cyber security history by cutting off access to dozens of major websites, including Amazon, Netflix, Reddit, Spotify and even Twitter.
The map above provides a visual of the Internet outage across the United States. The darker red areas were the most affected by the DDoS attack.
Information security (infosec) analysts have reported that the attack specifically targeted Dyn, a major domain name system (DNS) provider in the United States. DNS servers translate human-readable hostnames such as twitter.com into the IP addresses that route traffic across the internet; when the servers that answer for a domain are unreachable, browsers cannot find the site even though the site's own servers are running normally. What this means is that the attack did not actually shut down Twitter's systems, only the means for many users in the U.S. to reach them. Spotify users in Latin America, for example, were still able to listen to their music while their peers in the U.S. couldn't.
DDoS attacks flood a target with more traffic than its servers, or the network links in front of them, can handle. The servers appear to be knocked offline as their bandwidth and processing power are consumed by the junk traffic. These attacks have been around since the 1990s and take place all the time; however, the infosec community has generally been able to mitigate the damage.
What made the 10/21 DDoS attack so powerful was that it involved the Internet of Things (IoT), the name given to the growing population of internet-connected devices that communicate machine-to-machine (M2M) with little or no human involvement. These devices, which range from web cams to DVRs and from smart watches to printers, can be hijacked and enlisted into a network of attacker-controlled machines called a “botnet.”
The attackers who perpetrated the 10/21 attack conscripted tens of thousands of DVRs, cameras, smart cable TV boxes and other IoT devices to bring down Dyn. The problem is that these devices are often left unsecured: they sit on the internet with the factory-default username and password combinations that attackers know, and many of them expose a remote login (typically telnet) that accepts those defaults.
In this particular case, the attackers used a piece of botnet malware called Mirai, which scans the internet for devices that accept telnet logins from a short built-in list of factory-default credentials, installs itself on each device it can log into, and then directs the infected devices to flood the intended target with traffic (HTTP requests among other types). Infosec analysts believe that default access credentials set by device manufacturers are a low barrier to entry for anyone who wishes to carry out DDoS attacks via the IoT.
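The scanning behaviour described above leaves a recognisable trace on any device or honeypot that logs telnet login attempts: a single source trying several well-known factory-default pairs in quick succession, and occasionally succeeding. The following detection script is an added example written for this page; it is not code from the original article and not Mirai's own code. The log line format is constructed for the example (loosely modelled on what a telnet honeypot records), the sample log lines and IP addresses are made up, and the credential table is a small illustrative subset of the default pairs hardcoded in the leaked Mirai source, not the full list.

```python
"""Flag Mirai-style default-credential scanning in telnet login logs.

Constructed example: the log format, sample lines and addresses are
invented for illustration; the credential pairs are a subset of the
factory defaults hardcoded in the leaked Mirai source.
"""
import re
from collections import defaultdict

# Illustrative subset of the (username, password) pairs Mirai's scanner
# tries against devices listening on telnet. Not the complete table.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("support", "support"), ("admin", "password"), ("root", "root"),
    ("user", "user"), ("ubnt", "ubnt"), ("admin", "1234"),
}

# Mirai's scanner targets the standard telnet port and its common alternate.
TELNET_PORTS = {23, 2323}

# Hypothetical log format (constructed for this example):
#   <ts> telnetd: login attempt from <src_ip> port <dst_port> user=<u> pass=<p> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login attempt from (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"port (?P<port>\d+) user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a telnet login record."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["ok"] = rec.pop("res") == "ok"
    return rec


def analyze(lines, threshold=3):
    """Group telnet login attempts by source IP and give each source a verdict.

    Returns {src_ip: {"attempts", "default_creds_tried",
                      "succeeded_with_default", "verdict"}} where verdict is
    "compromised" if a factory-default pair actually logged in,
    "scanner" if at least `threshold` attempts used known default pairs,
    and "benign" otherwise. Non-telnet ports and unparseable lines are ignored.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "default_creds_tried": 0,
                                   "succeeded_with_default": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["port"] not in TELNET_PORTS:
            continue
        stats = per_src[rec["src"]]
        stats["attempts"] += 1
        if (rec["user"], rec["pw"]) in MIRAI_DEFAULT_CREDS:
            stats["default_creds_tried"] += 1
            if rec["ok"]:
                # A default pair worked: this device is now part of the botnet.
                stats["succeeded_with_default"] = True
    for stats in per_src.values():
        if stats["succeeded_with_default"]:
            stats["verdict"] = "compromised"
        elif stats["default_creds_tried"] >= threshold:
            stats["verdict"] = "scanner"
        else:
            stats["verdict"] = "benign"
    return dict(per_src)


# Constructed sample log: one successful Mirai-style takeover, one scanner
# that fails, one legitimate admin login, one stray attempt, one unrelated line.
SAMPLE_LOG = """\
2016-10-21T11:02:03Z telnetd: login attempt from 198.51.100.7 port 23 user=root pass=xc3511 result=fail
2016-10-21T11:02:04Z telnetd: login attempt from 198.51.100.7 port 23 user=root pass=vizxv result=fail
2016-10-21T11:02:05Z telnetd: login attempt from 198.51.100.7 port 23 user=admin pass=admin result=fail
2016-10-21T11:02:06Z telnetd: login attempt from 198.51.100.7 port 23 user=root pass=888888 result=ok
2016-10-21T11:02:07Z telnetd: login attempt from 203.0.113.99 port 2323 user=root pass=juantech result=fail
2016-10-21T11:02:08Z telnetd: login attempt from 203.0.113.99 port 2323 user=support pass=support result=fail
2016-10-21T11:02:09Z telnetd: login attempt from 203.0.113.99 port 2323 user=ubnt pass=ubnt result=fail
2016-10-21T11:02:10Z telnetd: login attempt from 192.0.2.10 port 23 user=alice pass=S3cur3-pw result=ok
2016-10-21T11:02:11Z telnetd: login attempt from 203.0.113.5 port 2323 user=root pass=root result=fail
2016-10-21T11:02:12Z telnetd: login attempt from 203.0.113.5 port 8080 user=root pass=admin result=fail
2016-10-21T11:02:13Z sshd: Accepted publickey for ops from 192.0.2.20
"""

if __name__ == "__main__":
    for src, s in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{src:14} attempts={s['attempts']} default_pairs={s['default_creds_tried']} "
              f"verdict={s['verdict']}")
```

The threshold separates a scanner from a single mistyped login; the "compromised" verdict is raised on a single event because one successful default-credential login is enough for Mirai to load its bot binary. On a real fleet the same grouping would be done on firewall or honeypot logs rather than on the device itself, since the devices Mirai targets rarely log anything.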
Initially, infosec researchers believed that the 10/21 DDoS attack was an act of cyber warfare perpetrated by hackers backed by a foreign and adversarial government; upon closer inspection, however, analysts now believe that the attack could have been carried out by novice hackers using off-the-shelf tools, since the Mirai source code had been published online only weeks earlier. Heavy provided a list of the affected websites:
- Credit Karma
- Fox News
- HBO Now
- New York Times
- Playstation Network
- The Verge
It is also worth noting that DDoS attacks can be bought as a service, which means that hackers can be paid to carry them out against a customer's chosen target. Infosec experts believe that the Mirai botnet could be used again to attack smaller targets.