Amazon, Netflix, and Twitter are Down!

The worst distributed denial of service (DDoS) attack in history took place on Friday, October 21st, 2016. The attack made cyber security history as it took down access to dozens of major websites such as Amazon, Netflix, Reddit, Spotify, and even Twitter.

[Figure: map of the Internet outage across the United States]

The map above provides a visual of the Internet outage across the United States. The darker red areas were the most affected by the DDoS attack.

Information security (infosec) analysts have reported that the attack specifically targeted Dyn, a major domain name system (DNS) provider in the United States. DNS servers translate human-readable website names into the IP addresses that the internet actually routes traffic to, so a site's own servers can be running while users are unable to find them. What this means is that the attack did not actually shut down Twitter itself, only the means for many users in the U.S. to reach the website. Spotify users in Latin America, for example, were still able to listen to their music while their peers in the U.S. couldn't.
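The dependency described above, as an added example that is not part of the original article: a toy authoritative server and two caching resolvers show why an outage at the DNS provider cuts off users whose resolvers have no cached answer while users behind a resolver with a still-valid cache keep working, plus a small check for whether a zone's NS records all point at one provider. The zone, addresses, TTLs and NS hostnames are constructed, and the regional difference is simplified to cache state only (real outages also depend on anycast routing and which resolvers were hit).

```python
"""
Added example (not the article's own code): a caching resolver in front of an
authoritative DNS provider, with the provider taken offline mid-simulation.
All names, addresses and TTL values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Record:
    name: str
    address: str
    ttl: int  # seconds a resolver may keep the answer cached


class AuthoritativeServer:
    """Stands in for a hosted DNS provider serving a customer's zone."""

    def __init__(self, zone: Dict[str, Record]) -> None:
        self.zone = zone
        self.online = True  # flipped to False to model the provider under attack

    def query(self, name: str) -> Record:
        if not self.online:
            raise TimeoutError(f"authoritative server unreachable for {name}")
        return self.zone[name]


class CachingResolver:
    """A recursive resolver (an ISP's, say) with a TTL-based cache."""

    def __init__(self, upstream: AuthoritativeServer) -> None:
        self.upstream = upstream
        self.cache: Dict[str, Tuple[str, int]] = {}  # name -> (address, expires_at)

    def resolve(self, name: str, now: int) -> Optional[str]:
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0]  # served from cache; the provider is never contacted
        try:
            rec = self.upstream.query(name)
        except TimeoutError:
            return None  # resolution fails: the site looks "down" to this user
        self.cache[name] = (rec.address, now + rec.ttl)
        return rec.address


def provider_of(ns_host: str) -> str:
    """Registered-domain part of an NS hostname (last two labels; an assumption
    that is good enough for a quick check, not for every public suffix)."""
    return ".".join(ns_host.rstrip(".").split(".")[-2:])


def single_provider(ns_hosts: List[str]) -> bool:
    """True when every NS record of a zone points at the same DNS provider,
    i.e. one provider outage takes the whole zone offline."""
    return len({provider_of(h) for h in ns_hosts}) == 1


def simulate_outage() -> Dict[str, Optional[str]]:
    zone = {"www.example.com.": Record("www.example.com.", "198.51.100.10", ttl=300)}
    auth = AuthoritativeServer(zone)
    us_resolver = CachingResolver(auth)     # cold cache when the attack starts
    latam_resolver = CachingResolver(auth)  # answered a user shortly before

    latam_resolver.resolve("www.example.com.", now=0)  # warms the cache at t=0
    auth.online = False                                 # provider goes down
    return {
        "latam_t60": latam_resolver.resolve("www.example.com.", now=60),    # cache hit
        "us_t60": us_resolver.resolve("www.example.com.", now=60),          # fails
        "latam_t400": latam_resolver.resolve("www.example.com.", now=400),  # TTL expired
    }


if __name__ == "__main__":
    print(simulate_outage())
    print("single provider:", single_provider(["ns1.dns-a.example.", "ns2.dns-a.example."]))
```

The two knobs a site owner controls here are the record TTL, which decides how long cached answers outlive a provider outage, and NS diversity: when `single_provider` returns True, adding a second authoritative provider is the mitigation, since resolvers retry another NS when one does not answer.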

DDoS attacks involve creating or rerouting massive amounts of internet traffic that servers are not able to handle. Servers appear to be knocked offline as their bandwidth and processing power succumb to the excess traffic. These attacks have been around since the 1990s and take place all the time; however, the infosec community has generally been able to mitigate the damage.

What made the 10/21 DDoS attack so powerful was that it involved the Internet of Things (IoT), the name given to the growing number of internet-connected devices that communicate machine-to-machine (M2M) without a person operating them. These devices, which range from web cams to DVRs and from smart watches to printers, can be maliciously hijacked and enlisted to become part of a nefarious network called a "botnet."

The hackers who perpetrated the 10/21 attack conscripted thousands of DVRs, smart cable TV boxes and other IoT devices to bring down Dyn. The problem is that these devices are often left unsecured, which means that they connect to the internet with factory-default username and password combinations that hackers are familiar with.

In this particular case, the hackers used botnet malware called Mirai, which scans the internet for IoT devices still using default credentials, takes them over, and directs them to send HTTP requests to their intended targets. Infosec analysts believe that default access credentials set by device manufacturers are low barriers to entry for hackers who wish to carry out DDoS attacks via the IoT.
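One thing a network owner can do about the scanning stage described above is watch for it in their own logs. The following is an added example, not code from the article or from any Mirai analysis: it parses constructed firewall log lines and flags any source that touches several distinct hosts on the telnet ports within a short window, the footprint of a device hunting for other devices with default credentials. That Mirai's scanner probed telnet on TCP 23 and 2323 is public knowledge from the leaked source code, not a detail stated on this page; the log format, addresses (RFC 5737 documentation ranges) and thresholds are assumptions.

```python
"""
Added example (not the article's own code): flag Mirai-style telnet scanning
in firewall logs. The log lines, addresses and the iptables-like format are
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

TELNET_PORTS = {23, 2323}  # ports Mirai's scanner targeted (from its public source)

# Assumed log shape: "<iso-timestamp> ... SRC=<ip> DST=<ip> ... DPT=<port> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")

CONSTRUCTED_LOG = """\
2016-10-21T11:00:01Z kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.11 PROTO=TCP DPT=23 SYN
2016-10-21T11:00:02Z kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.12 PROTO=TCP DPT=23 SYN
2016-10-21T11:00:02Z kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.13 PROTO=TCP DPT=2323 SYN
2016-10-21T11:00:03Z kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.14 PROTO=TCP DPT=23 SYN
2016-10-21T11:00:03Z kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.15 PROTO=TCP DPT=23 SYN
2016-10-21T11:00:04Z kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.11 PROTO=TCP DPT=443 SYN
2016-10-21T11:00:05Z kernel: IN=eth0 SRC=192.0.2.77 DST=198.51.100.12 PROTO=TCP DPT=443 SYN
2016-10-21T11:05:00Z kernel: IN=eth0 SRC=192.0.2.9 DST=198.51.100.11 PROTO=TCP DPT=23 SYN
2016-10-21T11:30:00Z kernel: IN=eth0 SRC=192.0.2.9 DST=198.51.100.12 PROTO=TCP DPT=23 SYN
"""


def parse(line: str) -> Optional[Tuple[datetime, str, str, int]]:
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dpt"])


def find_telnet_scanners(log: str, min_targets: int = 4,
                         window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Map each suspicious source to the largest number of distinct hosts it
    contacted on a telnet port inside any `window`-long span of the log."""
    events: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log.splitlines():
        p = parse(line)
        if p and p[3] in TELNET_PORTS:
            events[p[1]].append((p[0], p[2]))

    flagged: Dict[str, int] = {}
    for src, evs in events.items():
        evs.sort()
        best, lo = 0, 0
        for hi in range(len(evs)):             # sliding time window over the events
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({dst for _, dst in evs[lo:hi + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, n in find_telnet_scanners(CONSTRUCTED_LOG).items():
        print(f"{src}: {n} distinct telnet targets in one minute; likely compromised device")
```

A hit on an internal address is the more useful signal: an in-house camera or DVR sweeping the LAN on port 23 is most likely already enrolled in a botnet and should be isolated and reset with a non-default password before it joins the next flood. The low-and-slow source in the sample (two telnet connections 25 minutes apart) stays below the threshold, which is the trade-off of any window-based rule.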

Initially, infosec researchers believed that the 10/21 DDoS attack was an act of cyber warfare perpetrated by hackers backed by a foreign and adversarial government. Upon closer inspection, however, analysts now believe that the attack could have been carried out by novice hackers using commercial-grade scripts. Heavy provided a list of the affected websites:

  1. ActBlue
  2. Amazon
  3. AthenaNet
  4. Basecamp
  5. BlueHost
  6. Box
  7. Braintree
  8. CNN
  9. Credit Karma
  10. Dyn
  11. Eventbrite
  12. Etsy
  13. Fox News
  14. Freshbooks
  15. GitHub
  16. HBO Now
  17. Heroku
  18. Imgur
  19. Indeed
  20. Intercom
  21. Kayak
  22. Netflix
  23. New York Times
  24. NHL
  25. Okta
  26. PagerDuty
  27. PayPal
  28. People
  29. PlayStation Network
  30. Qualtrics
  31. Recode
  32. Reddit
  33. Shopify
  34. SoundCloud
  35. SpeedTest
  36. Spotify
  37. Storify
  38. The Verge
  39. Twitter
  40. Weebly
  41. WhatsApp
  42. Wikia
  43. Wired
  44. WSJ
  45. Yelp
  46. Zendesk
  47. Zillow

It is interesting to note that DDoS attacks can be contracted as a service, which means that hackers can be paid to carry them out against a customer's adversaries. Infosec experts believe that the Mirai botnet could be used again to attack smaller targets.