
Connected gadgets blamed as Internet recovers from Friday attack

LONDON — Vulnerable Internet-connected devices such as cameras and digital video recorders may be to blame for the attack that took down some of the world’s most popular websites on Friday.

Hackers hit Dyn, taking down sites including Twitter, Spotify, Reddit, CNN, Etsy and The New York Times for long periods of time on Friday. Photo: Reuters


Malware that targets the “Internet of Things”, a new breed of small gadgets that are connected to the Internet, may have powered the global attack, according to Mr Brian Krebs, a well-known journalist covering computer security. Poorly secured devices may have been compromised and turned into a “botnet” that powered the attack, he wrote.

Millions of Internet users lost access to some of the world’s most popular websites on Friday as hackers hammered servers along the US East Coast with phony traffic until they crashed, then moved westward. The attackers hit Dyn, a provider of Domain Name System services, taking down sites including Twitter, Spotify, Reddit, CNN, Etsy and The New York Times for long periods of time. By Friday evening, Dyn said it had stopped the hacks.

“As you can imagine, it has been a crazy day,” Dyn spokesman Adam Coughlin wrote in an email. “At this moment (knock on wood), service has been restored.”

Security professionals have been anticipating more attacks from malware that targets the “Internet of Things” since a hacker released software code that powers such malware, called Mirai, several weeks ago. Mr Kyle York, chief strategy officer of Dyn, said the hackers launched a so-called distributed denial-of-service (DDoS) attack using “tens of millions” of malware-infected devices connected to the Internet.

Ms Gillian Christensen, a spokeswoman for the US Department of Homeland Security, said the agency and the FBI are aware of the incidents and “investigating all potential causes”.

Dyn first reported site outages relating to the DDoS attack about 7.10am (New York time) on Friday. The company restored service two hours later, but was offline again about noon, as another attack appeared to be under way, this time affecting the West Coast as well.

While DDoS attacks do not steal anything, they create havoc across the Internet — and are on the increase in volume and power.

Sites as far away as Australia were affected by a second wave of attacks that began about 1am (Sydney time) on Saturday and lasted about five hours, said Mr Dave Anderson, a London-based vice-president of marketing at Dynatrace, which monitors the performance of websites.

At the peak of the attack, the average DNS connect times for 2,000 websites monitored by Dynatrace went to about 16 seconds from 500 milliseconds normally.

“I have never seen severity this big, impacting so many sites and lasting such a prolonged period of time,” said Mr Anderson in an interview. “It just shows how vulnerable and interconnected the world is, and when something happens in one region, it impacts every other region.”

Dynatrace’s analytics are not able to trace the source of the attacks, said Mr Anderson.

Earlier on Friday in the US, Mr Krebs wrote that the timing of the attacks corresponded with the release of research conducted by Dyn’s director of Internet analysis. Dyn highlighted potential connections between firms that offer to protect against DDoS attacks, and the hackers who conduct them. Mr Krebs’s own website faced an “extremely large and unusual” DDoS attack after he published a story based on the same research, he said.

“We can’t confirm or even speculate on anyone’s motivation or relation to that research,” said Mr Dave Allen, Dyn’s general counsel.

With attacks on the Internet’s Domain Name System (DNS), hackers compromise the underlying technology that governs how the Web functions, making the hack far more powerful and widespread.

The DNS translates website names into the Internet Protocol addresses that computers use to look up and access sites. But it has a design flaw: by sending a routine data request to a DNS server from one computer, a hacker can trick the system into sending a monster file of IP addresses back to the intended target. Multiply that by tens of thousands of computers under the hackers’ control, and the wall of data that floods back is enormous. A small server may be capable of handling hundreds of simultaneous requests, but thousands every minute cause overload and ultimately shut it down, taking the websites it hosts offline with it.

The practice is often employed by groups of hackers. In 2012, a DDoS attack forced offline the websites of Bank of America, JPMorgan Chase & Co, Citigroup, Wells Fargo & Co, US Bancorp and PNC Financial Services Group.

A DDoS can be achieved in a number of ways but commonly involves a distributed network of so-called “zombie” machines, referred to as botnets. A botnet is formed with computers and other connected devices in homes or offices infected with malicious code, which, upon the request of a hacker, can flood a web server with data. One or two machines would not be an issue, but if tens or hundreds of thousands fire such data simultaneously, it can cripple even the most sophisticated web servers.

In the case of the Dyn incident, the computers targeted were DNS servers. Without a DNS server, large numbers of websites are inaccessible by users across a country or even the world. In other words, taking away the DNS servers is like taking away all the road signs on a country’s highway system.
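The two traffic patterns described above, a small query that pulls back a much larger response aimed at a target, and a flood of queries from a large number of distinct machines against one DNS server, both leave a signature a DNS operator can look for in its own logs. The following is an added illustration written for this page, not code from Dyn, Dynatrace or any other party named in the article. It assumes a hypothetical, simplified flow-log format (timestamp, source IP, destination IP, direction, query type, byte count) and uses constructed sample lines with documentation-range IP addresses; the thresholds are parameters, since real ones are set from a server's normal baseline and are far higher than the toy values used here.

```python
"""Flag DNS amplification and botnet-flood patterns in a constructed flow log.

Added example, not from the article. Assumed (hypothetical) line format:
    <timestamp> <src_ip> <dst_ip> query|response <qtype> <bytes>
as a resolver or packet capture might export it. All values are made up.
"""
from collections import defaultdict

# Constructed sample: two ordinary lookups, a burst of ANY queries whose large
# responses all go to one address (in a spoofed-source attack that address is
# the victim), then four queries in one second from four different sources.
SAMPLE_LOG = """\
1477000000 198.51.100.10 203.0.113.53 query A 60
1477000000 203.0.113.53 198.51.100.10 response A 120
1477000001 192.0.2.77 203.0.113.53 query ANY 64
1477000001 203.0.113.53 192.0.2.77 response ANY 3100
1477000001 192.0.2.77 203.0.113.53 query ANY 64
1477000001 203.0.113.53 192.0.2.77 response ANY 3100
1477000002 192.0.2.77 203.0.113.53 query ANY 64
1477000002 203.0.113.53 192.0.2.77 response ANY 3100
1477000003 192.0.2.1 203.0.113.53 query A 58
1477000003 192.0.2.2 203.0.113.53 query A 58
1477000003 192.0.2.3 203.0.113.53 query A 58
1477000003 192.0.2.4 203.0.113.53 query A 58
1477000003 203.0.113.53 192.0.2.1 response A 110
"""


def parse_log(text):
    """Parse the assumed log format into a list of dicts; blank/comment lines skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, direction, qtype, size = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "direction": direction, "qtype": qtype, "bytes": int(size)})
    return records


def bytes_by_client(records):
    """Per apparent client IP: (bytes it sent as queries, bytes returned to it)."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for r in records:
        if r["direction"] == "query":
            sent[r["src"]] += r["bytes"]
        else:
            received[r["dst"]] += r["bytes"]
    return {ip: (sent[ip], received[ip]) for ip in set(sent) | set(received)}


def flag_amplification(records, min_ratio=10.0, min_bytes=5000):
    """Client IPs that receive at least min_ratio times the bytes they sent
    and more than min_bytes in total. Returns {ip: amplification_factor}."""
    flagged = {}
    for ip, (sent, received) in bytes_by_client(records).items():
        if sent and received >= min_bytes and received / sent >= min_ratio:
            flagged[ip] = round(received / sent, 1)
    return flagged


def peak_query_window(records, window=1):
    """Busiest (server, window_start, query_count, distinct_sources) bucket.
    A jump in distinct sources per window is the botnet-flood signature."""
    sources = defaultdict(lambda: defaultdict(set))   # server -> window -> src set
    counts = defaultdict(lambda: defaultdict(int))    # server -> window -> queries
    for r in records:
        if r["direction"] != "query":
            continue
        w = r["ts"] - r["ts"] % window
        sources[r["dst"]][w].add(r["src"])
        counts[r["dst"]][w] += 1
    best = None
    for server, wins in counts.items():
        for w, n in wins.items():
            if best is None or n > best[2]:
                best = (server, w, n, len(sources[server][w]))
    return best


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("amplification suspects:", flag_amplification(recs))
    print("peak window:", peak_query_window(recs))
```

On the sample, `flag_amplification` reports `192.0.2.77` with a factor of about 48 (three 64-byte ANY queries answered by three 3100-byte responses), which is the reflection shape the article describes; `peak_query_window` reports the second in which four distinct sources hit the server at once, which is the distributed-flood shape. In practice both checks run over a sliding window against a learned baseline, and the ANY query type and oversized responses are also why operators rate-limit or refuse ANY and deploy response rate limiting on authoritative servers.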

So-called “authoritative” DNS providers such as Dyn are notoriously hard to secure. Mr Carl Herberger, vice-president for security solutions at Radware, an Israel-based Internet security company, likens “authoritative” DNS providers to hospitals that must admit anyone who shows up at the emergency room. Dyn must consider traffic going to a website as initially legitimate. In the event of a DDoS, Dyn must work quickly to sort out the bad traffic from the good, which takes time and resources, and creates outages that ripple across the Internet, as was the case on Friday.

Mr Dave Palmer, director of technology at UK cyber-security company Darktrace, said the most recent DDoS attacks have been linked to Internet-of-Things devices, in particular, webcams.

“The joke about the Internet of Things was that you were going to get people hijacking people’s connected fridges to conduct these attacks, but in these recent cases, the culprit seems to be webcams,” said Mr Palmer. “We will probably see, when this is investigated, that it is a botnet of the Internet of Things.”

To avoid massive outages, companies ramp up their capacity to try to absorb the deluge of traffic and reroute it, often with the help of a major telecommunications carrier or cloud-services provider such as Akamai Technologies or CloudFlare. But the only way to really prevent denial-of-service attacks may be to increase the overall security level of consumers around the world, said Mr Palmer, a task that is getting harder as more devices are connected to the Internet.

“This is exactly what happens when tens of thousands or hundreds of thousands of devices are left unprotected,” said Mr Palmer. Bloomberg
