On Friday, October 21, many internet users in the Eastern US, along with users in Southern Ontario and a variety of other locations, found themselves unable to access many large and important websites. Among the many sites affected were Twitter, SoundCloud, Spotify, reddit, GitHub, and the New York Times. This issue was caused by an ambitious distributed denial of service (DDoS) attack that targeted a piece of critical internet infrastructure called DNS.

DDoS

A DoS or “denial of service” attack is a malicious activity where someone attempts to prevent access to a specific website or other web service. They cause this “denial of service” by sending many illegitimate requests to the server that is hosting the website. The server is unable to accommodate the large number of requests, and can either crash or be sluggish in responding to any legitimate requests it receives.

A DDoS attack is like a DoS attack except that, instead of sending all the illegitimate requests from one or a few computers, the requests are sent from many devices. These devices are typically in a botnet, which is a network of malware-infected computers established to perform tasks like participate in DDoS attacks or send spam emails. The advantage of a DDoS attack over a DoS attack is that it is harder to mitigate; whereas the many requests being sent by a few computers can be easily identified and blocked, it is much harder to discern the real requests from the fake ones when a small number of requests are being sent from many sources.

DNS

Most DDoS attacks target one website. That website is hosted on a webserver, so that server will suffer from the attack. This means that only the target site and any other websites on the same server will be affected. Furthermore, large internet services like Twitter and Reddit do not have all their information stored on one server, so targeting one webserver would not affect them as much as a small site. However, this recent DDoS attack didn’t target a webserver; it targeted a DNS server run by Dyn Inc.

DNS (domain name system) servers are critical internet infrastructure that translates URLs, like iwarrior.uwaterloo.ca, to IP addresses, like 129.97.50.135. The URL is much easier to remember for humans, but the IP address contains the actual “address” that allows a computer to find the appropriate server to connect to for the information it wants. Unfortunately, the IP address associated with a URL can change and new websites are always being created, so it is impossible to know the IP address associated with a URL. To resolve this issue, a DNS server is used. Whenever a computer needs to find a resource from a URL, it approaches its primary DNS server to request the corresponding IP address. That DNS server may know the proper IP address and respond, or it may forward the request to another server that is more likely to know the association.

From the perspective of a website creator, for users to access their site, the creator need to get their URL-IP address association into the DNS servers. Dyn, the company targeted in this attack, offered a “managed DNS” service. This service allows other internet companies to quickly and easily update Dyn’s DNS records to show the proper associations. Any DNS server that received a request for a website could forward the request to Dyn’s server, which would respond with the most up-to-date information.

When the DDoS attack targeted Dyn’s server, they flooded it with excessive numbers of DNS requests. The server was so overloaded that it couldn’t handle all the requests; many legitimate users could not reach the service they were seeking because they could not find the IP address they required.

It is important to note that the services affected by the attack were not actually having any issues. Some people who had manually changed their primary DNS server—for instance to those offered by Google or OpenDNS—reported no problems because their DNS server had the information they required locally, and did not have to forward the request to Dyn.

Mirai and the Internet of Things

The attack on Dyn was performed using a botnet made up of Internet of Things (IoT) devices. These devices are the “smart” devices such as web-accessible CCTV cameras and DVRs. According to TechCrunch.com: “IoT devices are cheaply manufactured and notoriously insecure, making them easy to compromise.” For example, some of the devices used in the attack were CCTVs owned by the internet security company Flashpoint. The multitude of unsecure devices allow malicious individuals to make huge botnets and perform DDoS attacks on larger scales than previously seen.

Part of the growth of IoT-based botnets is because of a piece of malware called Mirai. Mirai infects Linux systems, turning them into bots in a botnet. This botnet is then used to search the internet for weakly-secured IoT devices. When one is found, the Linux bot attempts to take control of the device by inputting the default login credentials. If the credentials have not been changed, the bot gains access to the device, infecting it with malware that allows it to participate in DDoS attacks.

Mirai-based botnets have been used in a variety of very large DDoS attacks recently. For instance, the website of security journalist Brian Krebs was overloaded with an unprecedented 630 Gbps (Gigabits per second) attack. That was quickly superseded by a 1000 Gbps attack on a French firm named OVH. Unfortunate, the source code for Mirai was recently published online, meaning that the techniques it uses are now being incorporated into other pieces of malware.

Web security is an ever-evolving issue. The growing number of IoT devices is creating a growing pool of resources for botnets to draw from. Security researchers continue to attempt to discriminate between legitimate and illegitimate web traffic during DDoS attacks. It is not a battle that is ever going to be over, and one that is sure to cause more inconvenience and disturbance in the future.