UPDATED 5:30 p.m. ET Friday with indications that attack may be caused by Mirai Internet of Things botnet.
If you couldn't connect to Twitter, HBO Go or Amazon today (Oct. 21), it was because a single company's servers were being flooded with a massive amount of useless and confusing data requests. Unfortunately, today's attack may be just the beginning.
Credit: Joe Techapanupreeda/Shutterstock
Around 7 a.m. Eastern time, a distributed denial-of-service (DDoS) attack was launched against Dyn, a Manchester, New Hampshire, company that provides Domain Name System (DNS) resolution services for dozens of companies, many of them household names. Dyn's customers weren't directly affected, but people wishing to use those sites or services couldn't reach them. (We'll explain why below.)
We don't yet know who mounted the DDoS attack on Dyn, or how exactly it was carried out. But there are two worst-case scenarios.
It may have been Russian state-sponsored attackers staging a dry run for a more widespread attack on Election Day. Or it may have been apolitical hackers testing out a botnet made up of thousands of infected Internet of Things devices, such as security cameras, home wireless routers and smart TVs.
Either way, the prognosis is dire. IoT botnets recently staged the two largest DDoS attacks ever recorded, and a week or two later, the code for Mirai, the malware behind at least one of the attacks, went public, free for anyone to use. Because many IoT devices are difficult to patch against malware, millions of vulnerable devices will be online for years to come.
The Russian scenario, while a bit less likely, is even worse. A nationwide internet disruption on Election Day 2016 would have at least some effect on reporting of voting results, and could cut off all but telephone communications from various regions.
Estonia suffered similar disruptions caused by Russian hackers in 2007, and the country of Georgia did as well during a brief war with Russia in the summer of 2008. Such an attack on the United States would fit most people's definition of cyberwar, and the U.S. would have no choice but to respond in kind.
Bruce Schneier, a renowned encryption expert, wrote last month that someone had been probing the defenses of the various companies underpinning the structure of the internet. Many of these companies had been getting hit with huge DDoS attacks, right up to the point where the attacked server would start to go offline.
"It doesn't seem like something an activist, criminal, or researcher would do," Schneier wrote. "It feels like a nation's military cybercommand trying to calibrate its weaponry in the case of cyberwar."
Now to the technical details: DNS servers act as the telephone books of the internet, matching URLs (human readable web addresses) such as "www.amazon.com" with the numerical Internet Protocol (IP) addresses that computers, servers and routers use, such as "188.8.131.52".
When a DNS server is knocked offline, computers looking for specific URLs won't be able to resolve them to specific IP addresses, and the destination web server is unreachable unless you type in the IP address instead of the URL. Unfortunately, most people don't know their favorite websites' IP addresses, and most software programs use URLs instead of IP addresses as well.
Dyn's DNS servers were knocked offline because they were hit with a huge amount of traffic from sources for now unknown. There's only so much traffic a single web server can handle, and even as internet-based companies constantly increase that amount, attackers increase the volume of their attacks to match.
As of 4 p.m. Eastern time Friday, Dyn was still fighting the DDoS attacks, although most of its clients could be reached online. (Some of them may have changed their DNS providers.)
We're eagerly, and with trepidation, awaiting the post-mortem on today's attacks. If it is indeed an IoT botnet, get ready for a lot more of these attacks in the near future. If it is the Russians instead, we can't tell you what might happen.
UPDATE: VICE Motherboard reported that an executive at Level 3 Communications, which maintains much of the internet backbone in the U.S., said in a livestream Friday afternoon that Level 3 was "seeing attacks coming from an Internet of Things botnet that we identified called Mirai."