Thursday, 20 October, seemed like an ordinary day for many people. Waking up, getting the kids off to school, and driving to work all went like any other day. But once anyone tried to use the internet for anything, something seemed a bit off. Twitter was pretty much down all morning and a lot of email simply stopped flowing. Placing orders at companies was simply not working. Everything was at least … slow.
This was the day the largest Distributed Denial of Service (DDoS) attack yet took place. The target appears to be Dyn, the company that provides instructions for routing traffic around the ‘net to keep it moving. But the exact target and who was doing the targeting remains a mystery. The attack actually continues, albeit contained for now.
In order to understand today’s news and get a sense of what tomorrow’s news might be this attack is worth examining in what little detail we can muster. This is all far from over.
A typical DDoS attack comes from computers linked to the internet which have been turned into “zombies” of a sort, constantly sending otherwise innocent requests to one site in order to over-load it and thus bring it down. It is a brute force approach that always works best with the maximum number of machines turned into zombie troops for the battle, usually via infection with a simple virus.
Two things were unique about this attack. The first is that the zombie machines pressed into service were not computers in the ordinary sense but the “BotNet”: legions of smart devices with limited capabilities connected to the internet. Many of them, such as CCD cameras that send out constant surveillance, come from the factory with pre-set passwords which cannot be changed. There are millions of devices like this, and they were used to send simple requests over and over in a flood of traffic which reached one terabit (a million megabits) per second. That’s probably 1,000 times more than your internet connection if you have a very fast one.
The second thing that was unique was the target. It wasn’t a small operation which would have been easily humbled by this flow of requests. It appears that the target was Dyn, the company which handles the Domain Name Servers (DNS), the lists that tell any machine how to find the servers holding the information it is requesting. Dyn was overwhelmed by the requests, meaning that the simple act of switching from one Netflix server to the other became impossible, bringing down Netflix – along with any company that relies on multiple servers.
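The flood described above is “many devices, simple requests, one target”, and that pattern is exactly what a DNS operator looks for to tell a distributed attack apart from one misbehaving client. The following is an added example, not code from the original post and not anything Dyn actually runs: it reads constructed authoritative-DNS query log lines (`<unix_second> <client_ip> <qname>`, a made-up format) and flags a second only when the query rate is high and the traffic is spread across many sources.

```python
from collections import defaultdict


def parse_line(line):
    """Split one constructed log line into (timestamp, source address, query name)."""
    ts, src, qname = line.split()
    return int(ts), src, qname


def per_second_stats(lines):
    """Return {second: (query_count, distinct_source_count)} for the given log lines."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        ts, src, _ = parse_line(line)
        counts[ts] += 1
        sources[ts].add(src)
    return {t: (counts[t], len(sources[t])) for t in counts}


def flag_flood(stats, qps_threshold, min_distinct_sources):
    """Flag seconds where the rate is over threshold AND many distinct sources
    are involved. A single noisy client trips the rate test but not the
    source-spread test, so it is not reported as a distributed flood."""
    return sorted(t for t, (q, d) in stats.items()
                  if q > qps_threshold and d >= min_distinct_sources)


def constructed_log():
    """Constructed sample traffic (not real data): ten seconds of baseline,
    one second with a 200-source flood, one second with a single noisy client."""
    lines = []
    for sec in range(1476964800, 1476964810):
        for i in range(5):  # baseline: 5 queries/sec from 5 ordinary clients
            lines.append(f"{sec} 203.0.113.{i} www.example.net")
    for i in range(200):  # distributed burst: 200 distinct addresses, one second
        lines.append(f"1476964805 198.51.100.{i} cam.example.net")
    for _ in range(100):  # single misbehaving client, same rate, one address
        lines.append("1476964808 192.0.2.9 www.example.net")
    return lines


if __name__ == "__main__":
    stats = per_second_stats(constructed_log())
    print(flag_flood(stats, qps_threshold=50, min_distinct_sources=100))
```

Only the second with 200 distinct sources is reported; the single-client burst at 1476964808 exceeds the rate threshold but fails the source-spread test.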
Then again, it’s not clear that Dyn was the target after all. They are certainly a key part of the internet backbone, but there has been increasing speculation that the real attack was on Level 3 Communications, which is the company that owns and operates the main fiber optic backbone that comprises the internet as we know it. The outage maps which have been published came from Level 3 and they are still operating with something like “rolling brownouts” throughout the system.
Why would anyone do this?
Naturally, it’s entirely possible that this was a prank gone crazy, like any hacker trick. But it seems that it was not. About 10% of the BotNet was involved in this attack, meaning that there are additional forces which can be brought to bear if needed. The attack also centered on one small section of the internet, which was the Level 3 and Dyn operations in and around New York. It has the feeling of being a “probe”, or a small frontal assault on the defenses for the purpose of testing them.
The nature of Dyn’s defenses was published in an article on the company’s website last July (http://dyn.com/blog/ddos-mitigation-inside-dyns-internet-performance-management-approach/). The short version was that in the event of an attack like this everything is cut off and services restored slowly as they can be without the system being overloaded. It largely worked. Could it be that hackers were merely testing Dyn, or even warning them to not be too cocky about their precautions?
The nature of the attack leaves this possibility open, certainly, but there is at least a chance that something more sinister is at work. A classic military style operation in internet space would work pretty much the way this one is. A probe on the center to gain information with a small force is then followed up shortly after by a flanking attack on any weak places discovered. When? It’s worth noting that the US has a highly contentious election coming up shortly and the timing is highly suspect.
It’s probably best to not jump to that conclusion right away, of course. But without knowing just what is up all planners do have to take into account the potential “worst case scenario” – and that would be it. It’s important to note that for all the chaos last Thursday nothing in the “real world” failed and the internet itself never really collapsed from this attack.
But if it did collapse, and stayed down for a few days? Pentagon planners are worried that at some point essential services such as electricity and water start to fail because they rely on internet communications to stay in operation. The inter-connectivity of our world is indeed a weakness to anyone with the tools to exploit it.
Who would do such a thing? It’s worth noting that Russian hackers have been extremely active lately, as has all of the Russian military. The fleet sailed through the English Channel very close to the UK, planes have flown very close to Finland, and short range nuclear weapons have been moved to Kaliningrad, within striking distance of Berlin. Provocations have been put into place nearly everywhere. Has the same Russian military used its hacking arm to launch a war, of a kind?
They even told their diplomats to fly their families home from embassies all around the world.
Nothing is clear at this point, and it’s always best to not connect dots which should not be connected. However, a healthy news diet today should include a lot of information about Russian moves all around the world.
Did they direct a military style attack on our internet? Is the worst yet to come? Given that we do not know exactly what happened yet and we know there are more soldiers out there waiting to be recruited for this fight it is worth watching.
Today’s news is that the internet’s very heart and backbone are indeed under attack. It’s only a matter of who is doing it and whether or not it will step up. If it does increase just in time for 8 November we will have a pretty good idea who is behind it all. We can only hope that Dyn and Level 3 continue to perform as well as they have so far.
This went unnoticed by me, as everything I did on the internet seemed to work fine on Thursday, but I have since read about it. Frightening. Ever read “One Second After” by William Forstchen? Thanks for the good information, Erik!
I have not read that – I will check it out, thanks!
This post is all about my usual routine, which is to be all about context. The reports I’ve seen so far have been really thin on context such as how the systems work, etc.
My big concern, however, is that the “Russian Context” is easily over-played without any evidence. As many of you know I am a major Putinophobe and will blame him for just about anything this side of inclement weather. So take it all with a grain of salt.
But someone did this, we know, and it does look like it is targeting the center of the US internet. The odds of it being a real strike on the nation are pretty high. Russians? Can’t say yet. But who else is a suspect?
Who else but Russia could pull this off?
It’s entirely possible that these cameras on the BotNet were far too easy to hack. No one changes the password on them, for one thing. We shouldn’t jump to conclusions – but we also should not let our guard down as this attack is still underway.
It may be only one kind of CCD camera. They are being recalled because of this. https://techcrunch.com/2016/10/24/webcams-involved-in-dyn-ddos-attack-recalled/
Very good find, thank you!
I wouldn’t put anything past Putin but why would he launch an attack now? To say “influence the election” is one thing but I would think this would make people more want to vote for Hillary than Donald.
If Clinton is essentially the incumbent the goal is to embarrass the administration. It may require some follow-up.
There is also the possibility of real damage to the infrastructure which winds up suppressing turnout, thus favoring Republicans, but I would put the odds of that happening at less than 1 in a million. Still, if the Russians think it’s higher they might act.
I agree that while it’s mighty suspicious against Putin it really doesn’t look like anything that’s going to work to any real degree. So this may be a measure of his desperation, which frankly I think is what we are seeing in all the other actions.
Keep in mind that at $50/bbl oil prices are so low that Russia is running out of money fast.