An attack on a major DNS service provider disrupted large parts of the internet Friday, impacting more than 80 popular websites, including PayPal, Reddit and Twitter. Here’s how a group of hackers is suspected to have pulled off the takedown.
A myriad of websites were unavailable Friday as three separate distributed denial of service (DDoS) attacks on a major DNS provider blocked access to heavily trafficked websites such as Pinterest, Spotify and the New York Times.
The first attack on the New Hampshire-based provider, Dyn, occurred Friday morning, and the company managed to resolve the issue within a few hours. However, a second attack began in the early afternoon, followed by a third. It was not until 6:30 p.m. Eastern Time that all had been resolved.
How did a series of cyber-attacks manage to bring large swathes of the internet to its knees?
To understand why everyone’s favorite sites were unavailable Friday, it’s important to understand the nature of the Domain Name System (DNS). Imagine a DNS server as a telephone operator from the 1950s. By typing in a website’s name, you are asking the DNS server to look up that name and connect you to a specific server.
A botnet is a network of Wi-Fi routers, computers and other internet-connected devices that run malware without their owners’ knowledge. When such an army floods a DNS server with requests that look like normal traffic, a system like Dyn’s struggles to filter them out.
“They’re tough attacks to stop because they often get channeled through recursive providers. They’re not cacheable because of the random prefix,” Matthew Prince, co-founder and CEO of the content delivery and DDoS protection service provider CloudFlare, explained to Ars Technica. When the bots generate requests, they attach random text to the front of the domain name, so every request looks unique and no cached answer can serve it; each one has to be passed up to Dyn’s servers.
These requests pour in by the tens of millions. Like any operator receiving millions of requests at once, Dyn’s DNS broke down.
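The random-prefix technique Prince describes leaves a recognisable trace in DNS query logs: for the attacked zone, almost every queried name is seen only once and its leftmost label looks like random characters. The script below is an added example written for this article, not code from Dyn, CloudFlare or the attackers; it scores each zone in a small constructed query log on those two signals. The log format, the entropy threshold, the minimum query count and the "last two labels" approximation of a zone are all assumptions made for the example, and on a real resolver the thresholds would need tuning because CDNs and analytics services also generate many legitimate unique subdomains.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, one query per line in the form
# "<epoch> <client-ip> <qname> <qtype>". This is invented data for the
# example, not real Dyn traffic. The 203.0.113.x clients are sending
# random-prefix queries for example.com; the rest is ordinary traffic.
SAMPLE_LOG = """\
1477062000 198.51.100.10 www.example.com A
1477062000 198.51.100.11 mail.example.com A
1477062001 203.0.113.5 x7kq2p9vz.example.com A
1477062001 203.0.113.6 m3n8wq1rt.example.com A
1477062001 203.0.113.7 p0d4hz6yb.example.com A
1477062002 203.0.113.8 k9s2vx7qa.example.com A
1477062002 203.0.113.9 r4t1mz8nc.example.com A
1477062002 203.0.113.10 j6w3hp5xd.example.com A
1477062003 198.51.100.12 api.example.net A
1477062003 198.51.100.13 www.example.net AAAA
1477062004 198.51.100.14 www.example.net A
"""

# Tunable assumptions for this example, not figures from the article.
ENTROPY_BITS = 3.0   # leftmost-label entropy at or above which it looks random
MIN_QUERIES = 5      # zones with less traffic than this are not judged
UNIQUE_RATIO = 0.8   # share of never-repeated names that is suspicious
RANDOM_RATIO = 0.5   # share of random-looking labels that is suspicious


def shannon_entropy(text):
    """Shannon entropy of `text` in bits per character (0.0 for empty)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(log_text):
    """Yield (client, qname) pairs from the simple log format above,
    skipping malformed lines and normalising the name."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, _qtype = parts
        yield client, qname.rstrip(".").lower()


def zone_of(qname):
    """Approximate the attacked zone as the last two labels. Assumption:
    no public-suffix handling, so names under co.uk-style suffixes would
    be grouped too coarsely."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def analyse(log_text):
    """Return, per zone, the query count, the share of names seen exactly
    once, the share of random-looking leftmost labels, and a verdict."""
    per_zone = defaultdict(list)
    for _client, qname in parse_log(log_text):
        per_zone[zone_of(qname)].append(qname)

    report = {}
    for zone, names in per_zone.items():
        total = len(names)
        seen = defaultdict(int)
        for name in names:
            seen[name] += 1
        unique_share = sum(1 for n in names if seen[n] == 1) / total
        random_share = sum(
            1 for n in names
            if n != zone and shannon_entropy(n.split(".")[0]) >= ENTROPY_BITS
        ) / total
        suspicious = (total >= MIN_QUERIES
                      and unique_share >= UNIQUE_RATIO
                      and random_share >= RANDOM_RATIO)
        report[zone] = {
            "queries": total,
            "unique_share": round(unique_share, 2),
            "random_share": round(random_share, 2),
            "suspicious": suspicious,
        }
    return report


if __name__ == "__main__":
    for zone, stats in analyse(SAMPLE_LOG).items():
        print(zone, stats)
```

On the sample log, example.com is flagged (every name unique, three quarters of the labels random-looking) while example.net is not, both because it has too few queries to judge and because its names repeat. In practice this kind of per-zone score is a triage signal for an operator looking at resolver or authoritative logs; a matching response would be rate-limiting or dropping queries for that zone from the offending sources rather than for the whole customer.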
Another part of the issue is the kind of malware used in the attack. Internet of Things (IoT) devices were targeted, and that covers anything with an internet connection: everything from a standard computer to cellphones to Google Home to video cameras. In fact, the Prodigo Espresso maker relies on IoT technology. Therefore, a fancy coffee maker could have been partially responsible for putting a pause on Spotify.
It certainly doesn’t help that the source code for a vicious type of malware was released on the dark web earlier this month. Known as Mirai, it spreads by scanning the internet for vulnerable IoT devices and seeding them with malicious software. Once that software is in, an Espresso maker or other IoT appliance can become a central control server for a DDoS attack, according to Krebs on Security.
Is this a hack?
Not exactly. While some companies that handle money transfers, such as PayPal and Amazon, were affected, there is currently no evidence that any information was breached. PayPal told Reuters that its networks had not been hacked.
Who’s behind these attacks?
This is a good question that many are scrambling to answer. New World Hackers has claimed responsibility for the attack, according to activist and web consultant Gissur Simonarson. The shadowy group has prided itself on its DDoS attacks, such as one that took the BBC’s website down last year.
This is the group taking responsibility for today’s DDoS attacks. https://twitter.com/NewWorldHacking/status/789506751557201920 …
In an interview with Anon Intel Group, a representative of New World Hackers claimed the attack was “an annual power test,” and “this is actually against Russia. Testing power is the key. Like that we see how much bandwidth each attack outputs…”
They claim that Friday’s attack was something of a warning shot to Russian hackers, saying: “Russia is pretty much saying they are better than the US by hacking into everything, attempting to start a war. We will show them a war.”
The attacks came from all around the world, and both the FBI and Department of Homeland Security have said they were investigating, Reuters reported. The member of New World Hackers told Anon Intel: “We don’t want federal agents on our ass. That’s why we are in Russia.”
WikiLeaks claimed its supporters were involved, tweeting out, “We ask supporters to stop taking down the US internet. You proved your point.”
Mr. Assange is still alive and WikiLeaks is still publishing. We ask supporters to stop taking down the US internet. You proved your point.
2:09 PM – 21 Oct 2016
If New World Hackers is indeed behind the attack, then it was unlikely to have been in the name of aiding WikiLeaks. The Twitter account for New World Hackers told Simonarson: “WikiLeaks and Russia are kind of iffy. Sometimes we are friends, sometimes not. Overall, we are just against Russia because they are against the US.”
Spoke with @NewWorldHacking about the DDoS attacks. They say attack is a test of attack power. Their main enemy is Russia.
2:57 PM – 21 Oct 2016
Is this a one-off occurrence?
There’s no way to predict the future, but it is safe to assume that this will happen again. This may be the largest such attack so far, but if New World Hackers makes good on its promise to attack other countries, it will likely happen again.