New kind of DDoS attack takes out major sites like Netflix and Twitter for millions of Americans — and confirms worst fears about hackers' ability to hijack security cameras and other "internet of things" devices.
The FBI and US Department of Homeland Security are investigating a cyber attack that hit the US Saturday NZT, inhibiting the ability of millions of Americans to access major internet sites and services such as Twitter, SoundCloud, Spotify, iHeartRadio and Netflix.
The attack also fleetingly hit Kiwis, with Twitter unable to load images for New Zealand users for a brief period on Saturday morning as the so-called "internet of things" was hijacked en masse in a new style of internet attack.
A number of pundits, including CNN and Fox News contributor Jim Geraghty, have speculated it could have been a dress-rehearsal for an Election Day attack.
While most voting is manual and in-person, a number of states now allow online voting for Americans offshore on election day, or in the month running up to the November 8 ballot (many states also allow early voting from up to 30 days out; a handy service given the election is always on the first Tuesday in November, a workday. As of today, more than five million have voted). US troops stationed overseas can also vote electronically. And, of course, it would cause election day chaos if the compilation of results was delayed by internet outages.
Saturday's attack was also notable for being a new kind of cyber assault.
On one level it was familiar in that it was a DDoS (distributed denial of service) attack, used to overwhelm a service with connection attempts by automated "bots" so regular users of a site find it hard or impossible to access.
Whoever behind the attack was savvy in that they targeted Dyn, a major domain name system provider. DNS providers are like the switchboard of the internet, and zeroing in on Dyn was a clever way to disrupt access hundreds of sites and services at once, particularly for people in the northeast of the US. But again, that was not unique.
What set this attack apart was that DDoS attacks have historically relied on hijacking thousands of people's desktop and laptop computers, then using them as staging posts for a co-ordinated effort to swamp a website or service provider.
Saturday's effort was one of the first major DDoS attacks to utilise, in part, internet-connected gadgets – that is, anything from a security camera to a home wi-fi router to a smart power meter that has its own IP (internet protocol) address. Security expert Daniel Ayers points out it was not the first, however. "The 630Gbit/s DDos attack on Brian Krebs a few weeks ago exploited IoT [the "internet of things"] and analysis suggests that followKrebshe krebs attack the source code for that botnet was released and has been used in copycat attacks, including Dyn," he tells NBR.
Often lax security around connected gadgets has been a recurring theme for security analysts recently as the "internet of things" proliferated. Now, the general public has had a wake-up call.
On the plus side, the attack also showed, once again, the resilience of the internet's distributed architecture, which means there is no central point for hackers (or malicious governments) to target. Although tens of millions of IP addresses were hijacked in new and complex fashion, the attack was still repelled within hours.
Fingers have been pointed at China and Russia but so far no strong evidence has emerged of what group, or government, was been the attack.
