Cyber attack on DNS provider disrupts some of the internet’s biggest sites

A distributed denial of service (DDoS) attack on a major DNS provider brought many of the internet's biggest sites down last week.

A series of attacks on Dyn on Friday affected the availability of major websites and services including Amazon, Spotify, Netflix, Twitter, Reddit, Github and Etsy.

The DDoS attacks, which focused on the organisation's US East Coast name servers, led to slow responses to DNS queries and in some cases outages.

It is believed that the attacks were launched using large numbers of hacked Internet of Things devices in a similar way to the DDoS attack that took down Krebs on Security.

"The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations," Dyn said in a statement.

"We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks was devices infected by the Mirai botnet.

"We observed tens of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack."

Although the attack centred on the firm’s US East Coast servers, experts said the knock-on effects were felt on websites around the world, including in the UK.

“While not as severe as the US, UK sites were definitely experiencing performance problems as a result of the DDoS attacks overnight,” said Dave Anderson, marketing VP at Dynatrace.

“The majority rely on content served from US data centres, and this impacted site performance locally. Users would experience a slow load site, broken components and possibly a complete outage. Of the sites we’ve monitored, we can see that the average DNS connect time spiked to about 15 seconds, when normally it would average 300 milliseconds.

“We’ve not seen an outage like this impact so many sites globally. It’s a wake-up call for everyone with an online presence. You’re on 24 hours a day and these performance issues will be part of the daily digital life ongoing.”

Daniel Miessler, practice director of advisory services at IOActive, said reports the internet had been “hacked” were misleading, and explained that the attackers were likely seeking out weak spots to cause disruption.

“The likely strategy for any actor with sufficient patience, resources and skill would be to compile lists of these critical providers and attempt to map the dependencies between them,” he said. “From there, determining which groups of them – if taken offline – could cause a cascading fault that affects as much of the internet as possible.

“If you think of the internet as a city, shutting down targeted transport networks and infrastructure would be enough to disrupt designated areas, which may have a strong bearing on how the city operates, for example power stations, government buildings and hospitals.

“There is no single kill switch. Rather, an interlinked set of dependencies, which, if pushed in just the right way, could cause a significant outage.”

Cyber security expert Bruce Schneier recently warned that a nation state was apparently learning how to take down the internet by launching DDoS attacks to test the defences of companies that run some of its critical infrastructure.

“It reminds me of the US’s Cold War programme of flying high-altitude planes over the Soviet Union to force their air defence systems to turn on, to map their capabilities,” he wrote.



Get our latest features in your inbox

Join our community of business leaders