This week, two major stories that have been building for several weeks seem to have come together to create an Internet Perfect Storm, bringing many major websites and services to their knees on Friday. The first of these stories we have been following here in the office for over a month: a report that a botnet made up of infected IoT devices could be ready to activate a massive DDoS attack at any moment.
An alert published by the US Computer Emergency Readiness Team cited security sources that had discovered a Trojan released to recruit IoT devices into the Mirai botnet, the most infamous of the modern systems, as well as other less powerful collections. This alert was based on research conducted by Brian Krebs, a security expert whose blog was attacked by this botnet, and his evidence suggested that over a half million of the devices involved were IoT devices. According to the alert,
The IoT devices affected in the latest Mirai incidents were primarily home routers, network-enabled cameras, and digital video recorders. Mirai malware source code was published online at the end of September, opening the door to more widespread use of the code to create other DDoS attacks.
Now, with those devices in place and ready for another attack, all that was required was a reason. That is where our second story comes in. Earlier this week, Julian Assange, the founder of WikiLeaks, who has been residing within the Ecuadorian embassy in London for the past five years, announced that his internet access had been severed by a "state party." Shortly after, a trio of tweets containing encoded data was posted, leading many to believe that a "dead man's switch" may have been activated and that Assange had been assassinated. WikiLeaks had no statement on the status of Assange.
The organization has given evidence that US Secretary of State John Kerry was responsible for demanding that Ecuador cut Assange's internet access to prevent WikiLeaks from tampering with the US election. Shortly after, Ecuadorian officials confirmed that this was indeed what they did, though they denied that their actions were at the instruction of US officials. This is where the two stories get intertwined and the internet seemingly ended for a few hours.
On Friday morning, the IoT-powered botnet was triggered against a high-profile target, but one you might have never heard of. Dyn, previously known as Dyn DNS, is a domain name service used by large and small companies alike. In the past, this company has sponsored our CES coverage. For individuals, the company provides the ability to name your home connection so that you can use remote desktop or VPN against an ever-changing IP address.
For large companies, Dyn provides the service that lets you go to Spotify.com and have that name routed to their various web and service servers all over the internet. While this is a nice convenience, it does create a single point of failure. And, since Dyn is one of the largest providers of enterprise DNS services, it is a very large single point of failure. By striking Dyn, the botnet was capable of taking down a large number of services, many of which are listed at the end of this article.
As a result of the attack, WikiLeaks responded on Twitter, stating,
Mr. Assange is still alive and WikiLeaks is still publishing. We ask supporters to stop taking down the US internet. You proved your point.
First, this was the initial confirmation that Assange was still alive, an important piece of information needed to try to end the botnet attack. Second, acknowledging that the attackers had accomplished something was an important piece. As a result, the attacks stopped, at least for a little while. In fact, there were 3 individual waves of attack. The first 2 seemed to end on their own, while the third ended because of the actions of Dyn. Likely they contracted with a DDoS overflow support company, a pretty common practice.
Today, the internet seems to be back up and running, thankfully. Either Dyn was successful or WikiLeaks was; either way, I am thankful that Netflix is fully functional again.
Hit the break to see the list of known services affected.