Boy, what an interesting day yesterday was! Unless you’ve been on vacation from all forms of electronic communication, you’ve probably heard that on Friday there were widespread reports of major websites like Twitter, Spotify, Amazon, Reddit and PayPal being inaccessible for many users throughout the morning and afternoon. We’ve since learned that the domain management company DYN suffered a massive DDoS (distributed denial of service) cyber attack. DYN provides domain management services to major websites like those mentioned above.
So what is a DDoS attack? Let’s talk first about how a typical user accesses a website from their computer through a web browser. When you type in a website name, say Google.com, your computer sends a request to Google.com’s web server. The server acknowledges the request and begins sending the website back to your computer. These web servers can handle many requests at once without a huge performance hit; during a DDoS attack, however, MILLIONS of computers send requests to a specific server or cluster of servers all at the same time. As you can imagine, that volume of requests arriving at once can overwhelm even the most sophisticated web servers. When this happens, the servers cannot keep up with the traffic flooding in from these computers and go into an inoperable state in which no additional requests can be fulfilled. This creates chaos, because the services that rely on those servers can no longer operate. Below is a visual map of the event that occurred. You can see that many of the affected DYN servers were clustered in the northeast of the U.S.
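To make the "too many requests at once" idea concrete from the defender’s side, here is an added example (not code from the original post, and not anything DYN runs) that reads web-server access-log lines in the Common Log Format and applies a sliding-window rate check: it flags individual source addresses that send more than a set number of requests within the window, and records the first moment the total request rate crosses the level the server is assumed to tolerate. The log lines, addresses and thresholds are all constructed for the example.

```python
"""Sliding-window request-flood detector over access-log lines.

Added example, not code from the original post or from DYN. Every log
line, address and threshold here is constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

# Common Log Format: host ident authuser [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (host, timestamp, request) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("host"), datetime.strptime(m.group("ts"), TS_FORMAT), m.group("req")


def _trim(queue, now, window_seconds):
    """Discard timestamps older than the window relative to `now`."""
    while queue and (now - queue[0]).total_seconds() > window_seconds:
        queue.popleft()


def detect_flood(lines, window_seconds=10, per_source_limit=20, total_limit=50):
    """Rate-check access-log lines (assumed to be in time order).

    Returns a dict with:
      flooding_sources: hosts that sent more than per_source_limit requests
                        inside any window_seconds span
      overloaded_at:    first timestamp at which the total number of requests
                        in the window exceeded total_limit (None if never)
      unparsed:         count of lines that did not match the log format
    """
    per_source = defaultdict(deque)  # host -> timestamps inside the window
    all_times = deque()              # every request timestamp inside the window
    flooding = set()
    overloaded_at = None
    unparsed = 0

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1
            continue
        host, ts, _request = parsed

        # Per-source check: one chatty client is a candidate for rate limiting.
        queue = per_source[host]
        queue.append(ts)
        _trim(queue, ts, window_seconds)
        if len(queue) > per_source_limit:
            flooding.add(host)

        # Aggregate check: the server is saturated regardless of who is sending.
        all_times.append(ts)
        _trim(all_times, ts, window_seconds)
        if overloaded_at is None and len(all_times) > total_limit:
            overloaded_at = ts

    return {"flooding_sources": flooding, "overloaded_at": overloaded_at, "unparsed": unparsed}


def build_sample_log():
    """Constructed sample: one ordinary visitor plus three hosts that each fire
    30 requests within five seconds, followed by one malformed line."""
    events = [(sec, "203.0.113.10") for sec in (0, 4, 9)]  # normal browsing pace
    for host in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        events += [(n // 6, host) for n in range(30)]  # six requests per second
    events.sort()  # keep the log in time order
    lines = [
        f'{host} - - [22/Oct/2016:12:00:{sec:02d} +0000] "GET / HTTP/1.1" 200 512'
        for sec, host in events
    ]
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    result = detect_flood(build_sample_log())
    print("flooding sources:", sorted(result["flooding_sources"]))
    print("server overloaded at:", result["overloaded_at"])
    print("unparsed lines:", result["unparsed"])
```

Two thresholds are deliberate: the per-source limit catches a single misbehaving client and is the basis for ordinary rate limiting, while the aggregate limit is what actually matters in a distributed attack, where each zombie may stay under the per-source limit and only the sum overwhelms the server.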
No doubt the issues we saw yesterday were a direct result of an intentional attack on DYN’s servers. You might ask yourself how a cybercriminal gets access to millions of computers to launch a DDoS attack. The following illustration provided by Keycdn.com displays a map of a typical botnet used in a DDoS attack. A botnet is a network of compromised computers (also called zombie computers) that can be remotely controlled by a bot herder, the attacker. The bot herder can at any time send a command or list of commands for the zombie computers to carry out. Commonly, zombie computers in a botnet are used to carry out DDoS attacks: the bot herder directs the zombie computers to flood a specific server or set of servers with requests.
The issue with stopping DDoS attacks from ever occurring is two-fold. First, many of these infected computers are able to participate in botnets without the user ever knowing their computer is compromised. The other issue is that the botnet acts as a buffer between the attacker’s computer and the zombie computers, which shields the bot herder from detection. Within a botnet, there can be several layers of zombie computers between the victim server and the attacker’s computer.
At this time it’s not believed that any of the sites affected by the DDoS attacks were compromised; however, it’s always advisable to consider changing your account passwords if you haven’t within the past year. No doubt DYN, along with other internet service providers, will be investigating the attack in the coming days. We will learn more about the attack, and whether any secondary objectives were achieved during the event, as that work progresses.