On Friday morning, large swaths of the U.S. experienced a major Internet outage—and it was the kind of large-scale takedown of which security expert Bruce Schneier recently foretold.
The outage, which appears to have mainly affected the U.S. and predominantly the East coast, began at around 7:10 a.m. ET on Friday. Among the sites that suffered were Twitter, Reddit, Spotify, the New York Times, and even our own. (Update: A second attack hit Dyn at 11:52 a.m. ET. It is working to resolve the issue.)
It appears to have been caused by a large distributed denial of service (DDoS) attack leveled at the servers of the domain name system (DNS) host Dyn. A DDoS attack typically overwhelms a server with data requests in order to prevent normal users from having their own queries answered. The DNS is a large database that, among other things, converts a simple domain name into a more complex IP address from which data can be retrieved. Taking down a DNS server means that a user’s browser can’t use it to resolve which IP address to fetch the files of a Web page from.
Dyn appears to have responded to the outage quickly, mitigating the attack and restoring the function of its DNS records in around two hours. But during that time many users found it impossible to load some pages and site traffic fell dramatically.
DDoS attacks are nothing new. But Schneier has pointed out that they could soon become increasingly problematic. “Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them,” he explained in a blog post. “These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated.”
In fact, Schneier pointed out last month that a new wave of attacks also seems to be more investigative than previous DDoS assaults. Many of the attacks appear to be testing servers rather than taking them offline, by gradually increasing barrages of requests at one part of the server to see what it can withstand, then moving on to another, and another. Schneier warned that “someone is learning how to take down the Internet.”
The Dyn attack was clearly more than a test, and its severity certainly fits with Schneier’s hypothesis that someone, somewhere is trying to learn how to cause widespread disruption. The question of who is behind attacks like this, though, remains unanswered. Criminals are unlikely to be motivated by such attacks, as there’s little to gain from them other than widespread disruption. That lends some weight to Schneier’s suggestion that a large nation state, such as China or Russia, could be developing large-scale DDoS capabilities. Though it’s impossible to say for sure.
The good news is that the DNS is by definition a distributed database: copies of the same information can be found across the Internet. That makes it fairly robust. But as the Dyn incident reveals, it still takes time for DNS hosts to recover from attacks. If hackers were to take down several servers at once, the effect could be even more pronounced—a threat that could yet be realized.