Skip to main content

How an army of vulnerable gadgets took down the web today

How an army of vulnerable gadgets took down the web today


Malware known as Mirai is targeting the smart home

Share this story

At some point this morning, one of the US’s critical internet infrastructure players was hit with a staggering distributed denial of service (DDoS) attack that has taken out huge swaths of the web. Sites like Twitter, Netflix, Spotify, Reddit, and many others — all clients of a domain registration service provider called Dyn — have suffered crippling interruptions and, in some cases, blanket outages.

Details are now emerging about the nature of the attack. It appears the cause is what’s known as a Mirai-based IoT botnet, according to security journalist Brian Krebs, who cited cyber-threat intelligence firm Flashpoint. Dyn’s chief strategy officer Kyle Owen, who spoke with reporters this afternoon, later confirmed Flashpoint’s claim, revealing that traffic to its servers was clogged with malicious requests from tens of millions of IP addresses in what the company is calling a "very sophisticated and complex attack."

Today’s DDoS attack can be linked to the Internet of Things

A Mirai botnet essentially takes advantage of the vulnerable security of Internet of Things devices, meaning any smart home gadget or connected device anywhere that has weak login credentials. Mirai, a piece of malware, works by scanning the internet for those devices that still have factory default or static username and password combinations. It then takes control of those devices, turning them into bots that can then be wielded as part of a kind of army to overload networks and servers with nonsense requests that slow speeds or even incite total shutdowns.

So by wielding a botnet against Dyn, the perpetrator of this particular DDoS attack has been able to target one of the largest pieces of online infrastructure in the country and take down dozens upon dozens of sites. Dyn manages what is known as a domain name system (DNS) service, which is how computers translate a web address into the correct numeric machine code corresponding to a given website. The Department of Homeland Security is now looking into the attack, considering how critical a DNS interruption like this one is to internet use around the country.

The Mirai software is freely available on the internet, meaning any hacker state-sponsored or otherwise could be behind today’s DDoS. A user going by the name of "Anna-senpai" uploaded the Mirai source code to English-language site Hackerforums. The hacker’s own words appear to suggest he or she leaked the code because security experts were beginning to defend against it. "I made my money, there’s lots of eyes looking at IoT now, so it’s time to GTFO [link added]," Anna-senpai wrote. Before doing so, a Mirai-based botnet attack even targeted Krebs’ own security blog, failing to bring it down but nonetheless mounting a historically large DDoS attack.

The Mirai source code was leaked on the internet

Krebs suggested the act of leaking the source code was intended to throw off the trace for any federal investigators. "It’s an open question why Anna-senpai released the source code for Mirai," he wrote earlier this month. "But it’s unlikely to have been an altruistic gesture: Miscreants who develop malicious software often dump their source code publicly when law enforcement investigators and security firms start sniffing around a little too close to home."

However, with Mirai out there for anyone to use, the threat of an IoT botnet attack is now significant. "My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth," Krebs wrote. "On the bright side, if that happens it may help to lessen the number of vulnerable systems."

Until then, dozens of internet companies and tens of millions of users are reeling from the attack. It may take Dyn many hours to remedy all the issues; as of 4:15PM ET today, the company is still "continuing to investigate and mitigate several attacks aimed against the Dyn Managed DNS infrastructure" after a second attack appeared to take place around 12:30PM ET. According to CNBC, a third DDoS attack on Dyn is now underway.