Could millions of connected cameras, thermostats and kids' toys bring
the internet to its knees? It's beginning to look that way.
On
Friday, epic cyber attacks crippled a major internet firm, repeatedly
disrupting the availability of popular websites across the United
States.
The hacker group claiming responsibility says that the day's
antics were just a dry run and that it has its sights set on a much
bigger target.
And the attackers now have a secret weapon in the
increasing array of internet-enabled household devices they can subvert
and use to wreak havoc.
Meet the fire hose
Manchester,
New Hampshire-based Dyn said its server infrastructure was hit by
distributed denial-of-service, or DDoS, attacks.
These work by
overwhelming targeted machines with junk data traffic sort of like
knocking someone over by blasting them with a fire hose.
The
attack temporarily blocked some access to popular websites from across
America and Europe such as Twitter, Netflix and PayPal.
Jason
Read, founder of the internet performance monitoring firm CloudHarmony,
owned by Gartner, said his company tracked a half-hour-long disruption
early Friday affecting access to many sites from the East Coast. A
second attack later in the day spread disruption to the West Coast as
well as some users in Europe.
Members of a shadowy hacker group
that calls itself New World Hackers claimed responsibility for the
attack via Twitter, though that claim could not be verified.
They said
they organised networks of connected devices to create a massive botnet
that threw a monstrous 1.2 trillion bits of data every second at Dyn's
servers. Dyn officials wouldn't confirm the figure during a conference
call later Friday with reporters.
Make that, many fire hoses
DDoS
attacks have been growing in frequency and size in recent months. But
if the hackers' claims are true, Friday's attacks take DDoS to a new
level. According to a report from the cybersecurity firm Verisign, the
largest DDoS attack perpetrated during that second quarter of this year
peaked at just 256 billion bits per second.
A huge September
attack that shut down of security journalist Brian Krebs' website
clocked in at 620 million bits per second. Research from the
cybersecurity firm Flashpoint said Friday that the same kind of malware
was used in the attacks against both Krebs and Dyn.
Lance
Cottrell, chief scientist for the cybersecurity firm Ntrepid, said while
DDoS attacks have been used for years, they've become very popular in
recent months, thanks to the proliferation of "internet of things"
devices ranging from connected thermostats to security cameras and smart
TVs. Many of those devices feature little in the way of security,
making them easy targets for hackers.
The power of this kind of
cyberattack is limited by the number of devices an attacker can connect
to. Just a few years ago, most attackers were limited to infecting and
recruiting "zombie" home PCs. But the popularity of new
internet-connected gadgets has vastly increased the pool of potential
devices they can weaponize.
The average North American home contains 13
internet-connected devices , according to the research firm IHS Markit.
Since
the attacks usually don't harm the consumer electronics companies that
build the devices, or the consumers that unwittingly use them, companies
have little incentive to boost security, Cottrell said.
What's behind the attacks
Like
with other online attacks, the motivation behind DDoS attacks is
usually mischief or money. Attackers have shut down websites in the past
to make political statements. DDoS attacks have also been used in
extortion attempts, something that's been made easier by the advent of
Bitcoin.
For its part, a member of New World Hackers who
identified themselves as "Prophet" told an AP reporter via Twitter
direct message exchange that collective isn't motivated by money and
doesn't have anything personal against Dyn, Twitter or any of the other
sites affected by the attacks.
Instead, the hacker said, the attacks
were merely a test, and claimed that the next target will be the Russian
government for committing alleged cyberattacks against the U.S. earlier
this year.
"Twitter was kind of the main target. It showed people
who doubted us what we were capable of doing, plus we got the chance to
see our capability," said "Prophet."
The claims couldn't be verified.
The
collective has in the past claimed responsibility for similar attacks
against sites including ESPNFantasySports.com in September and the BBC
on December 31. The attack on the BBC marshalled half the computing
power of Friday's attacks.
A shifting global assault
Dyn
said it first became aware of an attack around 7:00 a.m. local time,
focused on data centres on the East Coast of the US Services were
restored about two hours later. But then attackers shifted to offshore
data centres, and the latest wave of problems continued until Friday
evening Eastern time.
"Prophet" told the AP that his group
actually had stopped its attacks by Friday afternoon, but that others,
including members of the hacker collective known as Anonymous, had
picked up where they left off. Anonymous didn't respond to a request for
comment via Twitter.
The US Department of Homeland Security is
monitoring the situation, White House spokesman Josh Earnest told
reporters Friday. He said he had no information about who may be behind
the disruption.
Cottrell noted that there are several firms that
offer protection against DDoS attacks, by giving companies a way to
divert the bad traffic and remain online in case of an attack.
But
monthly subscription fees for these services are generally equal to a
typical DDoS extortion payment, giving companies little incentive to pay
for them.
Meanwhile not much is required in the way of resources
or skill to mount a botnet attack, he said, adding that would-be
attackers can rent botnets for as little as $100. Cottrell said the
long-term solution lies in improving the security of all
internet-connected devices.