A number of popular high-traffic websites were compromised on October 21 by a cyber attack on Dyn, a cloud-based Internet Performance Management (IPM) company. The most significantly affected reported areas include the American Northeast, Mid-Southwest and Eastern UK.
Their engineers began working to resolve the issue at 8:45am ET and by 9:36am ET, all services were restored to normal. A repeat attack was reported at 11:52am ET and Dyn Managed DNS advanced services were officially compromised 12:48 ET. At the time of publication, Dyn was continuing investigation and mitigation of several mitigate several attacks to their infrastructure. The attack was confirmed as a distributed denial-of-service attack (DDoS).
DDoS attacks prevent users from accessing information or service by targeting a computer and its network connection, or, in the case of this morning’s Dyn hack, the computers and network of the sites users are on. The most common form of DDoS involves the flooding a network with information. In this case, a number of video cameras were manipulated to repeatedly ping Dyn’s network to prevent other traffic from accessing their clients’ sites.
For this reason, Robert Katz, Executive Director of the Innovative Intelligence Institute, says he knew “right away” that the Internet of Things (IoT), or the growing network of physical objects assigned IP addresses without manual computing power, was manipulated to produce the threat.
“There’s a limit to how many computers you can hijack to [perform a DDoS], but there’s virtually a limitless number of IoT devices that can,” he explains. ”They’re turned into zombies. They don’t have full operating systems, they don’t have people behind them, some you can’t even unplug…they’re doing what they’re supposed to—pinging their home systems—but instead, they ping this website or whatever they’re attacking.”
A DDoS attack may not compromise sensitive information, but the interruption of services alone has significant financial impact on online entities. PayPal was inaccessible, meaning online retailers relying on their services lost all revenue during the blackout. Online banking services were inaccessible. Scheduled online advertising caused a loss in invested marketing.
The IPM manages a number of ad sites, service providers, media/entertainment, consumer internet, retail/ecommerce, software/SaaS and Travel/Hospitality. More prominent clients include Twitter, Etsy, CNBC, Zillow, Hershey’s, Zappos, Soundcloud, Pardot and About.com.
While a number of high-profile hacks have hit headlines this year, the wide reach and lengthy duration of the attack was unusual. The implementation of IoT to perform DDoS, Katz says, will increase in frequency as the technology advances.
“This is the classic new normal,” Katz says. “This is why I call the IoT, the Internet of Threats.”