A Shocking Internet Attack Shows America’s Vulnerability

The Internet began to wobble at 7 a.m. Early on Oct. 21, servers at a little-known Internet infrastructure company, Dyn, based in Manchester, N.H., began experiencing an overwhelming flood of malicious traffic. By midday a coordinated series of attacks had metastasized, eventually blocking or significantly slowing access to dozens of sites, including Twitter, Netflix, Spotify and Airbnb, for millions of Americans as well as web users in Brazil, Germany, India, Spain and the U.K. The FBI and the Department of Homeland Security are looking into the attack, thought to be the largest of its kind ever. But by the time the disturbance ebbed the following day, the point security researchers have been making to one another at an increasingly alarmed pitch in recent months became clear to a much broader public: America’s digital infrastructure is deeply vulnerable.

As has become the norm with cyberattacks, the how became apparent long before the who or why. (Experts don’t believe a nation-state sponsored the strike; a collective that calls itself New World Hackers claimed responsibility, without proof, on Twitter.) Dyn provides Domain Name System services for a variety of major Internet destinations, acting as a critical address book translating user-friendly website names like TIME.com to the numerical designations used to move traffic to its intended destination. The firm was overwhelmed with bogus traffic in a so-called distributed denial-of-service (DDoS) attack: the bad guys’ massive volume of requests flooded Dyn, making it difficult for legitimate users to get through. That didn’t knock services like Spotify offline per se; it just made them impossible to reach. Assaults of this kind are a routine part of hackers’ arsenal at this point, usually deployed to extort a ransom or in retaliation for perceived slights. But DDoS attacks have dramatically escalated in scale over the past year, including two record blitzes this fall.

What was most shocking about the latest assault were the tools used to mount it. Hackers employed a vast array of remotely controlled Internet-connected gadgets–surveillance cameras, printers, digital video recorders–to generate the crippling deluge. They exploited these devices, which are part of the so-called Internet of Things and often suffer from weak or nonexistent security, thanks to a virus called Mirai. Internet provider Level 3 Communications estimates Mirai has infected some 500,000 gadgets. Experts call this phalanx of zombie devices a botnet army. And by one estimate, just 10% of the Mirai army was deployed this time.

The Internet of Things is growing faster than government’s or industry’s ability to secure it. There are now 6.4 billion connected devices globally, according to researcher Gartner. By 2020, that will balloon to 20.8 billion. Recalls like the one announced by Xiongmai Technologies, the Chinese manufacturer of some of the webcams used against Dyn, don’t go far enough, says Timothy Edgar, a director of law and policy at Brown University’s cybersecurity program. “Going back and making sure that each of these cameras have better security isn’t really possible,” he says.

Consumers can protect themselves to a degree by keeping the software on their devices updated or changing the default password if possible. But most cyber researchers say device manufacturers must be held responsible for better security. How to do that remains unclear, though legislation may be coming: on Oct. 24, Homeland Security Secretary Jeh Johnson seemed to suggest as much, saying his department would produce a strategic plan “in the coming weeks.”

More vexing are the questions that remain about the origin and purpose of such attacks. Bruce Schneier, a security expert and fellow at Harvard’s Berkman Klein Center for Internet & Society, theorizes that, in aggregate, these events constitute a kind of probing of the defenses and weaknesses of critical parts of the web. “Someone is learning how to take down the Internet,” he wrote ominously in September. An event like the Oct. 21 attack may, in retrospect, look like Darth Vader test-firing the Death Star on Alderaan.

What could a more damaging event look like? Denise Zheng, a senior fellow at the Center for Strategic & International Studies, says it might target health care or the financial realm. Or as several security experts warned, hackers could attempt to disrupt the U.S. presidential election by hobbling state and county election websites. Since voting machines are not connected to the Internet, it would be difficult to undermine the vote itself. But they could easily create an impression to the contrary.

Indeed, opacity and uncertainty are shaping up to be defining features of the cyber era. There is another telling detail about this attack: the Japanese word mirai translates as “the future.”

How to break the Internet

On Oct. 21, one of the biggest DDoS attacks in history overwhelmed key parts of the web’s infrastructure and prevented millions of people from accessing popular sites. Here’s how it happened:

[The following text appears within a diagram. Please see your hardcopy for actual diagram.]

Hackers

Command servers

1

Attackers identified computers that had been infected with malicious software called Mirai and took control of them, creating a botnet.

2

Botnets have traditionally been made up of compromised computers, but this time hackers took over hundreds of thousands of web-connected devices, like security cameras and DVRs, making the attack far more powerful.

Botnet army

3

Hackers commanded each of the compromised devices to send meaningless requests to servers owned by a domain-name-system (DNS) company, which helps translate URLs to IP addresses.

DNS server

4

The DNS server received so many fake requests from compromised devices that it couldn’t parse legitimate traffic, blocking access for millions of users.

To check if you have susceptible devices and learn what to do, visit time.com/hacked-devices