Here’s how hackers brought down the internet – and what we can do to stop them

If you were on the US East Coast on 21 October, you likely noticed that the internet just wasn’t working as it should. Some of the web’s most popular sites – Twitter, AirBnB, Spotify, Reddit, NYTimes.com and many others (even, ironically, http://downforeveryoneorjustme.com/) – were either out for some time or very slow to access.

It wasn’t a glitch or a mistake that led to this outage. Rather, it was a malicious attack on some of the backbone structures of the internet. In its scope and methodology, the attack draws attention to some of the innovations – especially those relating to the internet of things (IoT) – that we’re in the process of expanding, perhaps without taking their security implications as seriously as we should.

Authorities and cybersecurity experts are still trying to figure out the specifics of what happened and who was responsible, but we know the basics and we can draw some of our own conclusions about what we need to do to mitigate the risk of this happening again.

In the early morning of 21 October 2016, Dyn, a company that redirects traffic on the internet as part of the Domain Name System (DNS), reported that many websites were inaccessible. This happened in a series of waves over the course of the day. Web users experienced this as an inability to access some of the most popular sites. It was clear to investigators at Dyn very early on that this inaccessibility was the result of a massive, coordinated DDoS attack on Dyn’s DNS servers, a vital component of internet infrastructure.

The target of the 21 October attack, Dyn, forms part of the internet’s backbone. The company is one of the many organizations and firms that host the DNS – which essentially functions like the whitepages do for community telephone services.

When using the whitepages, you look up the name of the person you’d like to contact and find their telephone number. DNS takes the website name that you type into your browser and converts it to the unique IP address of the server that holds the information that makes up that webpage.

DNS servers act as a translator between the website names that are easy for people to remember and the IP addresses that computers need to find each other across the internet. There is a multitude of translating/rerouting servers available. However, some servers are used as nameservers and become a vital link when translating the name of a website to an IP address. When those servers are unavailable, as Dyn’s were, it becomes very difficult, if not impossible, to access those websites.

A DDoS attack is short for Distributed Denial of Service Attack. The targets of these attacks are usually servers that store the information computers seek to access when pointed to a website.

These attacks attempt to overwhelm a target server with a flurry of requests for information. The server becomes so busy attempting to fulfill those requests that it can no longer provide information to legitimate users attempting to access it. The result is that the information will no longer be available to its intended users – the website is “down”.

When the attack is “distributed”, the multiple systems act in concert to flood a server with requests. Very often this is the result of many systems (computers or processors) being compromised and under the control of a malicious actor. Sometimes these galaxies of compromised systems are referred to as a “botnet”. Traditionally, these botnets are made up of unsecured PCs, but in this attack it seems that IoT devices were corrupted and tied into a botnet – a relatively new and troubling development.

Historically (if that’s the right term to attach to something that’s been possible for, at most, 16 years), DDoS attacks have used hijacked computers, by and large similar to the one you’re reading this article on. What makes this attack so interesting is that the computers it hijacked were in devices that have been networked to create the internet of things.

This particular episode was made possible by a botnet of IoT devices compromised by a bit of malware known as Mirai, which was specifically designed to take control of connected devices. In this case the culprit was likely digital video recorders, those set-top boxes that allow you to record live TV and skip the commercials, and webcams, like those used around houses for security. All these devices now moonlight as slaves to malicious actors bent on taking down individual websites or even portions of the internet, as with the Dyn attack.

Considering the trend in connectivity, this is really just a taste of things to come. The deployment of IoT is far outpacing any other networked system. We’ve estimated that, by 2020, 50 billion devices will be connected to the internet. That’s 50 billion new accomplices for an attacker to use to take down the servers that are critical to a functioning internet.

Added to this explosion in connected (and potentially compromised) devices is the increasingly sophisticated and systematic nature of recent attacks. Bruce Schneier, an internationally renowned expert on technology and security, has sounded the alarm on this issue very recently. The combination of a dedicated group of actors and a significant increase in the means to attack networks should be a big concern to us all.

There are two interrelated things that need to change if we are to have a chance to combat this growing threat. First, we need to change our culture around networked technologies. As we’ve said before (here and here), leaders need to make security and resilience in digital spaces a priority. When considering overall strategy, whether for an enterprise or a government, cyber strategy must be a key concern.

Second, we need to make a serious attempt at prioritizing security in IoT deployments. Security by design, or ensuring that security is built into technology from the beginning, is a step in the right direction. Another step would be for innovators and regulators to work together to help align incentives, which are currently behind deploy-first-secure-later approaches, to support security in IoT. The World Economic Forum is currently working with experts in this area to explore how to do this.

If we take the Dyn DDoS attack as a wake-up call regarding the dangers of an insecure IoT, we can ensure that something worse doesn’t happen.