(Update: Second Outage) Dyn DDoS Takes Down Major Websites For Hours; Yet Another Sign Of Powerful Attacks To Come

News
By Lucian Armasu
published

Updated, 10/21/2016, 11:09am PT: Dyn seems to be experiencing new DDoS attacks on the Dyn DNS Managed infrastructure, which is once again slowing down or shutting down access to major internet services on the East Coast and Midwest. We've tracked outages as far west as Kansas.

The new attack started at 11:52am ET, and it's been ongoing since.

Dyn's engineers continue to investigate and mitigate the attack, but so far only with moderate success. Major sites such as Twitter, Paypal, Github, Soundcloud, and Shopify seem to be down at the time of this writing, while Reddit, Imgur, CNN, CNBC, and the rest are up. We'll update this post when there is new information.

Original article:

Major websites hosted on the East Coast in the United States were shut down by a DDoS attack for over two hours this morning. The attack started at 7:10am ET and affected sites that were using Dyn’s cloud services, including the company’s own website.

Dyn DDoS

Dyn, formerly known as DynDNS, is an Internet Performance Management (IPM) company that offers products that monitor, control, and optimize Internet infrastructure, as well as DNS registration and email services.

The company appears to have experienced a DDoS attack early this morning that slowed down or completely interrupted operation of customer websites using its Managed DNS service. Among others, the affected sites include:

  • Twitter
  • Etsy
  • Github
  • Soundcloud
  • Spotify
  • Heroku
  • Shopify
  • Okta
  • Imgur
  • Reddit
  • PayPal
  • CNN
  • CNBC

Dyn began mitigating the attack as soon as it became aware of it, but it wasn't completely stopped until 9:20am ET.

The “Internet Of Threats”

There isn’t too much information available yet about how powerful the attack was, nor who or what caused it. However, lately we’ve seen increasingly powerful DDoS attacks, some of which were powered by “Internet of Things” (IoT) devices that were controlled by botnets.

The Internet of Things, which some security experts called the “Internet of Threats,” is still in its early days, so we’ve not yet seen the type of damage that infected IoT devices can do.

Most IoT devices don’t seem to make security a priority. They are rarely updated, and the updates they do receive are typically released early in their life cycles, before their creator's attention shifts to new products. Some may be updated for two years, but consumers might use them for five or seven years, and something like a government-purchased CCTV camera could be used for even longer. Those devices are the most vulnerable to being taken over by botnets.

To make things worse, an IoT botnet software was recently made open source, making it much easier for people to launch their own DDoS attacks.

IoT Security Regulation May Be Imminent

Governments haven’t started to regulate the security of IoT devices, but any further delay could put more and more internet services at risk from DDoS attacks as the category becomes more popular.

Some governments, such as the U.S., believe that growth of IoT shouldn’t be restricted by too many regulations. The European Union is also taking a light approach and is currently considering the adoption of a “labeling system” for security that's similar to its energy consumption labeling laws.

Labeling system or not, there probably should be at least some security best practices that should be enforced for everyone. If an IoT device doesn’t have even a basic level of security to protect against being hacked by automated tools, then it probably shouldn’t even be on the market; its existence would only further endanger everyone else’s products and services.

That seems like something for which only governments could offer protection, as most companies act in their own interests only. When it’s an issue of adding an extra cost to their products with no guarantee that it would result in higher sales or that their competitors would match their higher prices, there’s little reason for a given company to adopt higher security.

This is the type of behavior we’ve already seen in the Android smartphone market, where manufacturers prefer to offer as few updates to their devices as possible so they can remain competitive on price.

If security regulations for IoT devices are adopted in many countries at once, the “cost” issue of adding new security features should no longer be much of a problem, as everyone would have to start from the same base level of security.

Lucian Armasu
Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
18 Comments Comment from the forums
  • dabeargrowls
    Ehh.... oh well, time to go outside and get some of that vitamin D that most of us are short on. If you look at all the website listed that are down for a bit then its no biggie. Time for some REAL socialization.
    Reply
  • DookieDraws
    "Dyn DDoS Takes Down Major Websites For Houes; Yet Another Sign Of Powerful Attacks To Come"

    Looks like it also took down the correct spelling for hours. :P
    Reply
  • sillynilly
    Many of those sites are STILL down many hours later.
    Reply
  • HEXiT
    i wonder if this is in retaliation to what joe biden said. something along the lines of "all out cyber attacks on russia."

    http://nypost.com/2016/10/15/russia-isnt-happy-about-us-cyberattack-threats/

    http://www.nbcnews.com/meet-the-press/video/biden-we-re-sending-a-message-to-putin-786263107997

    to me that is absolute idiocy. its just asking for a response. announcing it like this will force putin into a situation no 1 should be in. having to face down a super power knowing it could lead to MADness.

    if your living in the uk, you should be especially worried by this kind of action taken by america, coz we are literally the piggy in the middle.
    Reply
  • voodoochicken
    I don't use most of these sites, some I haven't even heard of, but the ones I use still work
    Reply
  • scarecrow2311
    looks like the NWO tantrum squad is working over time to keep anyone from looking at the latest WikiLeaks / Guccifer 2.0 or DNCHack info because BOY it is damning!
    Reply
  • Nuckles_56
    And what did people expect to happen with the IoT unfortunately? The only way that something will change with IoT devices is if the DDoS something like Facebook and Google and take them offline for a while, then people will get angry enough to actually get changes pushed through
    Reply
  • variokas
    welll...just use mainframes for routers' 'overflow' - and if you are laughing, you are still in 1960s!
    Reply
  • Kimonajane
    And yet the fools in charge of things will still continue to move toward total internet reliance on things. One example, Internet goes down can't buy groceries cause all the cash registers need it now for all the people who pay for everything with cards. I for one use cash for day to day activities, don't need them knowing what food I buy or where I buy my gas at. Oh and don't forget to thank the Obama regime (the liar from Kenya) for giving away the internet too.
    Reply
  • nitrium
    Seems incredible to me that these major companies aren't running their own DNS servers. So instead of having to target dozens of sites, hackers can now take down a whole swathe of them in one single attack. Welcome to the wonderful world of cloud computing /sarc.
    Reply