Twitter, Amazon, Netflix, The New York Times, Spotify, Reddit, and others Impacted by Massive DDoS

Someone, and no one is quite sure who yet, has managed to take Twitter, SoundCloud, Spotify, Shopify, and other sites offline this week using a DDoS (distributed denial of service) attack. The outage affected much of the USA and parts of Europe.

These sites are all customers of Dyn.com, a company that operates a massive worldwide DNS system that lets companies fail over from one set of servers to another and provides redundancy. It also serves as a content distribution network (CDN), reducing latency by placing copies of data at locations around the world, closer to users.

The US government is responding to this attack by questioning whether this is a criminal DDoS attack, as Brian Krebs and others have speculated, or a state cyberattack. Congressmen on Capitol Hill have raised questions about that and the White House has gotten involved.

This comes on the heels of allegations, and apparently proof as well, that the Russian government has been hacking into the computer systems at Hillary Clinton’s presidential campaign and the Democratic Party headquarters. Pundits on TV, in the news, and the Clinton campaign say Russian President Putin’s goal is to embarrass Secretary Clinton, thus favoring Donald Trump.

This is like a global spy thriller, but it is all real. The leaked material has been uploaded to WikiLeaks. Saying he did not want to be involved in this kind of cyber intrusion and meddling in another country’s election, Ecuadorean President Rafael Correa cut off Julian Assange’s internet access at the Ecuadorean embassy in London. Assange has been holed up there for several years because if he steps outside the embassy he risks being arrested and deported to either the USA or Sweden. There has been speculation about whether Ecuador was pressured into doing that. As you might remember, Ecuador was thought to be a final destination for Edward Snowden when he was fleeing the Americans. Vice President Biden flew down there to warn them against that.

A DDoS (distributed denial of service) attack works when hackers use the power of botnets to send DNS and website requests to their target and overwhelm it with traffic. Botnets are networks of mainly home PCs that have been hacked; their owners know nothing about it.

Dyn, Cloudflare, BackConnect and other companies advertise that they can protect high-profile sites like Twitter from DDoS attacks. What they do is temporarily point the targeted site's IP address at massive server farms in their own data centers, and then try to filter hacker traffic from genuine traffic. BackConnect has even been caught hacking back at the attackers.

But defending against DDoS is made almost impossible because who can tell whether a request to open a web page is legitimate or not? It looks the same whether a hacker or a regular person sent it. Nor is there any way to scale up the number of web servers to handle the immense amount of data the hackers send.

There is nothing high-tech about a DDoS attack. It works by sending more data than a server can handle, so it does not involve any kind of fancy hacking, per se.

Image: companies impacted by massive DDoS

These attacks use several tactics to amplify their effect. Hackers will, for example, send a TCP request to connect to a website but send nothing back when the website responds. That ties up a socket or thread while the website waits for the reply. The hackers can also send malformed packets, meaning data that is not structurally complete; that too ties up a web server, because it takes the computer some time to determine that the packet is bad.
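The half-open connection trick described above, as an added example that is not from the original article: a small defender-side check that parses socket-table output in the column layout of `ss -tan` (constructed sample, assumed column order) and reports whether the share of half-open sockets points to a flood.

```python
"""Spot a half-open connection (SYN) flood from a socket-table listing.

Added example, not code from the original article. The input below is a
constructed excerpt in the column layout of `ss -tan` output, not real data.
"""
from collections import Counter

# Constructed sample: one peer holds four half-open connections to port 443.
SAMPLE_SS = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV 0      0      10.0.0.5:443       203.0.113.9:40001
SYN-RECV 0      0      10.0.0.5:443       203.0.113.9:40002
SYN-RECV 0      0      10.0.0.5:443       203.0.113.9:40003
SYN-RECV 0      0      10.0.0.5:443       203.0.113.9:40004
ESTAB    0      0      10.0.0.5:443       198.51.100.3:51234
ESTAB    0      0      10.0.0.5:443       198.51.100.4:51990
SYN-RECV 0      0      10.0.0.5:443       192.0.2.77:61000
"""


def parse_ss(text):
    """Return a list of (state, peer_ip) tuples, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, peer = parts[0], parts[4]
        rows.append((state, peer.rsplit(":", 1)[0]))  # drop the port
    return rows


def half_open_stats(rows):
    """Count half-open (SYN-RECV) sockets overall and per peer address."""
    by_peer = Counter(ip for state, ip in rows if state == "SYN-RECV")
    return {"half_open": sum(by_peer.values()), "total": len(rows), "by_peer": by_peer}


def flood_suspects(rows, per_peer=3, ratio=0.5):
    """Return (flood_suspected, [peers holding >= per_peer half-open sockets]).

    The global half-open ratio is the robust signal: a real SYN flood usually
    spoofs its source addresses, so no single peer need stand out.
    """
    stats = half_open_stats(rows)
    flood = stats["total"] > 0 and stats["half_open"] / stats["total"] >= ratio
    peers = sorted(ip for ip, n in stats["by_peer"].items() if n >= per_peer)
    return flood, peers
```

On Linux the standard mitigation for the socket exhaustion this check detects is the `net.ipv4.tcp_syncookies` sysctl, which lets the server answer SYNs without keeping per-connection state.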

The problem with botnets is, as we said, that these are computers belonging to people who are not technically savvy enough to patch their systems or run antivirus software, or who are simply the victims of zero-day attacks (meaning attacks for which there is as yet no defense). So their computers are taken over and used as part of a botnet without their owners knowing anything about it. There are so many botnets that organizations like Spamhaus maintain lists of their IP addresses so that people can block them. Here is the Spamhaus list.

The other issue is that criminal organizations hire out these botnets to other firms to launch these attacks. One company doing that was vDOS. After Brian Krebs reported on the activities of that Israeli business, its owners were arrested by the American FBI.

Some problems with the way the internet is designed make DDoS attacks easier for the hacker to produce. One is that it is possible to spoof the source IP address of DNS lookup packets. That means that when computer A looks up a website, say Twitter.com, the DNS server that stores that address sends its response to a different computer, computer B, which is the victim of the attack.

Hackers also exploit what is called DNS amplification, which greatly expands the size of the DNS lookup data, and open DNS resolvers, which pass DNS requests up a chain (list) of servers.
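The spoofing and amplification mechanisms in the last two paragraphs, as an added example that is not part of the original article: a detector over a constructed resolver query log (simplified line format and an assumed minimal query size, neither from the page) that flags addresses receiving many responses far larger than the queries that produced them.

```python
"""Flag DNS reflection/amplification patterns in a resolver query log (added
example, not from the article). Constructed log line format:
"<time> <client_ip> <qtype> <qname> <response_bytes>"."""
from collections import defaultdict

# Assumed size in bytes of a minimal DNS query on the wire (approximation).
QUERY_BYTES = 64

# Constructed sample: one "client" keeps asking ANY for a domain with big
# responses. On a reflection attack that address is the spoofed victim, not
# the real sender, so the right reaction is rate limiting, not blacklisting it.
SAMPLE_LOG = """\
12:00:01 203.0.113.7 ANY example.com 3140
12:00:01 203.0.113.7 ANY example.com 3140
12:00:01 203.0.113.7 ANY example.com 3140
12:00:02 203.0.113.7 ANY example.com 3140
12:00:02 198.51.100.20 A example.com 62
12:00:03 198.51.100.21 AAAA example.com 74
12:00:03 203.0.113.7 ANY example.com 3140
"""


def parse_log(text):
    """Return (client_ip, qtype, qname, response_bytes) per non-empty line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _time, ip, qtype, qname, size = line.split()
        records.append((ip, qtype, qname, int(size)))
    return records


def amplification_by_client(records):
    """Map client_ip -> (query_count, response_bytes / query_bytes ratio)."""
    count, resp = defaultdict(int), defaultdict(int)
    for ip, _qtype, _qname, size in records:
        count[ip] += 1
        resp[ip] += size
    return {ip: (count[ip], resp[ip] / (count[ip] * QUERY_BYTES)) for ip in count}


def flag_reflection(records, min_queries=5, min_amp=10.0):
    """Clients with many queries whose responses dwarf the queries behind them."""
    stats = amplification_by_client(records)
    return sorted(ip for ip, (n, amp) in stats.items()
                  if n >= min_queries and amp >= min_amp)
```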

So, for the foreseeable future, these kinds of attacks are going to continue, as there is no way to defend against them. Changing how DNS and the other protocols that hackers exploit work would take worldwide coordination and many years. Similarly, it is going to be impossible to clean up all the hacked machines in these botnets.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
