Someone, and no one is yet sure who, managed this week to take Twitter, SoundCloud, Spotify, Shopify, and other sites offline with a DDoS (distributed denial of service) attack. The outage affected much of the USA and parts of Europe.
These sites are all customers of Dyn.com, a company that operates a massive, globally distributed DNS system that lets its customers fail over from one set of servers to another and so provides redundancy. It also operates as a content distribution network (CDN), reducing latency by placing copies of data at locations around the world, closer to users.
The US government is responding to this attack by questioning whether this is a criminal DDoS attack, as Brian Krebs and others have speculated, or a state cyberattack. Congressmen on Capitol Hill have raised questions about that and the White House has gotten involved.
This comes on the heels of allegations, and apparently proof as well, that the Russian government hacked into computer systems at Hillary Clinton's presidential campaign and at Democratic Party headquarters. Pundits on TV and in the press, and the Clinton campaign itself, say Russian President Putin's goal is to embarrass Secretary Clinton and thus favor Donald Trump.
This reads like a global spy thriller, but it is all real. The leaked material has been uploaded to WikiLeaks. Saying he did not want his country involved in this kind of cyber intrusion and meddling in another nation's election, Ecuadorean President Rafael Correa cut off Julian Assange's internet access at the Ecuadorean embassy in London. Assange has been holed up there for several years because if he steps outside the embassy he risks being arrested and extradited to either the USA or Sweden. There has been speculation about whether Ecuador was pressured into doing that. As you might remember, Ecuador was thought to be Edward Snowden's final destination when he was fleeing the Americans; Vice President Biden flew down there to warn them against taking him.
A DDoS (distributed denial of service) attack works by using botnets to flood the target with DNS lookups, web requests and other traffic until it can no longer keep up. Botnets are networks of compromised machines, mainly home PCs, whose owners have no idea they have been hacked.
Dyn, Cloudflare, BackConnect and other companies advertise that they can protect high-profile sites like Twitter from DDoS attacks. What they do is temporarily redirect the targeted site's traffic, by pointing its DNS records at their own addresses, to massive server farms in their data centers, where they try to filter attack traffic out from genuine traffic. BackConnect has even been caught hacking back at the attackers.
But defending against DDoS is made almost impossible by the fact that nobody can reliably tell whether a request to open a web page is legitimate: the request looks the same whether an attacker's bot or a regular person sent it. Nor can a site simply scale up its number of web servers to absorb the immense amount of data the attackers send.
There is nothing high-tech about a DDoS attack. It works by sending more traffic than the target can handle, so it involves no fancy hacking per se.
These attacks use several tactics to amplify their effect. Attackers will, for example, send a TCP connection request (a SYN) to a website but never answer the server's SYN-ACK reply. The server must keep a half-open connection in its backlog while it waits for that answer, and enough of these fill the backlog so that real clients cannot connect at all (a SYN flood). Attackers can also send malformed packets, meaning data that is not structurally complete, which also ties up a server for the time it takes to work out that the packet is garbage.
The problem with botnets is, as we said, that these are computers belonging to people who are not technically savvy enough to patch their systems or run antivirus software, or who are simply the victims of zero-day attacks (exploits for vulnerabilities that have no fix yet). So their computers are taken over and used as part of a botnet without the owners knowing anything about it. There are so many botnets that organizations like Spamhaus maintain lists of their IP addresses so that people can block them. Here is the Spamhaus list.
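To make the SYN-flood mechanism concrete, here is an added simulation of a listening socket's half-open backlog, written for this article; it is not code from Dyn or from any real server. The backlog size, the timeout and the packet trace are all constructed and deliberately tiny so the effect is visible:

```python
"""How a TCP SYN flood exhausts a listening socket's half-open backlog.
Added simulation for this article, not code from Dyn or any real server.
The backlog size, the timeout and the packet trace are constructed and
deliberately tiny so the effect is visible."""
from collections import OrderedDict

BACKLOG = 4          # constructed: real kernels default to hundreds or thousands
SYN_TIMEOUT = 3.0    # seconds a half-open entry is kept before the server gives up


class SynBacklog:
    """Tracks half-open connections the way a server's SYN queue does."""

    def __init__(self, size=BACKLOG, timeout=SYN_TIMEOUT):
        self.size, self.timeout = size, timeout
        self.half_open = OrderedDict()   # (src_ip, src_port) -> time the SYN arrived
        self.established = []            # handshakes that completed
        self.dropped = []                # SYNs refused because the queue was full

    def expire(self, now):
        """Forget entries whose peer never sent the final ACK."""
        for key, arrived in list(self.half_open.items()):
            if now - arrived > self.timeout:
                del self.half_open[key]

    def on_syn(self, now, src):
        self.expire(now)
        if len(self.half_open) >= self.size:
            self.dropped.append(src)      # no SYN-ACK goes out; the client sees a hang
            return False
        self.half_open[src] = now         # server sends SYN-ACK and waits for the ACK
        return True

    def on_ack(self, now, src):
        self.expire(now)
        if src not in self.half_open:     # ACK for a connection we are not holding
            return False
        del self.half_open[src]           # third step of the handshake: promote it
        self.established.append(src)
        return True


def replay(trace, backlog=None):
    """Feed a list of (time, 'SYN'|'ACK', (ip, port)) events through a backlog."""
    bl = backlog or SynBacklog()
    for now, kind, src in trace:
        (bl.on_syn if kind == "SYN" else bl.on_ack)(now, src)
    return bl


def syns_per_second_to_saturate(backlog=None):
    """Rate an attacker must sustain so that expired entries are refilled at once."""
    bl = backlog or SynBacklog()
    return bl.size / bl.timeout


# Constructed trace: four spoofed SYNs that never complete the handshake, then a
# legitimate client that is refused, then the same client retrying after expiry.
CLIENT = ("203.0.113.7", 51000)
FLOOD = [
    (0.0, "SYN", ("198.51.100.10", 40001)),
    (0.1, "SYN", ("198.51.100.11", 40002)),
    (0.2, "SYN", ("198.51.100.12", 40003)),
    (0.3, "SYN", ("198.51.100.13", 40004)),
    (0.5, "SYN", CLIENT),     # backlog full: refused
    (3.5, "SYN", CLIENT),     # spoofed entries have timed out: accepted
    (3.6, "ACK", CLIENT),     # handshake completes
]

if __name__ == "__main__":
    bl = replay(FLOOD)
    print(f"dropped={bl.dropped} established={bl.established} "
          f"still half-open={len(bl.half_open)}; attacker needs "
          f"{syns_per_second_to_saturate():.2f} SYN/s to keep it that way")
```

Run as a script, it shows the four spoofed SYNs filling the backlog, the legitimate client being refused at 0.5 s, and its retry succeeding once the entries have expired at 3.5 s. The arithmetic is the point: an attacker only has to send SYNs faster than backlog size divided by timeout (here 4 every 3 seconds) to keep the queue full indefinitely, and spoofed sources make the traffic unfilterable by address. Real kernels answer this with SYN cookies (on Linux, the net.ipv4.tcp_syncookies sysctl), which encode the connection state in the SYN-ACK sequence number so nothing has to be stored until the final ACK arrives.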
The other issue is that criminal organizations rent these botnets out to anyone who wants to launch an attack. One such service was vDOS. After Brian Krebs reported on the activities of that Israeli business, its two owners were arrested in Israel at the request of the American FBI.
Some features of the internet's design make DDoS attacks easier to produce. One is that the source IP address of a DNS lookup packet can be spoofed, because DNS normally runs over UDP, which has no handshake to prove where a packet came from. So when the attacker's computer A looks up a name such as Twitter.com but writes computer B's address into the packet as the source, the DNS server that stores that address sends the response to computer B, the victim of the attack. Filtering spoofed packets at the network edge (BCP 38, published in 2000) would stop this, but many networks still do not do it.
Attackers also use DNS amplification, choosing queries (such as ANY, or names with large DNSSEC signatures) whose responses are many times larger than the tiny query, so that each spoofed packet the attacker sends turns into a much bigger packet aimed at the victim. And they use open resolvers, DNS servers that will answer recursive queries from anyone on the internet, which give them millions of willing reflectors.
So, for the foreseeable future, these kinds of attacks are going to continue, because there is no complete defense against them. Changing DNS and the other protocols that attackers exploit would take worldwide coordination and many years. Similarly, it is going to be impossible to clean up all the hacked machines that make up the botnets.
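The spoofing and amplification described in the last two paragraphs, as an added offline example written for this article (not Dyn's code and not any real resolver's). The zone data, the addresses and the resolver's truncation behaviour are constructed, and the code builds and parses DNS packets in memory without sending anything:

```python
"""DNS reflection and amplification, worked through offline.
Added example for this article: not Dyn's code and not a real resolver.
The zone, the addresses and the truncation behaviour are constructed,
and nothing here sends a packet."""
import struct

QTYPE_A, QTYPE_TXT, QTYPE_OPT, QTYPE_ANY, CLASS_IN = 1, 16, 41, 255, 1
IP_UDP_OVERHEAD = 20 + 8   # IPv4 + UDP headers, counted when comparing on-wire sizes


def encode_name(name):
    """'example.com' -> length-prefixed labels ending in a zero byte (RFC 1035)."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"


def txt(s):
    """TXT RDATA: one length byte followed by the character string."""
    b = s.encode()
    return bytes([len(b)]) + b


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, edns_size=4096):
    """The attacker's packet: header, one question, and an EDNS0 OPT record telling
    the resolver it may send up to edns_size bytes over UDP instead of truncating."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_size, 0, 0)  # root name, type, class=size, TTL, RDLEN
    return header + question + opt


def parse_query(pkt):
    """Return (txid, name, qtype, udp_payload_size) from a query packet."""
    txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    pos, labels = 12, []
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 1                                     # skip the terminating zero label
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    edns_size = 512                              # classic UDP limit when there is no OPT record
    if ar:                                       # OPT record: root name (1 byte), type, class = size
        _, edns_size = struct.unpack("!HH", pkt[pos + 5:pos + 9])
    return txid, ".".join(labels), qtype, edns_size


# Constructed zone: the kind of data an ANY query drags back, including large TXT records.
ZONE = {
    "example.com": [
        (QTYPE_A, bytes([192, 0, 2, 10])),
        (QTYPE_TXT, txt("v=spf1 include:_spf.example.com ~all")),
    ] + [(QTYPE_TXT, txt("k" * 255))] * 4,       # four DKIM-sized strings
}


def build_response(txid, name, qtype, edns_size, zone):
    """What an open resolver sends back: the question, then every matching record,
    owner names compressed to a pointer at offset 12. If the answer will not fit
    the client's advertised UDP buffer, set TC and return the question alone."""
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    records = [(t, r) for t, r in zone.get(name, []) if qtype in (QTYPE_ANY, t)]
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, CLASS_IN, 3600, len(r)) + r
                       for t, r in records)
    pkt = struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0) + question + answers
    if len(pkt) > edns_size:
        pkt = struct.pack("!HHHHHH", txid, 0x8380, 1, 0, 0, 0) + question   # QR|TC|RD|RA
    return pkt


def reflect(query_bytes, claimed_src_ip, zone=ZONE):
    """An open resolver answers whoever the packet *claims* to be from. UDP has no
    handshake, so a query carrying the victim's address as its source gets the
    much larger response delivered to the victim. Returns (destination, response)."""
    txid, name, qtype, edns_size = parse_query(query_bytes)
    return claimed_src_ip, build_response(txid, name, qtype, edns_size, zone)


def amplification(query_bytes, response_bytes):
    """On-wire bytes the victim receives per byte the attacker sends."""
    return (len(response_bytes) + IP_UDP_OVERHEAD) / (len(query_bytes) + IP_UDP_OVERHEAD)


if __name__ == "__main__":
    q = build_query("example.com")
    victim, r = reflect(q, "203.0.113.7")       # attacker writes the victim's IP as the source
    print(f"{len(q)}-byte query -> {len(r)}-byte response sent to {victim}, "
          f"amplification x{amplification(q, r):.1f}")
```

Running it shows a 40-byte query (68 bytes with IP and UDP headers) turning into a response of roughly 1.2 kB delivered to the spoofed source, an amplification factor of about 17x; the same query with an EDNS0 size of 512 instead of 4096 comes back truncated to 29 bytes, which is why attackers always include the large OPT record. The fix on the resolver side is to stop answering recursive queries from strangers at all; for authoritative servers, response rate limiting blunts the reflection.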