Twitter, Reddit, GitHub, Spotify, and many others were knocked offline intermittently on Friday morning as a result of a cyberattack on a large internet infrastructure provider.
The popular websites became the collateral damage of a “global” Distributed Denial of Service or DDoS attack on Dyn, a company that provides core internet services for those popular websites. The attack mainly targeted Dyn’s Domain Name System (DNS) management services infrastructure on the East Coast of the United States, as the company explained in a statement.
DNS is essentially the internet’s phone book. When you type Twitter.com into your browser, DNS servers turn that URL into an IP address so the site’s content can be served to you. Because Dyn provides DNS management services to a lot of companies on the internet, the attack spread beyond the company and knocked other parts of the internet offline as collateral damage.
“We are a major DNS service provider,” Doug Madory, director of internet analysis at Dyn, told Motherboard. “When a DNS service provider gets attacked then parts of the DNS system stop working and people can’t access websites.”
Madory also said that there was “no doubt” that Dyn was the primary target of the attack.
At this point, it’s unclear who’s behind the attack or what their motives were. But as security journalist Brian Krebs noted, Dyn’s researcher Madory teamed up with him on research investigating the “sometimes blurry lines between certain DDoS mitigation firms and the cybercriminals apparently involved in launching some of the largest DDoS attacks the Internet.”
Krebs, however, noted that there’s no data to clearly link Dyn’s previous work with the attack on Friday.
The attack on Dyn came a few weeks after criminals used a massive botnet made of Internet of Things devices infected with malware to target Krebs himself, forcing him to take down his website. At this point, it’s unclear if the DDoS on Dyn was carried out with that botnet, which is powered by malware known as Mirai, but some were already speculating that was the case.
Marshal Webb, the chief technology officer of BackConnect, an anti-DDoS firm that was also investigated by Krebs and Madory, explained that Mirai has capabilities to target and overwhelm DNS servers.
“Someone has probably achieved hegemony with the Mirai source and slapped DYN to either hit them directly or a customer downstream,” Webb told Motherboard in an online chat. “Nothing else would have enough legitimate devices to saturate DNS queries.”
At around 9:45 am ET, Dyn reported that all services were “restored to normal.” But as of this time, no one knows exactly who was behind the attacks or how they did it, and Dyn said they had no other details to provide.
UPDATE, 10/21/2016, 5:15 p.m. ET: A botnet of hacked Internet of Things devices powered by the malware Mirai is at least in part responsible for the outages, according to an internet backbone provider and a security company.