Two successive waves of cyber attacks blocked a major website on Friday and made it difficult for users to access Twitter, Spotify, Netflix, Amazon, Tumblr and Reddit.
The first attack appeared at 7:10 pm (PST) and was resolved at 9:30 pm, but then a fresh wave began.
The attack was a DDoS, a large-scale distributed denial of service attack, against an internet performance company named Dyn. It blocked user access to many popular websites, and those sites are still not accessible.
Dyn reported the sites going down at around 11:10 a.m. UTC, or roughly 7:10 a.m. ET, posting on its website: “Our engineers continue to investigate and mitigate several attacks aimed against the Dyn Managed DNS infrastructure. Oct 21, 17:53 UTC”
In an update posted at 8:45 pm ET, the company confirmed the attack, noting that “this attack is mainly impacting US East and is impacting Managed DNS customers in this region. Our Engineers are continuing to work on mitigating this issue.”
White House Press Secretary Josh Earnest said the Department of Homeland Security was “monitoring the situation” but that “at this point, I don’t have any information about who may be responsible for this malicious activity.”
Amazon, whose web service AWS hosts many of the web’s popular destinations including Netflix, also reported East Coast issues around the same time. In an update posted at 9:36 pm ET, it said that the issue had “been resolved and the service is operating normally.”
A post on Hacker News first identified the attack and named the sites that were affected. Several sites, including Spotify and GitHub, took to Twitter this morning to post status updates once the social network was back online.
Twitter users similarly took to the service to keep lists of which sites were down and comment on the situation. The term DDoS quickly vaulted to among the top of the site’s list of “Trending Topics” in the United States.
“DDoS attack this morning takes out Reddit, Twitter & Spotify,” wrote user @Anubis8. “Work productivity increases by 300%.”
“Anyone else having a whole lot of trouble with sites loading properly this morning?,” tweeted Emmy Caitlin. “Paypal is down, Twitter was down, Netflix half loading.”
How the attack works
Dyn provides DNS service, effectively an Internet address book for companies, and that’s what’s being attacked, said Steve Grobman, chief technology officer for Intel Security.
DNS stands for Domain Name Servers. These are computers that contain databases of URLs and the Internet Protocol addresses they represent.
“If you go to a site, say www.yahoo.com, your browser needs to know what the underlying Internet address that’s associated with that URL is. DNS is the service that does that conversion,” said Grobman.
For example, the IP address for yahoo.com is 188.8.131.52.
The attack is on the Dyn server that contains that address book. Dyn provides that service to multiple Internet companies, so when someone types in twitter.com or tumblr.com or Spotify.com, via a complex series of jumps the address book is able to tell their browser which numerical IP address to look at.
The DDoS attack floods that server with illegitimate requests, so many that very few real requests can get through. The user gets a message that the server is not available. Service is intermittent because a few requests are sometimes still able to go through.
In addition, many sites keep cached address books their computers can refer to. However, those caches always have a time limit on them, and when that “time to live” expires, they must go back to the DNS server to confirm the IP address is valid. If the DNS server is unavailable, a site that was working could suddenly stop being available, said Grobman.
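The cache expiry described above, as an added example that is not part of the original article: a toy caching resolver keeps answering from its cache while its upstream DNS server is unreachable, then fails once the record's time to live runs out. The class names, the 300-second TTL, the address 192.0.2.10 and the outage timing are all constructed for illustration; the `max_stale` option sketches the serve-stale behaviour standardised in RFC 8767 as a resolver-side mitigation.

```python
class AuthoritativeServer:
    """Stand-in for the managed DNS provider (constructed, not a real API)."""
    def __init__(self, records, ttl):
        self.records, self.ttl, self.available = records, ttl, True

    def query(self, name):
        if not self.available:  # flooded: the legitimate query never gets an answer
            raise TimeoutError("authoritative server unreachable")
        return self.records[name], self.ttl


class CachingResolver:
    """Toy recursive resolver with a TTL cache and an optional serve-stale window."""
    def __init__(self, upstream, max_stale=0):
        self.upstream, self.max_stale = upstream, max_stale
        self.cache = {}  # name -> (address, expires_at)

    def resolve(self, name, now):
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0], "cache"          # TTL still valid, no upstream query
        try:
            address, ttl = self.upstream.query(name)
        except TimeoutError:
            if entry and now < entry[1] + self.max_stale:
                return entry[0], "stale"      # expired, but reused during the outage
            return None, "servfail"           # nothing usable: the site "goes down"
        self.cache[name] = (address, now + ttl)
        return address, "authoritative"


def simulate(max_stale, outage_start=60, query_times=(0, 120, 240, 360)):
    """Resolve one name at each time; upstream is unreachable from outage_start on."""
    auth = AuthoritativeServer({"www.example.com": "192.0.2.10"}, ttl=300)
    resolver = CachingResolver(auth, max_stale=max_stale)
    results = []
    for now in query_times:
        auth.available = now < outage_start
        results.append((now, *resolver.resolve("www.example.com", now)))
    return results


if __name__ == "__main__":
    for label, max_stale in (("no serve-stale", 0), ("serve-stale 1h", 3600)):
        print(label)
        for now, address, source in simulate(max_stale):
            print(f"  t={now:>3}s  {address}  ({source})")
```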