How an army of vulnerable gadgets took down the web today

Nick Statt
scyther5 | iStock | Getty Images

At some point Friday morning, one of the U.S.'s critical internet infrastructure players was hit with a staggering distributed denial of service (DDoS) attack that took out huge swaths of the web. Sites like Twitter, Netflix, Spotify, Reddit, and many others — all clients of a domain registration service provider called Dyn — have suffered crippling interruptions and, in some cases, blanket outages.

Details are now emerging about the nature of the attack. It appears the cause is what's known as a Mirai-based IoT botnet, according to security journalist Brian Krebs, who cited cyber-threat intelligence firm Flashpoint. Dyn's chief strategy officer Kyle Owen, who spoke with reporters this afternoon, later confirmed Flashpoint's claim, revealing that traffic to its servers was clogged with malicious requests from tens of millions of IP addresses in what the company is calling a "very sophisticated and complex attack."

Today's DDoS attack can be linked to the internet of things.

A Mirai botnet essentially takes advantage of the vulnerable security of Internet of Things devices, meaning any smart home gadget or connected device anywhere that has weak login credentials. Mirai, a piece of malware, works by scanning the internet for those devices that still have factory default or static username and password combinations. It then takes control of those devices, turning them into bots that can then be wielded as part of a kind of army to overload networks and servers with nonsense requests that slow speeds or even incite total shutdowns.

More from The Verge:

So by wielding a botnet against Dyn, the perpetrator of this particular DDoS attack has been able to target one of the largest pieces of online infrastructure in the country and take down dozens upon dozens of sites. Dyn manages what is known as a domain name system (DNS) service, which is how computers translate a web address into the correct numeric machine code corresponding to a given website. The Department of Homeland Security is now looking into the attack, considering how critical a DNS interruption like this one is to internet use around the country.

The Mirai software is freely available on the internet, meaning any hacker state-sponsored or otherwise could be behind today's DDoS. A user going by the name of "Anna-senpai" uploaded the Mirai source code to English-language site Hackerforums. The hacker's own words appear to suggest he or she leaked the code because security experts were beginning to defend against it. "I made my money, there's lots of eyes looking at IoT now, so it's time to GTFO [link added]," Anna-senpai wrote. Before doing so, a Mirai-based botnet attack even targeted Krebs' own security blog, failing to bring it down but nonetheless mounting a historically large DDoS attack.

Hacking the Internet of Things

Krebs suggested the act of leaking the source code was intended to throw off the trace for any federal investigators. "It's an open question why Anna-senpai released the source code for Mirai," he wrote earlier this month. "But it's unlikely to have been an altruistic gesture: Miscreants who develop malicious software often dump their source code publicly when law enforcement investigators and security firms start sniffing around a little too close to home."

However, with Mirai out there for anyone to use, the threat of an IoT botnet attack is now significant. "My guess is that (if it's not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth," Krebs wrote. "On the bright side, if that happens it may help to lessen the number of vulnerable systems."