Hackers Used New Weapons to Disrupt Major Websites Across U.S. - The New York Times
SAN FRANCISCO — Major websites were inaccessible to people across wide swaths of the United States on Friday after a company that manages crucial parts of the internet’s infrastructure said it was under attack.
Users reported sporadic problems reaching several websites, including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud and The New York Times.
The company, Dyn, whose servers monitor and reroute internet traffic, said it began experiencing what security experts called a distributed denial-of-service attack just after 7 a.m.
Reports that many sites were inaccessible started on the East Coast, but spread westward in three waves as the day wore on and into the evening.
And in a troubling development, the attack appears to have relied on hundreds of thousands of internet-connected devices like cameras, baby monitors and home routers that have been infected — without their owners’ knowledge — with software that allows hackers to command them to flood a target with overwhelming traffic.
....“The number and types of attacks, the duration of attacks and the complexity of these attacks are all on the rise,” Mr. York said.
Security researchers have long warned that the increasing number of devices being hooked up to the internet, the so-called Internet of Things, would present an enormous security issue.
And the assault on Friday, security researchers say, is only a glimpse of how those devices can be used for online attacks.
...A distributed denial-of-service attack, or DDoS, occurs when hackers flood the servers that run a target’s site with internet traffic until it stumbles or collapses under the load.
Such attacks are common, but there is evidence that they are becoming more powerful, more sophisticated and increasingly aimed at core internet infrastructure providers.
Going after companies like Dyn can cause far more damage than aiming at a single website.
...The attacks were not only more frequent, they were bigger and more sophisticated.
The typical attack more than doubled in size.
What is more, the attackers were simultaneously using different methods to attack the company’s servers, making them harder to stop.
...Last month, Bruce Schneier, a security expert and blogger, wrote on the Lawfare blog that someone had been probing the defenses of companies that run crucial pieces of the internet.
“These probes take the form of precisely calibrated attacks designed to determine exactly how well the companies can defend themselves, and what would be required to take them down,” Mr. Schneier wrote.
...It is too early to determine who was behind Friday’s attacks, but it is this type of attack that has election officials concerned.
They are worried that an attack could keep citizens from submitting votes.
Thirty-one states and the District of Columbia allow internet voting for overseas military and civilians.
Alaska allows any Alaskan citizen to do so. Barbara Simons, the co-author of the book “Broken Ballots: Will Your Vote Count?” and a member of the board of advisers to the Election Assistance Commission, the federal body that oversees voting technology standards, said she had been losing sleep over just this prospect.
“A DDoS attack could certainly impact these votes and make a big difference in swing states,” Dr. Simons said on Friday.
“This is a strong argument for why we should not allow voters to send their voted ballots over the internet...”