Image: AP

Friday’s DDoS attack on Dyn’s domain name servers was unprecedented. The attack utilized a botnet made up of “internet of things” (IoT) devices (think: smart TVs, DVRs, and internet-connected cameras) to take down a major piece of internet infrastructure. The result? For most of Friday, people across the United States and some parts of Europe were unable to access sites like Amazon, Twitter, CNN, PayPal, Spotify and more. Here’s what we know so far.




Who did it?

This is the biggest question, and we don’t have a solid answer yet. There were rumblings online that the attack might have been state-sponsored, but an unnamed intelligence official told NBC they’ve ruled that out, saying it was a “classic case of internet vandalism.”


NBC News reports:

A senior US intelligence official told NBC News the current assessment is that this is a classic case of internet vandalism. The official said it does not appear at this point to be any kind of state-sponsored or directed attack. Impossible to say how long it will take to say who’s responsible, the official added.﻿



As is usually the case with anonymous US officials, the source didn’t offer any proof to bolster that claim. So for now, we’ll have to accept this conclusion with a good dose of skepticism.

How was the attack done?

Dyn confirmed the analysis of some cybersecurity companies that the attack was launched by IoT devices infected with the “Mirai botnet.” Mirai is malware that recently became open source, allowing anyone to build their own botnet army made of IoT devices.


Dyn’s official statement on the attack explains:

At this point we know this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses. We are conducting a thorough root cause and forensic analysis, and will report what we know in a responsible fashion. The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.﻿




As Dyn implies in its statement, this event was not your conventional DDoS attack. Instead, it seems to be the first large-scale attack using IoT devices. Because of the estimated billions of available unsecured IoT devices, these attacks could allow for an unprecedented amount of DDoS power—enough power to take down major pieces of internet infrastructure protected by some of the best DDoS mitigation in the business. That’s exactly what we saw on Friday.

What comes next?

Some of the devices used in this botnet against Dyn came from one Hangzhou Xiongmai, a Chinese manufacturer that creates parts for internet-connected webcams. Just this morning, Hangzhou Xiongmai said that it would recall the devices utilized in the attack and send out security patches. Hangzhou Xiongmai devices were vulnerable because they didn’t force users to change the passwords that connect the devices to the internet, leaving the devices with default passwords. This, in turn, allowed hackers to co-opt them.


It remains to be seen if this attack will be launched again, but there is no doubt that it inspired would-be hackers to build more botnet armies using the wealth of unsecured IoT devices and readily available malware. It’s unclear what mischief they’re planning, but if hackers are able to make much of the internet unusable, say, once or twice a month, it will totally change how the web works.

So to put it bluntly: Last week’s cyber attack was very scary. Never before have key pieces of internet infrastructure been so vulnerable, and there’s no doubt that some copycat hackers will try to get their kicks in while they still can.