This morning (US Eastern time), many popular websites and mobile apps - including those from Twitter, Reddit, Spotify, CNN, and sites hosted by Wix - experienced outages, and this afternoon sites that recovered earlier seemed to go offline once again. At least as of now, the massive failures seem to stem from an attack launched by an as-of-yet unknown party (or parties) against Dyn, a provider of Domain Name Services (DNS) - a critical technology necessary for the functioning of the modern Internet. While some of the impacted systems do seem to be back online, Dyn reports that as of 1 PM Eastern time today its engineers are still fighting off the attack.
DNS refers to a service that, among other things, allows people to refer to computers on the Internet by name, rather than by a numeric IP address. If you enter CNN.COM, for example, DNS translates that name to a specific IP address to which your request and the resulting network traffic are routed. Because DNS mappings can be dynamic, DNS services can also help provide load balancing, redundancy, and, perhaps ironically in the context of this article, even protection against some denial of service attacks.
This morning, a massive distributed denial of service (DDoS) attack was launched against Dyn, apparently overloading the servers that were providing DNS services for some popular websites, thereby taking down access to many sites (at least intermittently). While I am oversimplifying for the sake of understandability, essentially a DDoS attack on DNS services causes users trying to access a site -- Twitter.com, for example -- to be unable to reach the DNS provider that processes requests to translate that site's name into a technically addressable IP address, rendering the site unreachable. Also, it is worth noting that simply using an IP address for the site when entering a URL is not a good solution; for various technical reasons some sites are not accessible in such a fashion, and, obviously, one cannot enter the IP address into many apps.
According to Gizmodo, sites that went offline as a result include ActBlue, Basecamp, Big Cartel, Box, Business Insider, CNN, Cleveland.com, Etsy, GitHub, Grubhub, The Guardian, HBO Now, iHeartRadio, Imgur, Intercom, Okta, PayPal, People, Pinterest, PlayStation Network, Recode, Reddit, Spotify, Squarespace, Starbucks Cards, Storify, The Verge, Twilio, Twitter, Urbandictionary, Weebly, Wired, Wix Customer Sites, Yammer, Yelp, Zendesk.com, and Zoho, and that list represents only a small fraction of the sites truly impacted by the attack.
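The dependency described above, where a site becomes unreachable once the DNS provider answering for its name cannot be reached, can be audited by a site operator ahead of time. The following is an added example, not part of the original article: the domains, nameserver hostnames, and provider names are constructed placeholders, and grouping nameservers by their last two labels is a simplifying assumption.

```python
"""Audit DNS delegations for single-provider dependency (constructed data)."""
from collections import defaultdict

# Constructed sample delegations: domain -> authoritative nameserver hostnames.
# Every name here is a placeholder, not a real DNS record.
DELEGATIONS = {
    "shop.example": ["ns1.provider-a.example", "ns2.provider-a.example",
                     "ns3.provider-a.example", "ns4.provider-a.example"],
    "news.example": ["ns1.provider-a.example", "ns2.provider-a.example",
                     "ns1.provider-b.example", "ns2.provider-b.example"],
    "blog.example": ["ns1.provider-b.example", "ns2.provider-b.example"],
}

def provider_of(ns_host):
    """Approximate a nameserver's operator by the last two labels of its name.
    Assumption for this example; production code should use the Public Suffix List."""
    return ".".join(ns_host.rstrip(".").lower().split(".")[-2:])

def audit(delegations, down=frozenset()):
    """Report, per domain, which nameservers remain if the providers in `down` fail."""
    reports = {}
    for domain, ns_hosts in delegations.items():
        by_provider = defaultdict(list)
        for host in ns_hosts:
            by_provider[provider_of(host)].append(host)
        alive = [h for p, hosts in by_provider.items() if p not in down for h in hosts]
        if not alive:
            status = "unreachable"   # no authoritative server left to answer
        elif len(alive) < len(ns_hosts):
            status = "degraded"      # resolvers must retry against the survivors
        else:
            status = "ok"
        reports[domain] = {
            "providers": sorted(by_provider),
            "single_provider": len(by_provider) == 1,  # risk flag, outage or not
            "alive_nameservers": alive,
            "status": status,
        }
    return reports

if __name__ == "__main__":
    # Simulate an outage of one provider and print the effect on each domain.
    for domain, r in audit(DELEGATIONS, down={"provider-a.example"}).items():
        print(f"{domain:14} {r['status']:12} single_provider={r['single_provider']}")
```

The model ignores resolver caching, which can keep a name resolving until previously cached records expire.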
While the current attack highlights (once again) the need to improve how DNS is handled from a technical standpoint, this and other recent DDoS attacks have also brought to the forefront one of the great vulnerabilities of the Internet - as long as there are large numbers of insecure devices, it is easy for nefarious parties to hack them with automated tools, and assemble large armies of "zombies" which can then be used to simultaneously flood and overwhelm legitimate parties with requests. DDoS attacks remind us that cybersecurity relies on the collective action of everyone - device manufacturers, large enterprises, governments, non-profits, and individuals - to keep our connected devices secure. We can outsource our physical defense to our military and law enforcement agencies -- but we cannot, to the same extent, outsource cybersecurity to others.