SAN FRANCISCO — Major websites were inaccessible to people across wide swaths of the United States on Friday after a company that manages crucial parts of the internet’s infrastructure said it was under attack.
Users reported sporadic problems reaching several websites, including Twitter, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud, Sony’s PlayStation Network, Amazon and The New York Times.
The company, Dyn, whose servers monitor and reroute internet traffic, said it began experiencing what security experts called a distributed denial-of-service attack about 7 a.m. Reports that many sites were inaccessible started on the East Coast, but spread westward in three waves as the day wore on and into the evening.
In a troubling development, the attack appears to have relied on hundreds of thousands of internet-connected devices such as cameras, baby monitors and home routers that have been infected — without their owners’ knowledge — with software that allows hackers to command them to flood a target with overwhelming traffic.
Indeed, Marc Dupuis, a professor at the University of Washington, Bothell, who specializes in cybersecurity, said the proliferation of web-connected devices beyond the traditional realm of personal computers can make such attacks more devastating.
Not only tablets and smartphones, but internet-connected cameras and kitchen appliances can be marshaled for criminal purposes. “Some of these toys for kids have internet connectivity,” he says. “People don’t think about security for these devices.”
Dupuis said that at this point it’s hard to know where the attack came from. “There’s obviously some strategy involved in this,” he said, adding that the attack could be “using computers from all over the world.”
Security researchers have long warned that the increasing number of devices being hooked up to the internet, the so-called Internet of Things, would present an enormous security issue. And the assault Friday, security researchers say, is only a glimpse of how those devices can be used for online attacks.
A spokeswoman, meanwhile, said the FBI and the Department of Homeland Security were looking into the outage and all potential causes, including criminal activity and a nation-state attack.
Kyle York, Dyn’s chief strategist, said his company and others that host the core parts of the internet’s infrastructure were targets for a growing number of more powerful distributed denial-of-service, or DDoS, attacks. “The number and types of attacks, the duration of attacks and the complexity of these attacks are all on the rise,” York said.
Dyn, based in Manchester, N.H., said it had fended off the assault by 9:30 a.m. But by 11:52 a.m., Dyn said it was again under attack. After fending off the second wave of attacks, Dyn said at 5 p.m. that it was again facing a flood of traffic.
A DDoS attack occurs when hackers flood the servers that run a target’s site with internet traffic until it stumbles or collapses under the load. Such attacks are common, but there is evidence that they are becoming more sophisticated and increasingly aimed at core internet infrastructure providers.
Going after companies like Dyn can cause far more damage than aiming at a single website.
Dyn is one of many outfits that host the Domain Name System, or DNS, which functions as a switchboard for the internet. The DNS translates user-friendly web addresses like fbi.gov into numerical addresses that allow computers to speak to one another. Without the DNS servers operated by internet service providers, the internet could not operate.
In this case, the attack was aimed at the Dyn infrastructure that supports internet connections. While the attack did not affect the websites themselves, it blocked or slowed users trying to gain access to those sites.
York said in an interview Friday during a lull in the attacks that the assaults on its servers were complex.
“This was not your everyday DDoS attack,” York said. “The nature and source of the attack is still under investigation.”
Later in the day, Dave Allen, general counsel at Dyn, said tens of millions of internet addresses, or so-called IP addresses, were being used to send a fire hose of internet traffic at the company’s servers. He confirmed that a large portion of that traffic was coming from internet-connected devices that had been co-opted by a recently discovered type of malware, called Mirai.
Amazon said on a site showcasing the status of its web services that some customers had trouble connecting to endpoints in its Northern Virginia region between 4:30 and 6:11 a.m. Pacific time. A similar problem was seen in its Ireland region, the company said.
Amazon said the root of the problems laid with an unspecified third-party Domain Name System provider. “We have now applied mitigations to all regions” to prevent similar effects, Amazon said, adding that during the outage, all the security controls of its cloud-computing service continued to operate normally.
Dale Drew, chief security officer at Level 3, an internet service provider, found evidence that roughly 10 percent of all devices co-opted by Mirai were being used to attack Dyn’s servers. Just one week ago, Level 3 found that 493,000 devices had been infected with Mirai malware, nearly double the number infected last month.
Allen added that Dyn was collaborating with law enforcement and other internet service providers to deal with the attacks.
In its most recent DDoS trends report, VeriSign, a registrar for many internet sites that has a unique perspective into this type of attack activity, reported a 75 percent increase in DDoS attacks from April through June, compared with the same period last year.
The typical attack more than doubled in size. What is more, the attackers were simultaneously using different methods to attack the company’s servers, making them harder to stop.
The most frequent targets, by far, were businesses that provide internet infrastructure services like Dyn.
“DNS has often been neglected in terms of its security and availability,” Richard Meeus, vice president for technology at Nsfocus, a network-security firm, wrote in an email. “It is treated as if it will always be there in the same way that water comes out of the tap.”
Last month, Bruce Schneier, a security expert and blogger, wrote on the Lawfare blog that someone had been probing the defenses of companies that run crucial pieces of the internet.
“These probes take the form of precisely calibrated attacks designed to determine exactly how well the companies can defend themselves, and what would be required to take them down,” Schneier wrote. “We don’t know who is doing this, but it feels like a large nation-state. China and Russia would be my first guesses.”
It is too early to determine who was behind Friday’s attacks, but it is this type of DDoS attack that has election officials concerned. They are worried that an attack could keep citizens from submitting votes.
Thirty-one states and the District of Columbia allow internet voting for overseas military and civilians. Alaska allows any Alaskan citizens to do so. Barbara Simons, the co-author of the book “Broken Ballots: Will Your Vote Count?” and a member of the board of advisers to the Election Assistance Commission, the federal body that oversees voting technology standards, said she had been losing sleep over just this prospect.
“A DDoS attack could certainly impact these votes and make a big difference in swing states,” Simons said Friday. “This is a strong argument for why we should not allow voters to send their voted ballots over the internet.”
This month the director of national intelligence, James Clapper, and the Department of Homeland Security accused Russia of hacking the Democratic National Committee, apparently in an effort to affect the presidential election. There has been intense speculation about whether President Obama has ordered the National Security Agency to conduct a retaliatory attack and the potential backlash this might cause from Russia.
Gillian Christensen, deputy press secretary for the Department of Homeland Security, said the agency was investigating “all potential causes” of the attack on Friday.
Vice President Joe Biden said on the NBC News program “Meet the Press” this month that the United States was prepared to respond to Russia’s election attacks in kind. “We’re sending a message,” Biden said. “We have the capacity to do it.”
But technology providers in the United States could suffer blowback. As Dyn fell under recurring attacks Friday, York, the chief strategist, said such assaults were the reason so many companies are pushing at least parts of their infrastructure to cloud computing networks, to decentralize their systems and make them harder to attack.