The Washington PostDemocracy Dies in Darkness

‘Internet of Things’ compounded Friday’s hack of major websites

What happens when you send an e-mail or buy something online? Most of what we do on the Internet requires sending data thousands of miles to other computers. But how does the data know where to go, and can it get lost or stolen along the way? (Video: Julio C. Negron, Craig Timberg and Jorge Ribas/The Washington Post)

A key part of the Internet's infrastructure was hit by a series of attacks Friday, causing major services such as Twitter, Spotify and PayPal to be inaccessible for many users around the world.

The attacks targeted Dyn, a company that helps people connect to websites, with a huge amount of traffic in an attempt to knock the service offline, the firm said. The incident showed how a digital assault on just one company can disrupt a huge chunk of the Internet.

Dyn chief strategy officer Kyle York said the source of some of the traffic that attacked the company came from compromised "Internet of Things" devices which include everyday items like baby monitors, webcams and even thermostats that can connect to the Internet.

The first cyberattack occurred around 7 a.m. Eastern, and primarily affected users on the East Coast, according to Dyn. It was resolved at roughly 9:20 a.m., the company said. Then a second attack began around 11:50 a.m., and a third attack in the afternoon, according to the company. The later attacks spread further, disrupting access to major sites for users in many different parts of the world, York said.

The attacks disrupted so many sites because New Hampshire-based Dyn is one of a handful of major Domain Name System, or DNS, service providers. DNS works sort of like a phone book for the Internet — translating URLs into the numerical IP addresses for the servers that actually host sites so your browser can connect to them.

On a call with reporters Friday afternoon, the company said they were still responding to the attacks.

"This is hitting our network from tens of millions of IP addresses around the world," York said. The third wave of attacks was resolved around 6 p.m. according to Dyn.

It remains unclear who was behind the attacks.

Issues with Amazon Web Services, a cloud hosting provider relied on by many popular sites, also occurred Friday morning. A status update posted on its website noted disruptions at roughly the same time as the first attack against Dyn.

“The root cause was an availability event that occurred with one of our third party DNS service providers,” the company said, although it did not specifically cite Dyn. (Amazon chief executive Jeff Bezos owns The Washington Post.)

The Department of Homeland Security said it is looking into the issue. "We're aware and are investigating all potential causes," DHS deputy press secretary Gillian Christensen said in an e-mailed statement.

The type of attacks targeting Dyn are commonly known as distributed denial of service, or DDoS attacks.

Last week a DHS cyber defense team warned that new strains of malware are using Internet of Things devices to carry out these attacks. In particular, the group warned about the source code for a variant called "Mirai" being released online.

One of the first major instances of Internet of Things devices being used this way was a record-breaking attack on journalist Brian Krebs's website last month, as Krebs himself reported.

Dyn helped Krebs investigate the attack and recently presented research on the case.

Experts have long warned that many Internet of Things devices are poorly secured -- often due to the speed at which they are brought to market.

"It's important for [Internet of Things] vendors who haven't prioritized security to take this escalating series of attacks as a wake-up call," said Casey Ellis, the founder of crowd-sourcing cybersecurity firm Bugcrowd. "We're entering a period where this is very real, calculable, and painful impact to having insecure products."

DDoS attacks, in general, have become more powerful and more frequent.

A recent report from cloud security provider Akamai said it saw a 129 percent increase in DDoS attacks against its customers in the second quarter of 2016 versus the same period last year.

That combination makes DDoS attacks hard for major sites to withstand, even services like Dyn that have regularly fended them off in the past.

"It's a real challenge," said York.

See where the Internet lives: Inside Google’s data centers

Thousands of feet of pipe line the inside of our data centers. We paint them bright colors not only because it's fun, but also to designate which one is which. The bright pink pipe in this photo transfers water from the row of chillers (the green units on the left) to a outside cooling tower. Douglas County, Georgia. See where the Internet lives: Take a look inside Google’s data centers around the world. See photos of the technology, people, and places that keep our products online. (Connie Zhou/Google)