I hope somebody's paying attention. There's been another big DDOS attack, this time against the infrastructure of the Internet. It began at 7:10 a.m. EDT today against Dyn, a major DNS host, and was brought under control at 9:36 a.m. According to Gizmodo, which was the first to report the story, at least 40 sites were made unreachable to users on the US East Coast. Many of the sites affected are among the most trafficed on the web, and included CNN, Twitter, PayPal, Pinterest and Reddit to name a few. The developer community was also touched, as GitHub was also made unreachable.
This event comes on the heels of a record breaking 620 Gbps DDOS attack about a month ago that brought down security expert Brian Krebs' website, KrebsonSecurity. In that attack, Krebs determined the attack had been launched by botnets that primarily utilized compromised IoT devices, and was seen by some as ushering in a new era of Internet security woes.
There are differences in the two attacks, however. The attack on Krebs, while expensive to fight off, was launched against a single website and had little to no effect on the workings of the web itself. Today's attack focused on DNS, in effect the Internet's phone book for matching domain names with IP addresses, and therefore affected a slew of sites. A coordinated attack such as this, targeting numerous DNS servers, could temporarily make the Internet all but unusable nationwide.
So far there's been no indication from Dyn on either the size of the attack or on whether IoT devices were used. However, it's safe to assume that the attack was massive, as DNS servers are for obvious reasons generally well protected.
Whether or not this particular attack utilized IoT devices (almost undoubtedly, at least to some degree it did), today's action should be seen as yet another wake up call about a severe Internet vulnerability needing to be fixed. That today's attack wasn't against a single website but against the Internet itself should also be worrisome, especially since security experts have been recently raising red flags to warn us that essential public services, which includes our power grid and potentially our water supply, are also vulnerable.
We should also be concerned that the frequency of massive DDOS attacks is liable to increase, especially now that the black hats can easily add unintelligent "smart" devices to their aresenal. In a post about today's attack on Dyn, Krebbs points to recent extortion attempts against infrastructure providers that have been reported on WebHosting Talk.