Friday’s Massive DDoS Attack on Dyn: Exposing the Security Flaws of the IoT

As many as three times this past Friday, massive DDoS attacks on one of the country’s major DNS service providers, Dyn, took down some of the biggest sites on the web. Twitter, Netflix, Reddit, and Spotify all suffered disruptions, and in some cases complete outages lasting several hours, as the company worked through the issues.

As the DNS service and its clients recover from this downtime, details around the Dyn DDoS attack are beginning to come to light. By mid-afternoon on Friday, Internet security journalist Brian Krebs, citing cyber-threat intelligence firm Flashpoint, announced via Twitter that the Dyn attack was the result of a Mirai-based IoT botnet. This was later confirmed by Dyn’s Chief Strategy Officer Kyle Owen.

Essentially, a Mirai botnet takes advantage of Internet of Things devices (like your Nest thermostat, for example) that still rely on their factory-default username and password credentials. After taking control of millions of smart home and other connected devices with weak security, Mirai directs them to overload target networks with garbage traffic and requests, turning those networks into cyber traffic jams.

Given the scope and severity of the outage, the Department of Homeland Security and the FBI are looking into Friday’s Dyn DDoS attack. Unfortunately, for the time being, that probably means little: the Mirai software is freely available online, according to Re/code, and with IoT devices in millions of homes and growing, the relative ease of pulling off an attack like this means we are likely to see similar outages recur in the future.