How was the Internet of Things able to take down the Internet with a DDoS?

DDoS from IoT Devices On October 21st, a large number of websites, including some of the biggest names, were knocked off the Internet by a massive distributed denial-of-service (DDoS) attack. A DDoS attack occurs when thousands to millions of devices send traffic to a target, completely overloading its servers or Internet connection.

The recent attack targeted a company called DYN, a DNS service provider for thousands of companies. DNS translates the name of an Internet host like theprivacyblog.com and converts it to an IP address like 52.204.10.149. Your computer then uses this to do the actual communicating. By disrupting DYN, the attackers prevented this translation from happing for the companies DYN supports, making them unreachable for many users.

To cause this disruption, the attackers sent a staggering 1.2 Tbps (trillion bits per second) of data. Typical home Internet might max out at 15 Mbps (million bits per second). Therefore, this would be equivalent to 80,000 home connections simultaneously sending everything they could to this one company. In fact, this attack utilized many more devices, sending only a smaller amount of data each to add up to that gigantic total.

Interestingly, the attack did not use compromised personal computers (typically the most common method), but rather compromised Internet of Things (IoT) devices. IoT devices include surveillance cameras, smart TVs, home routers, and smart thermostats. Most of these are designed with very weak security and often have built-in, hard to change default passwords. A malware tool called  Marai, recently released to the public as source code, was the technology behind exploiting these vulnerable devices. Anyone could have used Marai to create an enormous swarm of compromised devices, which could be launched against any target they pleased.

Unfortunately, there is very little incentive for the makers of IoT devices to create them using real security. So far, they have not been held responsible for damages, and neither they nor their users typically experience any direct harm from the attacks. ISPs also have some ability to detect and block attacking traffic and vulnerable devices, but only at significant cost and annoyance to their legitimate customers.

Because these devices have a relatively long shelf life, it may take years after the makers are finally forced, in one way or another, to secure the devices before we see any real benefits from the change.

[Updated 10/27 to improve clarity]