If you kept trying to access Twitter, Reddit, Spotify or Netflix during Friday’s massive internet outage, you were part of the problem.
Dyn, the company that manages traffic for those sites and that toppled under a huge cyberattack last week explained in a blog post Wednesday how it all went wrong.
Innocent attempts to reload pages on the sites just made things worse, the company said, causing servers to refresh their caches and creating “a storm of legitimate retry activity.”
“When…traffic congestion occurs, legitimate retries can further contribute to traffic volume,” wrote Scott Hilton, Dyn’s executive vice president of product. “We saw both attack and legitimate traffic coming from millions of [computing devices] across all geographies.”
New Hampshire-based Dyn confirmed that Mirai malware launched by a botnet made up the core of the distributed denial-of-service attack.
DDoS attacks work by clogging servers with traffic, essentially making it impossible for others to visit a website’s pages. Mirai has been the malicious software behind several notorious DDoS attacks recently, taking down cybersecurity expert Brian Krebs’ website by flooding it with 620 gigabits per second of traffic in September.
The malware hijacks internet of things devices — any simple household object with an internet connection — and enlists them in its massive botnet to take down websites in a coordinated swoop. Such IoT devices include surveillance cameras, DVRs, Smart TVs and refrigerators.
The first wave of attacks on Dyn came in from 7:10 a.m. to 9:20 a.m. ET, just as internet users on the East Coast were waking up and noticing that websites were down. The attacks had come from all over the world, and specifically targeted Dyn’s points on the East Coast.
The offensive swarmed swiftly, with high-volume floods of data packets disguised to look as if real users were trying to access pages. Traffic bursts were 40 to 50 times higher than normal, Dyn said. The sophisticated attack forced the company’s engineers to work on top of a server’s automated responses.
After about two hours, Dyn managed to fend off the attack, but not for long. The second wave struck at about 11:50 a.m. ET, just two hours after the dust had settled from the first assault.
Because the tactics were about the same, though, Dyn was able to get its servers back up in about half the time, the company said, despite the second strike being from more locations. The aftermath from the DDoS attacks lingered on until about 4 p.m. ET on Friday.
Dyn is cooperating with a criminal investigation and declined to speculate on why it was attacked.