Krebs wrote that releasing that software, called Mirai, “virtually [guaranteed] that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.”
The first of those attacks to be successful on a broadly destructive scale transpired on Friday.
“This feels new,” Bruce Schneier, a long-time computer-security researcher, told me by phone on Friday. “There hasn’t been a successful attack like this before.” There have been many unsuccessful ones that may have been larger, he added.
Andy Ellis, the chief security officer at Akamai, agreed. Akamai is one of the largest distributed cloud services on the web, serving between 15 and 30 percent of all web traffic. Some of its DNS products compete with Dyn’s.
“You never know how big an attack is on someone else,” said Ellis. He said this was a “watch-and-see” moment: Until Dyn describes the attack further, the security community would not know if this was an attack of unprecedented size or if it was one that had happened to find a specific weakness.
Neither Schneier nor Ellis would speculate about who might have perpetrated the attack.
“It could be orange elephants who became literate, for all we know,” Schneier said. “It might be three guys in Topeka.”
On his website, Krebs pointed out that a Dyn security researcher gave a talk on Thursday about the perils of internet-of-things botnets and the history of one DDoS mitigation firm in particular. Sometimes a retribution-style attack can follow a presentation of this type.
The attack demonstrates the fearsome power of internet-of-things botnets. Last month, Schneier argued in Motherboard that the government must regulate internet-of-things cybersecurity. “The market can’t fix this because neither the buyer nor the seller cares,” he wrote:
What this all means is that the [internet of things] will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on [internet of things] manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.
Ellis struck a less apocalyptic tone when he described the situation on the phone to me.
“Historically, when you see new attack capabilities show up—in volume or type of attack—you see some outages, then you see people adapting, then people make the investments needed to scale up infrastructure,” he said.
This isn’t even the first immobilizing attack on a DNS server ever. On the morning of June 15, 2004, a DDoS assault on Akamai’s DNS servers effectively blocked access to the websites of Apple, Google, Microsoft, and Yahoo. That outage did not last as long as Friday’s assault, though.