How a DDoS Cyberattack Caused Widespread Internet Outage

(Image credit: acid2728k |

If you were trying to catch up on the latest news or check out what was trending on Twitter this morning, you might have received a message that said that your browser couldn't connect to the server. Twitter, Reddit, Spotify and even news sites such as CNN experienced a widespread outage early today due to a so-called DDoS cyberattack that affected many users on the East Coast of the United States, according to several news outlets. How does this attack work, and what does it do?

The culprit behind the outage is what's known as a distributed denial-of-service attack, or DDoS, which was mounted against a company called Dyn DNS. It's one of the more common types of cyberattack, though today's incident was a bit more widespread than usual, because most attacks focus on one site. One of the largest DDoS attacks ever targeted the BBC sites and its on-demand media service, reported The Hacker News.

A DDoS attack works by essentially overloading the target server with requests to connect. This is not unlike overwhelming a receptionist at a big company with phone calls, bombarding the phone lines with calls. [The 8 Craziest Intelligence Leaks in US History]

Ordinarily, a phone call comes in, and it can be directed to the right person or extension. Sometimes, lots of calls come in and a secretary can put you on hold before eventually connecting the call. But now, imagine if the number of those incoming calls goes way up. The poor receptionist can't field all of the calls at the same time, so lots of people would end up on hold for longer periods of time, while other callers wouldn't be able to get through at all, because all the lines are busy.

With a DDoS attack, replace phone calls with requests to connect to a website via the internet. Essentially, the server gets overwhelmed. The "distributed" part of the acronym is because the requests can come from many places, and, as the name suggests, and can deny the website's service to others. DDoS attacks can take a number of forms, but the basic principle is the same: take up all the bandwidth with lots of traffic.

To mount a DDoS cyberattack, a hacker needs lots of machines that are set to make a request. One way to get lots of requests to a website is to send out a bot. A bot (short for "robot") is a program that will do things automatically, such as try to connect to a website, or carry out some computing tasks. Bots have a lot of legitimate uses in distributed computing, such as when there's a task that no one machine can handle on its own. But, bots have become more famous in recent years for their use in cyberattacks.

One way to distribute a bot to many computers is via a virus, or malware, according to Incapsula, one of many providers of Internet security and DDoS defense. Such malware can operate in the background and the infected computer user isn't even aware of what's happening.

There are also voluntary DDoS attacks, such as what's known as a Low Orbit Ion Cannon (LOIC), according to Radware. This is a simple program that's designed to flood servers with connection requests and it's often used to "stress test" networks. LOIC has also been used for more malicious means, including by the hackers group Anonymous when they used the program to attack the Recording Industry Association of America site in 2010. LOIC is considered to be a relatively primitive program now, because the kinds of attacks it mounts aren't always distributed and can thus be traced to a single IP address — in other words, a single computer. But, the principle is the same one that's used in more sophisticated hacks. [Best Hacks by the Hacktivist Group 'Anonymous']

In the case of today's DDoS attack, though, more than one website was affected. This is because instead of flooding a single site with connection requests, the attacker went after Dyn, which provides part of the Domain Name System, or DNS. The DNS is the directory that your computer connects with to match a website name — for instance, — to a string of numbers, which is the IP address (similar to the way you look up a phone number by name in a phone book).

An attacker flooded Dyn with traffic, which overwhelmed the company's ability to handle it. As such, whenever a user tried to connect to Twitter, for instance, he or she wasn't able to do it, even though Twitter itself was still operational. Another way to think about it is if you went to a library to look up a number in a phone book, but someone hired a bunch of people to grab all the copies before you could get there.

As of Friday afternoon it appears the attacks are ongoing, though the exact details have yet to be determined.

Original article on Live Science.

Jesse Emspak
Live Science Contributor
Jesse Emspak is a contributing writer for Live Science, and Toms Guide. He focuses on physics, human health and general science. Jesse has a Master of Arts from the University of California, Berkeley School of Journalism, and a Bachelor of Arts from the University of Rochester. Jesse spent years covering finance and cut his teeth at local newspapers, working local politics and police beats. Jesse likes to stay active and holds a third degree black belt in Karate, which just means he now knows how much he has to learn.