
A map of the parts of the internet affected by Friday’s attack. The redder an area is, the more heavily it was affected.
If you've been reading about the cyberattack that took place last Friday and are confused by the jargon and technobabble, this primer was written for you! By the end of this article, you'll have a better understanding of what happened, what caused it, and what can be done to prevent similar problems in the future.

While I've gone to great lengths to make this article easily understood by non-techies, it's still a little long because of all the material that has to be covered. Feel free to grab your favorite beverage before settling in to read it!
Before I explain the attack, let's cover some terminology. It'll make it easier to understand what happened…
What's DNS?

DNS is short for Domain Name System. It translates domain names (names like google.com, slideshare.net, wikipedia.org, and so on) into their corresponding IP (internet protocol) addresses, each of which is a set of numbers that identifies a computer connected to the internet. Anything that talks on the internet needs an IP address; without one, there's no way for it to send or receive information. (At home, your devices usually share the single public address assigned to your router, which hands out private addresses inside the house.)
DNS is often described as "the phone book of the internet": just as old-school printed phone books were used to look up the phone number corresponding to a given name, DNS is used to look up the IP address corresponding to a given domain name. As you might have deduced, DNS is a key part of internet infrastructure; without it, connecting to anything on the internet is much, much harder.
If you'd like a more in-depth (but still non-techie-friendly) explanation of DNS, I recommend reading George Flanagin's DNS Explained So You Can Understand.
What's a denial-of-service attack?

A denial-of-service attack, often called by its short form, a "DoS attack", is an attempt to make a network resource, such as a web site or service, unavailable to its intended users. This is typically done by having computers bombard a site or service with superfluous or nonsense requests so that its ability to fulfill real requests is either reduced or eliminated. Wikipedia has a good analogy for DoS attacks: "It is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter into the shop or business, disrupting normal operations."
You'll often see the term "DoS" with an extra D: "DDoS". That's short for distributed denial-of-service attack: a denial-of-service attack performed by a large number of computers, often spread throughout the globe. These days, most denial-of-service attacks are distributed ones, so in everyday use the two terms are nearly interchangeable. The "distributed" part matters a great deal to the people defending against the attack, though: traffic from a single source can simply be blocked by address, while traffic from hundreds of thousands of sources looks a lot more like a crowd of legitimate visitors.
If you'd like to learn more about DoS/DDoS attacks, Digital Attack Map's Understanding DDoS page is a layperson-friendly starting point.
What's Dyn, and what do they do?

Dyn is a company that sells all sorts of internet infrastructure services, including DNS, which was the first service they provided.
The "phone book of the internet" analogy is a big simplification of how DNS actually works. There isn't one phone book; the job of resolving domain names into IP addresses is split between a large number of internet-connected computers playing two different roles. Resolvers are the servers your computer actually asks; when you connect to the internet at home or in a small office, chances are you're using the resolvers your internet service provider runs for free as part of the service. Authoritative servers hold the official records for particular domain names, and a resolver that doesn't already know an answer has to go and ask them. Resolvers remember each answer for a while (the record's "time to live", or TTL) so they don't have to ask again for every single lookup.
There are times when the DNS provided by an internet service provider won't cut it, and that's where third-party DNS services come in handy. Some home internet service providers run resolvers that are slow or unreliable; I once had a home provider that gave me great bandwidth but terrible DNS. In such cases, you can switch to the free resolvers provided by Google by changing your computer's network settings. Then there's the other role: popular sites and online services get so many lookups from resolvers all over the world that they need someone to host their authoritative records on servers designed for high throughput and reliability. Dyn provides that service to businesses that deal with large volumes of internet traffic, including Twitter, Zappos, and Etsy. That's the role that matters for this story: when Dyn's servers couldn't answer, resolvers everywhere lost their source of truth for those companies' domain names, and once the answers they had cached expired, their users couldn't get to the sites.
There are a number of reasons to use third-party DNS instead of the service provided by your internet service provider. Digital Citizen lists them in their article, 6 reasons why you should use third-party public DNS servers.
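To make the resolver/authoritative split concrete, here is a small simulation added to this article in editing; it is not code from Dyn, from the original author, or from any real DNS software. It models a caching resolver in front of an authoritative server that goes offline for a while, the way Dyn's did. The domain name, the address and the timings are all made up. It shows why the outage didn't hit everyone at the same instant, and why sites with short cache lifetimes (TTLs) disappeared first.

```python
"""Toy model of DNS resolution: a caching resolver in front of an
authoritative server that can be knocked offline.

Constructed example added to this article; it is not code from Dyn or from
any real DNS software. The domain name, address and timings are made up."""
from dataclasses import dataclass, field


class AuthoritativeDown(Exception):
    """Raised when the authoritative server gives no answer (as under a DDoS)."""


@dataclass
class AuthoritativeServer:
    """Holds the official records for some names: the role Dyn plays for its
    customers. `records` maps name -> (ip, ttl_seconds)."""
    records: dict
    online: bool = True

    def query(self, name):
        if not self.online:
            raise AuthoritativeDown(name)
        return self.records[name]


@dataclass
class CachingResolver:
    """The resolver your ISP (or Google) runs for you: it asks the authority
    only when it has no fresh answer in its cache."""
    upstream: AuthoritativeServer
    cache: dict = field(default_factory=dict)   # name -> (ip, expires_at)
    upstream_queries: int = 0

    def resolve(self, name, now):
        cached = self.cache.get(name)
        if cached is not None and cached[1] > now:
            return cached[0]                     # fresh: authority never contacted
        ip, ttl = self.upstream.query(name)      # raises AuthoritativeDown if offline
        self.upstream_queries += 1
        self.cache[name] = (ip, now + ttl)
        return ip


SITE = "example-site.test"   # made-up name; 203.0.113.0/24 is reserved for documentation


def simulate(ttl_seconds, outage_start, outage_end, step=60):
    """Look SITE up once every `step` seconds from t=0 until the outage ends,
    with the authority offline during [outage_start, outage_end).
    Returns the list of times (seconds) at which the lookup failed."""
    authority = AuthoritativeServer({SITE: ("203.0.113.10", ttl_seconds)})
    resolver = CachingResolver(authority)
    failures = []
    for now in range(0, outage_end + step, step):
        authority.online = not (outage_start <= now < outage_end)
        try:
            resolver.resolve(SITE, now)
        except AuthoritativeDown:
            failures.append(now)
    return failures


if __name__ == "__main__":
    # A 19-minute outage starting 11 minutes in, seen through two different TTLs.
    short = simulate(ttl_seconds=300, outage_start=660, outage_end=1800)
    long_ = simulate(ttl_seconds=3600, outage_start=660, outage_end=1800)
    print(f"TTL 300 s : {len(short)} failed lookups, first at t={short[0]} s")
    print(f"TTL 3600 s: {len(long_)} failed lookups")
```

With a five-minute TTL the site keeps resolving for four minutes after the authority goes dark and then fails on every lookup until the authority is back; with a one-hour TTL the outage passes unnoticed. Big sites tend to use short TTLs so they can move traffic around quickly, which is part of why they vanished so fast on Friday. Real resolvers add a few wrinkles (some will hand out an expired answer when the authority is unreachable), but the shape is the same.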
What's the internet of things?

The "internet of things", often shortened to IoT, is a catch-all term that we use to describe everything connected to the internet that we don't usually think of as a computer. A "smart thermostat" that lets you use an app to adjust the temperature in your house while you're on your way home is an IoT device. So is a home security system that you can activate remotely and that notifies you of break-ins even when you're on the other side of the world. So are internet-enabled security cameras that let you keep an eye on your home and pets through a web site while you're at the office.
The things in the internet of things are typically connected to the internet as one or both of the following:
- As a sensor, providing some kind of measurement data, such as temperature, speed, signals from an RFID chip or tag, pressure, sounds picked up by a microphone, sights caught by a camera, and so on. These devices have sensors that can take real-world measurements and turn them into digital data that can then be transmitted on the internet.
- As a computer, performing some number-crunching and causing some action to be taken, with some examples being: turning on the air conditioning or heating, rotating a camera in a certain direction, and unlocking or locking a door. These devices have small computers embedded in them, some with power that rivals desktop computers from only a few years ago.
A number of internet-of-things devices connect to the internet as both sensor and computer. For example, a smart thermostat functions as a sensor when getting the temperature of the room, and as a computer when turning on cooling or heating to reach a desired temperature. A smart camera functions as a sensor when taking video, and as a computer when changing its focus or direction.
IBM's video, How It Works: Internet of Things, is a good primer on the internet of things and some of its practical applications.
What's a botnet?

A botnet (the term is a combination of "robot" and "network") is a collection of internet-connected computers networked together and using their spare processing power and network bandwidth to perform some kind of coordinated (and usually malicious) action. The computers on a botnet are usually commandeered without the approval or knowledge of their owners.
- On desktop and laptop computers (as well as some less-secure mobile devices), this is typically done by tricking the user into installing malware without his or her knowledge, which lets the botnet controller use any spare processing power and network bandwidth that the computer's owner isn't using.
- On IoT devices, it's often done by taking over their embedded computers. Many of these devices have a built-in account with easy-to-guess or easy-to-find usernames and passwords that grants full control over them, and many of them accept logins over the internet through telnet. Malware families such as Mirai and Bashlite (sometimes spelled Bashlight) scan the internet for these easily-compromised devices, try the well-known usernames and passwords, and use the accounts that work to take the devices over.
Once you have a botnet, you can harness its power to do all sorts of unsavory things. Two of the most popular uses for botnets are sending spam and launching denial-of-service attacks.
For more on botnets, see How-To Geek's article, What is a botnet?
Okay, you just defined five technical things. Now can you tell me what happened to the internet on Friday, October 21, 2016?

Hackread's animation of what happened last Friday. Click the image to see the source.
Here's what happened, using all the terminology we just covered:
On Friday, October 21, 2016, starting shortly after 7:00 a.m. EDT (11:10 UTC, according to Dyn), a botnet made up of a very large number of machines (early reports spoke of tens of millions of IP addresses; Dyn later revised its estimate to up to 100,000 attacking devices), a large number of which were IoT devices, mounted a denial-of-service attack on Dyn, disrupting DNS over a large part of the internet in the U.S. This in turn led to a large internet outage on the U.S. east coast, slowing down the internet for many users and rendering a number of big sites inaccessible, including Amazon, Netflix, Reddit, Spotify, Tumblr, and Twitter. The attack came in waves through the day: Dyn beat back the first one within a couple of hours, and a second wave hit around noon Eastern time.
Flashpoint, a firm that detects and mitigates online threats, was the first to announce that the attack was carried out by a botnet of compromised IoT devices controlled by Mirai malware. Dyn later corroborated Flashpoint's claim, stating that their servers were under attack from devices located at a huge number of IP addresses.
The animation above is a visualization of the attack based on the devices' IP addresses and IP geolocation (a means of approximating the geographic location of an IP address; for more, see this explanation on Stack Overflow). Note that the majority of the devices were at IP addresses (and therefore, geographic locations) outside the United States.
What's "Mirai" all about?

The anime character “Anna-Senpai”, a.k.a. Anna Nishikinomiya. Yes, this is where it gets a little weird.
As I mentioned earlier, Mirai is the name of the malware that was used to seize control of poorly-secured IoT devices and coordinate them into Friday's attack. It propagates itself by continuously scanning the internet for IoT systems that accept telnet logins and can be taken over by logging into them with built-in default or hard-coded usernames and passwords. Each newly captured device then joins in the scanning, which is how the botnet grows so quickly.
Friday's attack isn't the first Mirai attack to make the news. In September, internet security journalist Brian Krebs' Krebs on Security site was targeted by a Mirai botnet in an attack so large that Akamai, the content delivery network that had been protecting the site for free, dropped it rather than keep absorbing the cost (that's no mean feat; take a look at their customers to get an idea of the amount of data they can distribute through the internet). The attack on Krebs' site was likely in retaliation for his series of articles on the takedown of vDOS, a DoS-for-hire business (yes, there's a business model for denial-of-service attacks). The publication of these articles coincided with the arrest of two men that Krebs named as vDOS's founders.
On Friday, September 30th, someone going by the name of and using the image of "Anna-Senpai" (a character from the Japanese light novel and animated series Shimoneta: A Boring World Where the Concept of Dirty Jokes Doesn't Exist; I told you it would get a little weird, didn't I?) posted the source code of Mirai to Hackforums, an online discussion board where people who like to break into and disrupt other people's computers hang out. Anna-Senpai released the source code as part of an announcement that s/he was getting out of the DoS-for-hire business, as s/he was under growing scrutiny from people in the internet security business (and likely law enforcement as well). Here's what s/he wrote:
"When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there's lots of eyes looking at IOT now, so it's time to GTFO." [Here's the Urban Dictionary definition of GTFO, in case you need it. Be advised that the "F" in GTFO is a swear word.]
Continuing the anime-fan theme, "Mirai" is a less-common Japanese girl's name. It means "future".
Krebs has a good guess as to why Anna-Senpai released the code into the wild:
It's an open question why anna-senpai released the source code for Mirai, but it's unlikely to have been an altruistic gesture: Miscreants who develop malicious software often dump their source code publicly when law enforcement investigators and security firms start sniffing around a little too close to home. Publishing the code online for all to see and download ensures that the code's original authors aren't the only ones found possessing it if and when the authorities come knocking with search warrants.
The publication of Mirai's source code will likely have the following short- and long-term effects:
- In the short term, it will enable a number of reasonably tech-savvy, socially-maladjusted people to launch their own attacks, including the one we saw on Friday. This will also hinder attempts by law enforcement to find the parties responsible for creating Mirai and using it.
- In the long term, it will help prevent future attacks based on Mirai's approach. Internet security professionals are already studying the code to find ways to counter it: the list of credentials it tries tells device owners and vendors exactly which accounts to lock down, and the way it scans and talks to its controllers gives network operators something concrete to detect and block.
What are these poorly-secured IoT devices?

Brian Krebs has been working overtime recently, and covered this topic well in an article titled Who Makes the IoT Things Under Attack? This is where the publication of Mirai's source code turned out to be a good thing: it contains the list of usernames and passwords it uses to log into poorly-secured IoT devices. By matching these against the known factory default settings of IoT devices, it was possible to work out which makes and models of IoT devices were being compromised.
Krebs published a list of compromised IoT devices, including the usernames and passwords used by Mirai to gain unauthorized access to them. Many of these passwords are so laughably bad that your email service or online bank wouldn't let you use them, and in one case, the Vivotek IP camera, there's no password at all.
A number of these username/password combinations are for maintenance purposes and hard-coded into the devices' firmware; they cannot be changed by their users, so changing the password you see in the device's settings screen doesn't close the hole. Imagine manufacturing hundreds of thousands, or even millions, of cars or door locks that can all be opened with the same, easily-copied key. That's pretty much what these manufacturers have done.
Chinese technology manufacturer Hangzhou Xiongmai Technology (which often refers to itself as "XM") has admitted that some of its products, which include webcams, digital video recorders, and white-label components used by other device vendors, were partially responsible for Friday's attack. At the time of writing, its response has been to recall a pitifully small number (10,000) of its webcams, and to threaten legal action against anyone who it says tarnishes its brand.
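Here is what "matching logins against the known defaults" looks like in practice, as a worked example added to this article in editing; it is not code from the original author, from Krebs, from Mirai, or from any device vendor. It does two things: checks whether a given username and password is one Mirai will try (so you can test your own devices' accounts), and reads a device's login log to spot a source that is working through Mirai's dictionary. MIRAI_DEFAULTS is a small subset of the pairs in the published scanner code; the telnet log format and the sample log lines are made up for the example.

```python
"""Spot Mirai-style default-credential logins.

Constructed example added to this article; it is not code from the article,
from Krebs, or from the Mirai source. MIRAI_DEFAULTS is a small subset of
the username/password pairs in the published Mirai scanner. The log format
and the sample lines are made up for the example."""
import re
from collections import defaultdict

# Subset of the pairs Mirai's scanner tries (the published table is longer).
# An empty string means the account has no password at all.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("root", "123456"), ("root", "54321"), ("support", "support"),
    ("root", ""), ("admin", "password"), ("root", "root"),
    ("root", "12345"), ("user", "user"), ("admin", ""),
    ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("ubnt", "ubnt"), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
}


def is_mirai_default(username, password):
    """True if this credential is one Mirai's scanner will try.
    Run it against your own devices' accounts before an attacker does."""
    return (username, password) in MIRAI_DEFAULTS


# Hypothetical telnet daemon log line (assumed format, not a real vendor's):
#   <timestamp> telnetd: login from <ip> user=<name> pass=<password> result=<ok|fail>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) telnetd: login from (?P<ip>[\d.]+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return the fields of a login line as a dict, or None for other lines."""
    match = LOG_LINE.match(line)
    return match.groupdict() if match else None


def find_mirai_scanners(lines, min_dictionary_hits=3):
    """Return {ip: {"dictionary_hits": n, "compromised": bool}} for sources
    that tried at least `min_dictionary_hits` distinct Mirai-dictionary
    credentials, or that logged in successfully with any one of them."""
    tried = defaultdict(set)       # ip -> distinct dictionary credentials tried
    compromised = set()            # ips that got in with a dictionary credential
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        credential = (event["user"], event["pw"])
        if not is_mirai_default(*credential):
            continue               # ordinary typo or a real user; ignore
        tried[event["ip"]].add(credential)
        if event["result"] == "ok":
            compromised.add(event["ip"])
    report = {}
    for ip, credentials in tried.items():
        if len(credentials) >= min_dictionary_hits or ip in compromised:
            report[ip] = {"dictionary_hits": len(credentials),
                          "compromised": ip in compromised}
    return report


# Constructed sample log: one Mirai-style scan that succeeds on its fourth
# try, one legitimate user who mistypes once, and one lone dictionary guess.
SAMPLE_LOG = """\
2016-10-21T11:02:01Z telnetd: login from 198.51.100.7 user=root pass=xc3511 result=fail
2016-10-21T11:02:02Z telnetd: login from 198.51.100.7 user=root pass=vizxv result=fail
2016-10-21T11:02:03Z telnetd: login from 198.51.100.7 user=admin pass=admin result=fail
2016-10-21T11:02:04Z telnetd: login from 198.51.100.7 user=root pass=888888 result=ok
2016-10-21T11:05:40Z telnetd: login from 192.0.2.44 user=alice pass=Tr0ub4dor&2 result=fail
2016-10-21T11:05:45Z telnetd: login from 192.0.2.44 user=alice pass=Tr0ub4dor&3 result=ok
2016-10-21T11:07:10Z telnetd: login from 203.0.113.9 user=root pass=root result=fail
"""

if __name__ == "__main__":
    for ip, info in find_mirai_scanners(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
    print("root with no password is a Mirai default:", is_mirai_default("root", ""))
```

On the sample log, only 198.51.100.7 is reported: it tried four distinct dictionary entries and the fourth worked, so the device should be treated as compromised. The lone root/root guess from 203.0.113.9 stays below the threshold, and alice's typo never matches the dictionary at all. The threshold exists because a single dictionary hit can be an administrator who simply never changed a default; a run of different defaults from one address in a few seconds is a scanner. The catch the article points out still applies: if the dictionary credential is hard-coded in the firmware, knowing it is in use does not let you change it, and the fix is to keep telnet off the internet.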
What can you do?

If you're reading this, it's quite likely that you're based in North America. Given that most of the attack traffic came from outside North America and originated on devices that aren't common in North America, it's unlikely that any of your devices were part of Friday's botnet. However, that doesn't mean they couldn't be used in future attacks.
As individuals, the best thing we can do is secure our home routers. They act as the gateway that our devices at home use to reach the internet, and they're the first, best place to take security measures. You'll need to access your router's settings (these are different for various makes and models, so you'll have to consult the manual) and perform these steps:
- Change the administrative password for your router. By "administrative password", I mean the password used to access the settings for the router, not the password to get on the wifi network. Mirai works by logging into devices using default usernames and passwords, so make sure you're not using the default password!
- Disable remote management, especially remote management through telnet. Telnet is an old protocol that lets one computer log into and control another; it sends everything, including passwords, unencrypted, and for most non-techie users it isn't useful. Mirai's scanner looks specifically for telnet, so disabling remote management and telnet cuts off its main avenue to the devices on your home network.
- Disable Universal Plug-and-Play (also known as UPnP). It's a protocol designed to let devices on home networks find and communicate with each other, and most routers have it enabled by default. The problem is that it also lets any device inside your home ask the router to open a hole in the firewall to the internet, no questions asked; that's one way an IoT device's telnet port ends up reachable by scanners like Mirai's. Disabling it is unlikely to make any difference in the way you use your devices at home (a few games and media devices may need a port forwarded by hand instead).
If your router is more than a few years old, get a new one. This is even more important if you've been using your current one without a password or with the default one. You may find that in addition to being more secure, it's also faster.
If you're using the default password on any device, change it now! Once again, part of Mirai's effectiveness is based on our laziness: it counts on people not changing the default passwords on their devices, and uses those defaults to gain access without permission.
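To confirm that the telnet step above actually took effect, here is a small check added to this article in editing; it is not code from the original author, from Mirai, or from any router vendor. It tries to connect to the two ports Mirai's scanner probes, 23 and 2323, on every address in a home network and reports the ones that answer. The 192.168.1.0/24 range in HOSTS is an assumption; change it to whatever your router's settings page shows. The self_check function opens a throwaway listener on your own machine so the logic can be exercised without touching the network.

```python
"""Find devices on the home network that accept connections on the ports
Mirai's scanner probes (telnet on 23 and 2323).

Constructed example added to this article; it is not code from the article,
from Mirai, or from any router vendor. HOSTS assumes a 192.168.1.0/24 home
network, which is an assumption you should adjust."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor, as_completed

MIRAI_TELNET_PORTS = (23, 2323)                       # the ports Mirai scans
HOSTS = [f"192.168.1.{n}" for n in range(1, 255)]     # assumed home subnet


def port_open(host, port, timeout=0.5):
    """True if a TCP connection to host:port completes within `timeout`."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, no route: all mean "not open"
        return False


def exposed_ports(hosts, ports=MIRAI_TELNET_PORTS, timeout=0.5, workers=64):
    """Return {host: [open ports]} for every host with at least one open port,
    probing in parallel so a /24 finishes in seconds rather than minutes."""
    findings = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        jobs = {pool.submit(port_open, h, p, timeout): (h, p)
                for h in hosts for p in ports}
        for job in as_completed(jobs):
            host, port = jobs[job]
            if job.result():
                findings.setdefault(host, []).append(port)
    for open_list in findings.values():
        open_list.sort()
    return findings


def _throwaway_listener():
    """Open a listening socket on 127.0.0.1 (port chosen by the OS) that
    accepts one connection, so the probe can be exercised without a network.
    Returns (port, close_function)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)

    def accept_one():
        try:
            conn, _ = server.accept()
            conn.close()
        except OSError:
            pass                                  # listener closed before accept

    threading.Thread(target=accept_one, daemon=True).start()
    return server.getsockname()[1], server.close


def self_check():
    """Offline demonstration. Returns (found_while_open, found_after_close):
    the first should report the throwaway port, the second should be empty."""
    port, close = _throwaway_listener()
    try:
        found_while_open = exposed_ports(["127.0.0.1"], ports=(port,))
    finally:
        close()
    found_after_close = exposed_ports(["127.0.0.1"], ports=(port,))
    return found_while_open, found_after_close


if __name__ == "__main__":
    print("self-check:", self_check())
    for host, ports in sorted(exposed_ports(HOSTS).items()):
        print(f"{host}: telnet-style ports open {ports}")
```

Anything this reports is a device you should log into (by the vendor's instructions, not over telnet) and turn the service off on, or at least keep off the internet. Bear in mind the limit of the check: it runs from inside your home network, so it tells you what a neighbour's infected camera could reach, not what the whole internet can. Whether your router is forwarding those ports to the outside (the UPnP problem above) has to be checked from outside, for example with one of the free port-check web pages, with UPnP already switched off.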
What else can be done, part 1: We all have to stop being so damned cheap

Buying things based primarily on price only starts a race to the bottom, and this is doubly true for the internet of things. Adding sensors, computers, and networking capability to things naturally makes those things more expensive. Vendors and manufacturers who compete primarily on price love to cut corners, and quality, which includes security, often gets cut with them.
As customers, we need to stop buying based just on price, and as vendors and manufacturers, we have to stop using price and start using quality as our main differentiator (and this means taking security very seriously, and not treating it as an afterthought). This is a chicken-and-egg problem, but it's one we must solve in order to prevent the internet of things' downward slide.
What else can be done, part 2: It may require law enforcement and governments to step in

In the rather libertarian world of technology, suggesting the increased involvement of law and government in our sphere may be anathema, but it might be the best alternative. Techies' preferred approach is to let the free market solve problems, but security guru Bruce Schneier explains why it might not work in this case, because the incentives that usually drive free market corrections aren't there:
The market can’t fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know Brian. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.
What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don’t care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.
What else can be done, part 3: Internet service providers need to get better at detecting and mitigating these attacks

A map of the world’s submarine cables. Click to see the source.
In a world that is increasingly dependent on computers, devices, and networking, internet service providers can't be content to simply shuttle bits around. They may need to consider examining the kind of traffic they allow through them (noticing, for example, when thousands of home customers suddenly start hammering the same DNS provider, or when a customer's camera begins scanning the rest of the internet for telnet), and we'll all need to consider what kind of impact this move would have on security, privacy, and the principle of network neutrality.