This attack is the latest in a string of record-breaking DDoS hacks that are only getting more vicious
A massive distributed denial of service (DDoS) attack targeting DNS provider Dyn succeeded in disrupting service to major sites like Twitter, Amazon, and Netflix yesterday, leading many to question how fragile US internet infrastructure really is.
According to media reports, the attackers used a botnet made up of a multitude of Internet of Things (IoT) devices, hijacking them to overwhelm Dyn’s capacity to serve legitimate requests. The compromised devices are believed to have included everything from CCTV cameras to baby monitors.
At this point it is believed that the attack occurred in three waves, creating sustained disruptions for Dyn’s customers.
In his post discussing the attack, Brian Krebs cited a report from the cyber security firm Flashpoint that identified the hack as being based on the Mirai malware strain. The source code for Mirai was released recently by the originating hacker, giving others the opportunity to use it for their own ops.
This is the same code that tried to take down Krebs’ site last month with an unprecedented 620 Gbps DDoS attack.
To understand why targeting Dyn had such wide-reaching effects on the rest of the internet, here is a brief analogy for how the Domain Name System (DNS) works. It is basically a post office: it directs traffic to websites through its directory, which records that a web address corresponds to details like an IP address. And just like a post office at Christmas, an overload of requests can bog it down and keep letters from reaching their destination.
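To make the post-office analogy concrete, here is a toy model of a caching resolver, added as an illustration and not code from the article or from Dyn. It shows why an outage at one authoritative provider blacks out some sites immediately while others keep resolving: a resolver reuses an answer until its TTL expires, and a name that is also served by a second, independent provider can still be answered after that. The hostnames, addresses (RFC 5737 documentation ranges), TTLs and provider names are all constructed for the demo.

```python
"""Toy caching DNS resolver used to illustrate an authoritative-provider outage.
Added example; every name, address and TTL below is constructed, not real."""


class AuthoritativeServer:
    """Holds the records for a zone and can be taken offline to simulate a flood."""

    def __init__(self, name, records):
        self.name = name
        self.records = records  # {hostname: (ip, ttl_seconds)}
        self.up = True

    def query(self, host):
        if not self.up:
            raise TimeoutError(f"{self.name} did not answer")
        return self.records.get(host)


class Resolver:
    """Recursive resolver: serve from cache while the TTL holds, else ask each
    authoritative server for the name in turn."""

    def __init__(self, servers_for, clock):
        self.servers_for = servers_for  # {hostname: [AuthoritativeServer, ...]}
        self.cache = {}                 # hostname -> (ip, expires_at)
        self.clock = clock

    def resolve(self, host):
        now = self.clock()
        cached = self.cache.get(host)
        if cached and cached[1] > now:
            return cached[0], "cache"
        for server in self.servers_for.get(host, []):
            try:
                answer = server.query(host)
            except TimeoutError:
                continue  # try the next provider instead of giving up
            if answer:
                ip, ttl = answer
                self.cache[host] = (ip, now + ttl)
                return ip, server.name
        raise LookupError(f"SERVFAIL: nobody answered for {host}")


class FakeClock:
    """Manually advanced clock so the scenario runs without real waiting."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def run_outage_scenario():
    """Walk through an outage of provider_a and record where each answer came from."""
    clock = FakeClock()
    provider_a = AuthoritativeServer("provider_a", {
        "shop.example": ("192.0.2.10", 60),   # constructed, served only by provider_a
        "news.example": ("192.0.2.20", 60),   # constructed, served by both providers
    })
    provider_b = AuthoritativeServer("provider_b", {
        "news.example": ("192.0.2.20", 60),
    })
    resolver = Resolver({
        "shop.example": [provider_a],
        "news.example": [provider_a, provider_b],
    }, clock)

    outcome = {}
    outcome["shop_before"] = resolver.resolve("shop.example")[1]   # provider_a
    outcome["news_before"] = resolver.resolve("news.example")[1]   # provider_a

    provider_a.up = False  # the flood takes provider_a offline
    clock.now = 30         # still inside the 60 s TTL
    outcome["shop_during_ttl"] = resolver.resolve("shop.example")[1]  # cache
    outcome["news_during_ttl"] = resolver.resolve("news.example")[1]  # cache

    clock.now = 90         # cache entries have expired
    try:
        resolver.resolve("shop.example")
        outcome["shop_after_ttl"] = "resolved"
    except LookupError:
        outcome["shop_after_ttl"] = "SERVFAIL"   # single-provider site goes dark
    outcome["news_after_ttl"] = resolver.resolve("news.example")[1]  # provider_b
    return outcome


if __name__ == "__main__":
    for step, source in run_outage_scenario().items():
        print(f"{step:16} -> {source}")
```

Real resolvers add retries and, more recently, "serve-stale" behaviour (keeping an expired answer while the authority is unreachable), but the shape is the same: short TTLs and a single authoritative provider turn a provider outage into an immediate outage for the sites behind it.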
The IoT security conundrum
What differentiates this attack from DDoS operations of the past is the incorporation of IoT devices. Previously, hackers would build botnets, networks of compromised computers, to produce the flood of requests, using malware to, as Krebs describes it, amplify their reach and overwhelm the target; this attack turned instead to IoT.
While the move to make more of our everyday devices smarter by connecting them to the internet has brought all kinds of advantages, like programming our coffee machine or controlling our lightbulbs, it has come at a price to security. These devices are very vulnerable to attack, in part due to the lack of regulation and standards for security.
When a personal computer manufacturer builds a device, it incorporates all kinds of security measures. It also makes it easy for users to get in and adjust basic things like usernames and passwords. It has been revealed that many of the IoT devices out there, which for some reason the manufacturers never intended to be tinkered with, all share the same credentials. So if a hacker is able to break into one of these devices, they can probably access the thousands, if not more, of others that are out there. Most users will never know how to get in and make the changes that could improve the security of their devices. Add to this that while many of the devices may be “connected,” there is no real way to update them with patches when necessary, leaving them vulnerable.
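From the defender's side, the first question during a flood is whether the volume is one noisy client or a botnet. The following is an added detection example, not code from the article or from any vendor named in it: it buckets DNS query-log lines per second and flags a window as a distributed flood only when both the request rate and the number of distinct source addresses are high. The log format, the thresholds and all addresses (RFC 5737 TEST-NET ranges) are constructed for the demo.

```python
"""Sliding-window flood check over constructed DNS query-log lines.
Added example; the log format, thresholds and addresses are all invented."""
import re
from collections import defaultdict

# Constructed log format: "<ISO timestamp>Z client=<ip> qname=<name> qtype=<type>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z client=(?P<client>[\d.]+) "
    r"qname=(?P<qname>\S+) qtype=(?P<qtype>\w+)$"
)


def parse_line(line):
    """Return the fields of one log line, or None for a malformed line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def flag_floods(lines, rate_threshold=100, source_threshold=50):
    """Return [(second, query_count, distinct_sources, verdict)] for every
    one-second bucket whose query count reaches rate_threshold.

    verdict is "distributed" when at least source_threshold distinct clients
    took part (a botnet-style flood) and "single-source" otherwise (one abusive
    client, which per-client rate limiting alone would handle)."""
    per_second = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec:  # skip malformed lines instead of crashing the pipeline
            per_second[rec["ts"]].append(rec["client"])

    flagged = []
    for ts in sorted(per_second):
        clients = per_second[ts]
        if len(clients) < rate_threshold:
            continue
        distinct = len(set(clients))
        verdict = "distributed" if distinct >= source_threshold else "single-source"
        flagged.append((ts, len(clients), distinct, verdict))
    return flagged


def constructed_log():
    """Build a sample log: three quiet seconds, one second dominated by a single
    abusive client, then one second of a flood from 150 distinct addresses."""
    def line(sec, client, qname="www.example"):
        return f"2016-10-21T11:10:{sec:02d}Z client={client} qname={qname} qtype=A"

    lines = []
    for sec in range(3):                       # baseline: 5 queries/s, 5 clients
        lines.extend(line(sec, f"203.0.113.{i + 1}") for i in range(5))
    lines.extend(line(3, "203.0.113.9") for _ in range(120))          # one loud client
    lines.extend(line(4, f"198.51.100.{i + 1}") for i in range(150))  # botnet-style
    lines.append("this line is not in the expected format")           # malformed
    return lines


if __name__ == "__main__":
    for ts, count, distinct, verdict in flag_floods(constructed_log()):
        print(f"{ts}: {count} queries from {distinct} sources -> {verdict}")
```

A real deployment would read from the resolver's query log or a packet tap and tune the thresholds to the baseline of the service, but the distinction the verdict draws is the one that matters operationally: a single-source spike can be rate limited at the edge, while a distributed flood needs capacity or upstream scrubbing.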
What makes this situation even more perilous is the rapid growth of IoT devices out there on the market, with some estimates from folks like Cisco believing that there will be some 50 billion connected devices in the wild by 2020.
Over the summer, Geektime had the opportunity to discuss IoT security with Comcast’s head of security Noopur Davis.
“How do you authenticate fifty billion devices?” Davis asks, adding that she believes that blockchain and other authentication systems are interesting options for the short term, but that something new will be needed to take on this challenge as it continues to develop.
One of the challenges she cites in this field is that because it is so new, and so many new actors who do not come from the tech sector are getting involved, it feels a bit like the Wild West when it comes to regulating security.
“The problem is that people are thinking about standards, but ultimately in IoT, there are the standard ways to go where you get approval from somebody like the Underwriters Laboratories that gives you a stamp of approval. But the other side of me says that when you have one and two-dollar lightbulbs coming from someplace where they are really not thinking about [security], and people are more concerned about the price rather than if it conforms to a standard, then what do you do there?”
How do you solve a problem when neither the buyer nor the seller really seems to care about security?
Some companies, like the Israeli firm Secret Double Octopus, are working on scalable solutions for securing these devices, but the short answer is that as long as there are so many different players and no standards, this will be an uphill battle.
One possible solution is to develop new ways of identifying what kind of device is on the other end of a request. The recently launched Reposify is offering a service that will help researchers and security professionals determine if the machine that is looking to access a web page is a PC or a light bulb, potentially helping defenders put up restrictions that will only let through apparently legitimate requests.
This attack was expected
Security researcher Matt Blaze probably put the reaction to this attack most succinctly with his Twitter post yesterday:
BREAKING: Thing everyone warned would happen, happened.
— matt blaze (@mattblaze) October 22, 2016
In September, famed security researcher Bruce Schneier wrote that Verisign — the registrar for domains like .com — noticed that someone was probing them, testing their defenses and response times. He says that they were not the only ones.
He believed that a nation state like China or Russia was looking for ways to quickly take down the internet should it so desire. While this seems likely given the intensity of effort needed to do this effectively, easy access to code like Mirai means that smaller actors like criminals could be likely suspects as well. It is hard to tell at this point.
What is clear is that this attack should have been expected. And by all accounts it was. The problem is that defenders do not have a good response to DDoS attacks. Some services, like Akamai, which were mentioned above, can help, but they might find themselves overwhelmed. Moreover, implementing the proper defenses can be exceedingly expensive and is not available to all companies.
The funny thing is that DDoS is not actually a particularly sophisticated attack; it essentially uses brute force to crush its target. Even if you put up advanced defenses, the internet is structured in a way that someone with a big enough club can still beat the hell out of you.
With so much of the economy, as well as far more critical services, dependent on connecting to the internet, you’d hope that this will become a higher profile issue.
However, until some kind of major change comes to the IoT sector, if ever, the pool of devices that hackers could use to carry out their attacks will keep growing exponentially. The DDoS used against Krebs was nearly double the bandwidth of the previous record holder, which clocked in at only 363 Gbps. We are still waiting for details on this latest one.
The next one could make this past Friday look like a tsunami over a wave pool.