On Friday, many popular websites and mobile apps experienced repeated outages, the result of a massive hacker attack. Here is what we know so far about:
Someone launched a massive Distributed Denial of Service (DDoS) attack against Dyn, a provider of Domain Name Services (DNS) – a critical technology necessary for the functioning of the modern Internet. At a simple level, a DDoS attack involves flooding servers with bogus, legitimate-looking requests, thereby overwhelming them and preventing them from performing their intended function for parties with real, legitimate requests. DNS refers to a service that, among other things, allows people to refer to computers on the Internet by name, rather than by a numeric IP address. By overwhelming Dyn’s servers, the attackers prevented people from reaching many sites and apps that rely on Dyn to translate their names into addressable locations – if your computer or mobile device cannot find the IP of Twitter.com, for example, you cannot communicate with, or utilize, Twitter.
How was the attack launched?
At least some of the attack utilized Mirai, code that was recently released on the Internet that allows anyone using it to commandeer various Internet of Things (IoT) devices and assemble an army of “zombies” (often termed a “botnet”) which he or she can then use to carry out nefarious activities. In the case of the attack on Friday, we know that large numbers of webcams were involved in flooding Dyn with requests.
Was the massive attack shocking?
No. There was another massive attack directed against cybersecurity writer Brian Krebs’s website earlier this month that was also launched from IoT zombies, and the code used is likely the code that was later released as Mirai. At least one other similar attack occurred shortly thereafter against another party. Corrective actions were not taken after the attack on Krebs to fix the vulnerabilities in at least many of the devices that allowed it to happen. Furthermore, discussions of IoT-launched DDoS attacks are not new – here is an Incapsula post from last year about one involving video cameras.
Who launched the attack?
It is unclear if anyone other than the party who launched the attack knows the answer to this question – assuming that the entire attack was carried out by just one party, which may or may not be the case. While the attack did require some sophistication, an attack leveraging recently released malware code to shut down a DNS provider does not seem characteristic of a state-sponsored actor.
Will similar attacks and outages happen again?
Likely. IoT devices are proliferating at a rapid rate and, at least when it comes to consumer devices, are rarely as secure as classic computers. Hackers are exploiting this reality and have no reason to stop doing so, especially when malware code is available online – reducing the bar for creating a powerful attack.
What needs to be done to prevent future attacks?
While entire books could be written on preventing DDoS attacks and on IoT security, here are three important elements:
1. IoT devices need better security – there are reasons why many IoT devices are made insecurely – in the case of consumer products, for example, people often prefer to purchase and use less expensive products that are insecure over more expensive products that are more secure; a behavioral change must occur, whether encouraged by government, by industry standards, and/or by consumer demand. Hangzhou Xiongmai, a Chinese manufacturer of webcam components that were exploited in the recent attack, is now recalling its devices; these circuit boards and cameras use standard not-changed-when-installed default passwords, making takeover by hackers and malware simple.
Securing numerous different types of IoT devices is not a simple task that can be solved with a single approach; as Michael Kaiser, Executive Director of the National Cyber Security Alliance, pointed out at a recent gathering, the “Internet of Things” is really “The Internet of a Billion Things,” but it is not unreasonable to expect certain universal (or near universal) practices such as prompting users to change devices’ default passwords during initial setup.
2. People deploying IoT devices need to understand the risks and better protect against attacks – The present attack may have leveraged people’s webcams to attack third parties, but next time, the infected webcams might be used to spy on their owners. (Such breaches have already happened.) People need to understand the risks – and utilize the security features of their devices. There are also other actions people can take to reduce risks from IoT devices; perhaps I will discuss them in a future article.
3. DNS needs to be updated for today’s Internet – DNS, originally designed in the 1980s, was not intended to handle the needs of today’s Internet. It is, in some ways, an Achilles Heel of the Internet; most organizations rely (de facto) on a single provider as their primary source of publishing DNS information. It is 2016, and time for experts to collaborate to design better plumbing for the Internet that eliminates all “single points of failure” (or near-single points of failure).
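To make the single-provider dependency described in point 3 concrete, here is an added example (not part of the original article) that audits the nameserver (NS) set of each zone and flags zones whose DNS is published by only one provider. The zone names and NS hostnames are constructed placeholders, and treating the last two labels of a nameserver hostname as its operator is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample data: zone -> NS hostnames from its delegation.
# All names are placeholders under the reserved "example" TLD.
SAMPLE_DELEGATIONS = {
    "shop.example": ["ns1.dns-a.example.", "ns2.dns-a.example.",
                     "ns3.dns-a.example.", "ns4.dns-a.example."],
    "news.example": ["ns1.dns-a.example.", "ns2.dns-a.example.",
                     "pdns1.dns-b.example.", "pdns2.dns-b.example."],
    "blog.example": ["ns1.blog.example.", "ns2.blog.example."],
    "bank.example": ["a.ns.dns-a.example", "B.NS.DNS-B.EXAMPLE.",
                     "c.ns.dns-c.example."],
}


def provider_of(ns_host, labels=2):
    """Approximate the operator of a nameserver by its parent domain.

    Assumption: the last `labels` labels identify the operator. A real
    audit should use the Public Suffix List (e.g. for names under co.uk).
    """
    parts = ns_host.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def audit(delegations):
    """Return, per zone, its DNS providers and its exposure to losing one."""
    report = {}
    for zone, ns_hosts in delegations.items():
        by_provider = defaultdict(list)
        for host in ns_hosts:
            by_provider[provider_of(host)].append(host.rstrip(".").lower())
        # Fraction of the zone's nameservers that disappear if its largest
        # provider is knocked offline; an empty NS set counts as total loss.
        largest = max((len(v) for v in by_provider.values()), default=0)
        worst = largest / len(ns_hosts) if ns_hosts else 1.0
        report[zone] = {
            "providers": sorted(by_provider),
            "single_point_of_failure": len(by_provider) <= 1,
            "worst_case_loss": worst,
        }
    return report


if __name__ == "__main__":
    for zone, r in audit(SAMPLE_DELEGATIONS).items():
        flag = "SINGLE PROVIDER" if r["single_point_of_failure"] else "ok"
        print(f"{zone:14} {flag:16} loss={r['worst_case_loss']:.0%} "
              f"{', '.join(r['providers'])}")
```

A zone whose worst-case loss is 100% stops resolving for new lookups when that one provider is overwhelmed, which is the failure mode seen on Friday; cached answers keep working only until their TTL expires.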