A major attack took multiple major websites offline on Oct. 21, 2016, exposing one of the biggest vulnerabilities facing the internet today. The incident was a distributed denial-of-service (DDoS) attack aimed at domain name system (DNS) services provider Dyn, and it crippled the online presence of companies such as PayPal, Spotify, Netflix, Twitter and other big names.
While DDoS is by no means a new tactic, this outage was felt across the U.S., as well as in parts of Europe, according to Reuters. Security researchers in both the public and private sectors have since been looking for answers.
What they've found is that a large share of the attack traffic originated from devices that are part of the Internet of Things (IoT). That finding underscores weaknesses in IoT security that must be addressed.
Terms to know
In order to understand the full magnitude of what happened to Dyn, let's first take a step back and give a quick explanation of some of the terms used above.
A DDoS attack is one in which an attacker directs far more traffic at a server than it can handle, so that legitimate requests are delayed or dropped. The "distributed" part means the traffic comes from a very large number of sources at once, which is what makes it hard to block. Imagine that you're holding a bucket. At the bottom of this container is a two-inch hole. If you pour in a cup of water every second, the liquid passes through the hole without an issue. However, if you dump in 100 cups of water per second, the hole can't drain the liquid fast enough and the bucket overflows.
A DDoS attack works something like that: the bucket is the server's capacity to absorb incoming traffic and the hole is its ability to process requests. Too much data translates to an overflowing bucket, but instead of wet shoes you have a machine that can no longer respond to legitimate users.
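The bucket analogy can be made concrete. The following is an added example, not code from the original article: a toy one-second model of a server with fixed capacity, fronted by a per-source rate limiter. The capacity and limit values are assumptions chosen for illustration. It shows why the "distributed" part matters: a single flooding source is cut off by a per-IP limit, but thousands of bots each sending a couple of requests stay under the limit and still overflow the server.

```python
"""Toy model of a request flood against a fixed-capacity server (added example)."""
import random
from collections import Counter

SERVER_CAPACITY = 1_000   # requests the server can answer per second (assumed value)
PER_SOURCE_LIMIT = 20     # requests per second allowed from one source before the limiter drops the rest (assumed)


def per_source_limiter(requests, limit=PER_SOURCE_LIMIT):
    """Drop every request beyond `limit` from the same source within the one-second window."""
    seen = Counter()
    passed = []
    for src in requests:
        seen[src] += 1
        if seen[src] <= limit:
            passed.append(src)
    return passed


def server(requests, capacity=SERVER_CAPACITY):
    """The bucket: the first `capacity` requests drain through the hole, the rest overflow.
    Returns (answered, lost) as lists of source labels."""
    return requests[:capacity], requests[capacity:]


def run_second(legit_users, attack_sources, attack_rate):
    """One second of traffic: each legitimate user sends one request, each attack source sends
    `attack_rate` requests. Returns the fraction of legitimate requests that were answered."""
    traffic = [f"user{i}" for i in range(legit_users)]
    traffic += [f"bot{i}" for i in range(attack_sources) for _ in range(attack_rate)]
    random.Random(0).shuffle(traffic)  # arrivals are interleaved; attackers don't politely queue last
    filtered = per_source_limiter(traffic)
    answered, _lost = server(filtered)
    legit_answered = sum(1 for src in answered if src.startswith("user"))
    return legit_answered / legit_users


if __name__ == "__main__":
    print("no attack:            ", run_second(500, 0, 0))
    print("one source, 100k rps: ", run_second(500, 1, 100_000))
    print("10k bots, 2 rps each: ", run_second(500, 10_000, 2))
```

With one flooding source the limiter discards everything past 20 requests and every legitimate user is served; with 10,000 sources at two requests each, nothing trips the limiter, 20,500 requests hit a server that can answer 1,000, and only a few percent of legitimate users get through.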
Internet of Things
The other interesting aspect here is the use of IoT devices. These are everyday items that have been given an internet connection, and it appears the Dyn attackers were using digital video recorders and webcams that had been compromised by the Mirai malware, according to Reuters.
The attackers infected these gadgets, formed them into a botnet of zombie devices, and had them lie in wait until the moment of attack. Weak IoT security is a problem experts have been discussing for some time.
DNS is one of the most vital parts of the online experience, and providers such as Dyn allow regular internet users to get everything they can out of it. Think of the DNS infrastructure as an address book. You may know your aunt's full name, but you don't know where she lives. If you want to send her a letter in the mail, you first have to look in your address book to make sure your message goes to the right address.
In a very simplified way, this is how DNS servers work. You know you want to go to Netflix.com, but that's simply the site's domain name. Your computer can't send traffic to a name; it needs the site's IP address. A DNS provider such as Dyn, which hosts the authoritative records for its customers' domains, answers that lookup so your machine can reach the content.
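To show what that "address book lookup" actually looks like on the wire, here is an added example (not code from the original article): a minimal encoder and decoder for the DNS message format described in RFC 1035. It builds the query a client sends for Netflix.com, then parses a reply that the example constructs itself. The answer address 192.0.2.10 is a documentation-range address, not Netflix's real one, and the transaction ID and TTL are arbitrary; nothing is looked up over the network. The SERVFAIL case is included because that is what a client ends up with when the authoritative servers, as Dyn's were, cannot answer.

```python
"""Minimal DNS wire-format encoder/decoder (RFC 1035), added example with constructed data."""
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name: str) -> bytes:
    """'netflix.com' -> b'\\x07netflix\\x03com\\x00' (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """The question a stub resolver sends: 'what is the A record for this name?'"""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    return header + question


def decode_name(msg: bytes, offset: int):
    """Decode a name at `offset`, following compression pointers. Returns (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2   # the caller continues after the pointer, not after the target
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg: bytes) -> dict:
    """Parse header, question section and A-record answers from a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: four-byte IPv4 address
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": txid, "status": RCODE_NAMES.get(rcode, str(rcode)),
            "questions": questions, "answers": answers}


def build_response(query: bytes, ip: str = None, ttl: int = 300) -> bytes:
    """Construct the reply to `query` (sample data, not a real lookup). With ip=None, build the
    SERVFAIL a resolver returns when it could not get an answer from the authoritative servers."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    if ip is None:
        return struct.pack("!HHHHHH", txid, 0x8182, 1, 0, 0, 0) + question  # QR=1 RD=1 RA=1 RCODE=2
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)            # QR=1 RD=1 RA=1 NOERROR
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata  # name -> pointer to offset 12
    return header + question + answer


if __name__ == "__main__":
    q = build_query("netflix.com")
    print(parse_response(build_response(q, "192.0.2.10")))
    print(parse_response(build_response(q)))
```

The compression pointer (0xC00C) in the answer is the detail most hand-written parsers get wrong: the answer name is a two-byte reference back to the question name at offset 12, and the parser must resume after the pointer rather than after the name it points to.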
So, now that you know all the major pieces, it's time to get into what actually happened. According to a post from Dyn Chief Strategy Officer Kyle York, the first wave of attacks began around 7:00 a.m. Eastern Time.
The attackers directed traffic from a huge number of compromised IoT devices, as well as several other botnets, at Dyn's DNS servers. As soon as the company seemed to be getting on top of the first wave, a second was launched; it was mitigated around 1:00 p.m. Eastern Time. This created a long stretch during which computers couldn't reach their address books, producing error screens all over the country. A third wave was aimed at the company, but Dyn was able to avoid any further interruptions.
Although outages were intermittent and varied from company to company, a huge swath of large and small organizations dealt with downtime during this barrage. One reason the disruption lasted so long had to do with how the attackers disguised their traffic.
Reuters reported that the attackers masked their origins by relaying their lookups through public DNS resolvers operated by Google and Cisco's OpenDNS, so the queries arrived at Dyn from the same well-known resolver addresses that carry legitimate traffic. This made it very difficult for administrators to tell legitimate queries apart from those generated by the compromised botnet devices.
Another point to note is that Dyn and other researchers still don't know exactly who was behind the attack. Some have pointed fingers, but there is currently no evidence that establishes where it came from.
The use of IoT devices is troubling
While the attack on Dyn has since been mitigated and services are working properly again, one major concern remains: Can this happen again?
There's no way to answer that for sure, but it is clear that this was a big attack that leveraged a gaping hole in IoT security that still hasn't been addressed. The issue is that many IoT devices are easily hacked because they ship with factory-default login credentials.
The average consumer often doesn't know this and leaves those credentials in place for as long as the device is in use. As a result it is trivial for an attacker to compromise an IoT gadget: scan for an exposed login service (Mirai targeted Telnet) and try a short list of well-known default username/password pairs. No real brute force is needed; a few dozen guesses cover most of the vulnerable devices.
While not being able to check Twitter or use PayPal may have been an inconvenience for consumers, the larger issue is that DDoS attacks are sometimes used as a smokescreen for a more damaging data breach. As it stands, there is no evidence that this attack against Dyn was meant to access information in any way. However, it should be a lesson in what can be avoided if the right organizations act now.
Regardless of how security experts feel about the trend, the IoT is here and it's not going anywhere anytime soon. In fact, Gartner predicted around 6.4 billion connected devices would be in use by the end of 2016. That's a lot of potential attack vectors, and it shows just how important solving this problem is.
How can businesses and IoT manufacturers respond?
Therefore, both manufacturers and the consumers of their products need to do everything they can to keep devices from being infected. On the vendor side, trying to keep lists of factory credentials secret is not a workable defense: the same username and password are shared across an entire product line and printed in the manual, which is exactly how attackers assemble their guess lists. Security has to begin in the development cycle instead, with credentials that are unique to each unit or that cannot be used until they are replaced.
On top of this, consumers need to be made aware of the danger and change the login credentials on any device they purchase. Manufacturers, for their part, should prompt customers to change this information during the setup process, and ideally not let setup finish until they have.
Finally, businesses that depend heavily on uptime should have a backup plan that mitigates the risk of a primary vendor being hit by a DDoS attack. Reuters reported that sites that also used a backup DNS provider were not badly affected by the event.
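To make the default-credential problem, and the setup-time fix, concrete, here is an added example that is not code from the original article, from any device vendor, or from the Mirai source. It simulates a device login in two configurations: the vulnerable factory build, where every unit shares the same documented login and nothing forces a change, and a hardened build with a per-unit random password, a mandatory password change at setup, and a lockout. The credential list, the lockout threshold (MAX_FAILURES) and the minimum password length are constructed for illustration; Mirai's scanner walked a similar but longer list.

```python
"""Factory-default credentials vs. forced change at setup (added example, simulated device)."""
import hashlib
import hmac
import secrets

# Constructed sample of default username/password pairs, illustrative rather than taken
# from any specific product. Mirai's Telnet scanner carried a similar, longer list.
KNOWN_DEFAULTS = [
    ("admin", "admin"), ("root", "root"), ("admin", "1234"), ("root", "12345"),
    ("user", "user"), ("admin", "password"), ("root", "default"), ("support", "support"),
]
MAX_FAILURES = 5        # assumed lockout threshold for the hardened device
MIN_PASSWORD_LEN = 12   # assumed minimum length enforced by the setup wizard


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Device:
    def __init__(self, username: str, password: str, require_change: bool):
        self.username = username
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.require_change = require_change  # True: setup must replace the password before use
        self.failures = 0
        self.locked = False

    def login(self, username: str, password: str) -> str:
        """Returns 'shell', 'setup-required', 'denied' or 'locked'."""
        if self.locked:
            return "locked"
        ok = username == self.username and hmac.compare_digest(
            self.pw_hash, hash_password(password, self.salt))
        if not ok:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True
                return "locked"
            return "denied"
        self.failures = 0
        return "setup-required" if self.require_change else "shell"

    def complete_setup(self, current_password: str, new_password: str) -> bool:
        """Setup wizard: reject default and short passwords, then clear require_change."""
        if self.login(self.username, current_password) not in ("shell", "setup-required"):
            return False
        if len(new_password) < MIN_PASSWORD_LEN or any(new_password == p for _, p in KNOWN_DEFAULTS):
            return False
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(new_password, self.salt)
        self.require_change = False
        return True


def factory_default_device() -> Device:
    """Vulnerable case: every unit ships with the same documented login and no forced change."""
    return Device("admin", "admin", require_change=False)


def hardened_device():
    """Fix: a per-unit random password (printed on the label) plus a forced change at setup.
    Returns (device, label_password)."""
    label_password = secrets.token_urlsafe(12)
    return Device("admin", label_password, require_change=True), label_password


def dictionary_attack(device: Device, candidates=KNOWN_DEFAULTS):
    """What a Mirai-style scanner does after finding an open login service: try each default pair.
    Returns (got_shell, attempts_used)."""
    attempts = 0
    for user, pw in candidates:
        attempts += 1
        result = device.login(user, pw)
        if result == "shell":
            return True, attempts
        if result == "locked":
            return False, attempts
    return False, attempts


if __name__ == "__main__":
    print("factory default:", dictionary_attack(factory_default_device()))
    dev, label_pw = hardened_device()
    print("hardened:       ", dictionary_attack(dev))
```

The factory build falls to the very first guess. The hardened build never matches because its password is unique to the unit, locks out after five failures, and even a customer who reads the label cannot use the device until setup has replaced that password with one that is neither short nor on the default list.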