On October 21st, a company called Dyn sustained a massive Distributed Denial of Service (DDoS) attack against its managed DNS infrastructure. A Denial of Service attack is one whose purpose is to prevent others from being able to use the service or system that is targeted. It’s Distributed because the attacker uses multiple points of origin. This particular DDoS was designed to overwhelm Dyn by throwing more traffic at it than it can normally handle.
This is no small feat, because Dyn has one of the most sophisticated and resilient network operations around: it provides high-level DNS (Domain Naming Service) services to many of the largest internet properties. DNS is the internet’s phone book. When you browse a website or use an online service, it provides the address that corresponds to the website (for example, www.google.com would translate to 188.8.131.52).
The effect of this massive attack was that certain companies, including Box.com, Netflix, Twitter, Spotify, and PayPal, were effectively offline or severely impaired.
So wait, “why is that my fault?” you ask? Fair question. You see, these attacks came from Internet-connected devices, sometimes referred to broadly as IoT or the Internet of Things. These “things” or devices all belong to you. They are your web cameras, your thermostats, your smart bulbs, and your smart refrigerators. Many of these items will automatically configure themselves into a state that not only leaves them insecure, but leaves your home network insecure. The companies making them are trying to build devices that are easy to use for the general consumer and aren’t all that concerned with how well they are secured.
In the case of this attack against Dyn, these were largely camera digital video recorders installed in residences and small businesses. The kind that you can buy at Costco or Home Depot. They probably asked you to make changes to your router, or maybe they did it for you, to allow you to access these systems remotely from your smartphone. This way you can make sure your kids come home on time from school and that shifty employee isn’t stealing copier paper while you’re waiting for your latte at Starbucks. These security camera systems or DVRs were set up with default passwords or no passwords at all. Accessing them from outside was trivial. Over time, a group of hackers had created a botnet, a large network of zombie computers waiting for an attacker’s commands, using some malware called Mirai.
This Mirai-based botnet was used initially on September 20th against the Krebs on Security site, a frequent target of hackers because of Brian Krebs’s scathing reporting. After the October 21st event, it was used to take out Liberia’s Internet access. During the Dyn attack, only 100,000 infected nodes were used. The attackers took no additional steps to amplify the attack so that more traffic was generated from the same number of infected computers, nor did they use the additional infected computers at their disposal, because they really didn’t have to. The attacker could save those for a rainy day.
Typically, security flaws that are uncovered only affect the person or company that owns the system in question. However, whether it’s devices like these being used to attack another firm or a car that is cyber-hijacked, these systems have become potential weapons against others. Security and cryptography expert Bruce Schneier believes that there needs to be regulation of these IoT devices. Like Schneier, I’m not a proponent of regulation in general; however, in this case, setting some minimum standards may need to happen.
“An additional market failure illustrated by the Dyn attack is that neither the seller nor the buyer of those devices cares about fixing the vulnerability. The owners of those devices don’t care. They wanted a webcam — or thermostat, or refrigerator — with nice features at a good price. Even after they were recruited into this botnet, they still work fine — you can’t even tell they were used in the attack. The sellers of those devices don’t care: They’ve already moved on to selling newer and better models. There is no market solution because the insecurity primarily affects other people. It’s a form of invisible pollution.”
It is, of course, more complex than that, and as we all know, these changes take time whether they are driven by regulation or by market forces. There are some things we can do in the meantime to be diligent and protect our corporate networks (and maybe our homes too).
1) Identify these devices in your environment. Without knowing what you have, you really can’t move forward.
2) Separate these devices onto a different network that cannot talk to your internal devices, except to connect to the basic network resources that are required.
3) Adjust your firewall rules to keep watch on the connections these networks make, also known as egress filtering. Your TP-Link lightbulb probably only needs to connect to TP-Link’s cloud servers to get updates and to allow control, not to the PlayStation Network.
4) Ensure that automatic updates are turned on, and as a corollary, if the system doesn’t have auto-updates, don’t buy it!
5) Check your firewall rules to ensure that only the minimally required connections are allowed from the outside.
6) Change any default passwords used by these devices, even if they are cryptic and stuck to the bottom of the unit. Chances are they are generated algorithmically and someone has figured out how to crack them.
7) Buy well-known brands with good reviews.
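As an added illustration of steps 1 through 3 (this is example code, not part of the original post), here is a small Python script that checks egress firewall log lines from an isolated IoT segment against a device inventory and a per-device allowlist. The inventory, the addresses and the log lines are all constructed for the example; substitute your own.

```python
import re
from collections import defaultdict

# Step 1: an inventory of the IoT segment. Addresses and destinations are
# constructed for this example and are not real vendor endpoints.
INVENTORY = {
    "192.168.50.10": {"name": "tplink-bulb-kitchen", "allowed": {"203.0.113.10"}},
    "192.168.50.20": {"name": "dvr-front-door", "allowed": {"203.0.113.20"}},
}
# Step 2: the only shared resource the segment may reach (local DNS/NTP on the router).
SHARED_ALLOWED = {"192.168.50.1"}

# Constructed log lines in an iptables-style key=value format for a rule that
# logs outbound connections from the IoT segment (step 3, egress filtering).
SAMPLE_LOG = """\
Oct 21 12:00:01 fw kernel: IOT-OUT SRC=192.168.50.10 DST=203.0.113.10 PROTO=TCP DPT=443
Oct 21 12:00:02 fw kernel: IOT-OUT SRC=192.168.50.20 DST=192.168.50.1 PROTO=UDP DPT=53
Oct 21 12:00:03 fw kernel: IOT-OUT SRC=192.168.50.20 DST=198.51.100.7 PROTO=TCP DPT=23
Oct 21 12:00:04 fw kernel: IOT-OUT SRC=192.168.50.20 DST=198.51.100.8 PROTO=TCP DPT=23
Oct 21 12:00:05 fw kernel: IOT-OUT SRC=192.168.50.99 DST=203.0.113.10 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")


def parse(log_text):
    """Yield (src, dst, proto, dport) for every log line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, proto, dport = m.groups()
            yield src, dst, proto, int(dport)


def audit(log_text):
    """Return findings: devices missing from the inventory, and connections
    from known devices to destinations outside their allowlist."""
    findings = defaultdict(list)
    for src, dst, proto, dport in parse(log_text):
        dev = INVENTORY.get(src)
        if dev is None:
            if src not in findings["unknown_device"]:
                findings["unknown_device"].append(src)
            continue
        if dst in SHARED_ALLOWED or dst in dev["allowed"]:
            continue
        findings["unexpected_egress"].append((dev["name"], dst, proto, dport))
    return dict(findings)


if __name__ == "__main__":
    for category, items in audit(SAMPLE_LOG).items():
        print(category, items)
```

In the constructed sample, the DVR reaching out to two addresses nobody put on its allowlist, and a source address that is not in the inventory at all, are exactly the findings that steps 1 through 3 are meant to surface.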
The only way we can affect the market going forward is by raising our expectations of the products we buy. And the only way consumers will be able to do that is to read independent reports, unless there is an industry or government regulation compelling otherwise. In the meantime we can also take some precautionary steps to ensure we aren’t a victim and we aren’t unwittingly used as an attacker.