You might have noticed something strange in your Internet adventures last Friday — the distressing absence of a large part of it. An official statement from Internet provider giant Dyn released Friday explains what happened, and why it might happen again.
Large sections of the Internet became basically inaccessible last week, as three massive Distributed Denial of Service (DDOS) attacks hit a company called Dyn. This company provides Domain Name Services (DNS) hosting for hundreds of websites including Twitter, Reddit, Amazon, Netflix, PayPal and so on. A DNS host basically “places” a website on the web, by connecting each computer’s IP address to the domain names of sites a user is trying to access, such as “ZMEScience.com”. Take the host out of the equation, and the other two can’t communicate — like cutting the chord between two landlines.
A DDOS attack consists of a large number of computers which simultaneously issue a massive number of fake visits on a server, basically flooding a website with connection requests, information requests — anything to keep the servers busy. Because the website host can’t tell which of the requests are valid and which are fake, they have to let them all through. The servers overload, buckle, and then nobody can access them anymore. Now, for the scary bit.
Welcome to the Internet of Things
DDOS’s are one of the oldest tricks in the book. As such, hosting companies like Dyn have robust systems in place to deal with them. They test their system against mock “stresser” services, which do the same thing, regularly. Hackers looking to launch a denial of service attack have to create specific software, then infect as many computers as possible (the botnet) and run shell programs off of them — the bigger the botnet, the more powerful the flood.
For the most part, PCs have (at least) decent firewalls and antivirus programs that defend them against this type of software. So it can be hard for hackers to gain the numbers to make a dent in servers such as the ones Dyn uses. Hosting companies just have to make sure their servers can handle more traffic than hackers can realistically throw towards them, and that’s that.
Friday’s attacks, however, used a new approach: the botnet wasn’t made up of computers like the one you’re reading this article on, but other kinds of digital devices connected to the web. Think gadgets such as smart TVs, security cameras, DVRs, webcams, even web-connected thermostats and coffee makers — collectively known as the Internet of Things (IoT). It’s a ridiculously huge entity, but these devices have lousy security for the most part. When’s the last time you changed the username and password on your fridge? Exactly.
Because users don’t update these devices’ software, use factory-set accounts and passwords, and vulnerable coding, these devices are easy to hack en-masse. Dyn’s chief strategy officer Kyle York said the company recorded tens of millions of IP addresses in the attack, a huge botnet of IoT devices turned towards bringing down their DNS services.
Krebsosecurity reported that a piece of malware called Mirai was involved in the attack, The program allows pretty much anyone to create personal botnet armies, after its source code was released last month on the Internet.
“Mirai scours the web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users,” Krebs, a US security blogger, explained.
Since then, Chinese electronics company XiongMai has recalled its products, after discovering that its surveillance cameras were used in the attack. This is a particularly disturbing problem as many companies who sell security oweb cameras buy their tech from XiongMai, put on a fresh coat of paint and sell them under their own brand name. So yes, the webcam you’re staring down on right now could very well be XiongMai tech.
“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Flashpoint’s researcher Allison Nixon told Krebs. “Some people are theorising that there were multiple botnets involved here. What we can say is that we’ve seen a Mirai botnet participating in the attack.”
Dyn was ultimately able to restore hosting services on Friday, and with it, access to Twitter, Amazon, and all the other sites. But this attack could be just a preview. The complexity of botnet systems like Mirai and the vulnerability of IoT devices paint a pretty grim picture between them.
“[I]nsecure IoT devices are going to stick around like a bad rash – unless and until there is a major, global effort to recall and remove vulnerable systems from the internet,” explains Krebs. “In my humble opinion, this global clean-up effort should be funded mainly by the companies that are dumping these cheap, poorly-secured hardware devices onto the market in an apparent bid to own the market. Well, they should be made to own the cleanup efforts as well.”
Just in case you missed it, you can read Dyn’s statement here.