It was all over the news. A sustained DDoS attack that caused outages for a large number of web sites Friday was launched with the help of hacked “Internet of Things” (IoT) devices. Jeff Jarmoc tweeted: “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.” True words, that.
Early Friday morning someone trained their DDoS attack on Dyn, an Internet infrastructure company that provides critical DNS technology services to major websites. The attack immediately created problems for internet users of Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.
This outage was similar to the recent record 620 Gbps (!) DDoS attack on IT security reporter Brian Krebs’ site, caused by the Mirai botnet which consists of hacked IoT devices — mainly compromised digital video recorders and IP cameras made by a Chinese hi-tech company called XiongMai Technologies.
The components that XiongMai makes are sold downstream to vendors who then use it in their own products. All credentials are hardcoded in the firmware and cannot be changed. This is a very dangerous practice and we need laws against this ASAP.
Who Is Learning How to Take Down the Internet?
Last month, IT security Guru Bruce Schneier caused waves when he wrote that someone — probably a country — was learning how to take down the internet:
“Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses.
These attacks are not new: hackers do this to sites they don’t like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it’s a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.”
It’s either a large country, or these two other scenarios:
1) Someone tried to extort DYN and when they did not cough up the dough, they decided to show them what they could unleash.
2) Anonymous and/or other hacktivists decided to flex their virtual muscle and show netizens they are still a force to be reckoned with. Either way is disconcerting.
Hmmm. What can you do about this?
Well, not much. But don’t put any of your own critical command & control infrastructure like managing chemical plants, water treatment or power plants in a position where they require the internet to function.
However, and this is something all of us can do, set up redundant DNS providers so that when one is under attack you can shut it down and let other DNS services take over.
Know This Secret Of The Net: One Big Buggy Beta
Guys, I have been saying this for years now:
Most people look at me surprised when I tell them the internet is still in beta, but it’s true.
Vint Cerf, the father of the Internet said so himself. He was quoted in the book Fatal System Error: “My thought at the time, thirty-five years ago, was not to build an ultra-secure system, because I could not tell if even the basic ideas would work. We never got to do the production engineering.”
If you know software development jargon, that means it remained in beta… and -has- been up to now. The protocols they built at the time focused on fault tolerance, they simply were not built for security and the net is one big buggy beta. Unfortunately, the bad guys know this full well, and are exploiting it to the limit.