The Day The Internet Died
Well, not exactly, but close. And it was not due to pictures of Kim Kardashian.
Here is what happened.
When you type in the name of a website to visit, say Facebook.com, the Internet needs to translate that name into an address. That address might look like 157.240.2.35.
The software that translates those names to numbers is called DNS or Domain Name System. DNS services are provided by many different companies, but, typically, any given web site uses one of these providers. The big providers work hard to provide a robust and speedy service because to load a single web page may require many DNS lookups.
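To make the name-to-number translation concrete, here is an added example (not from the original post) that decodes a DNS response in the wire format resolvers exchange. The response bytes are constructed by hand to mirror the Facebook.com lookup above; the transaction ID, flags and 300-second TTL are assumed values, not captured traffic.

```python
import struct

# Constructed DNS response (not captured from a real resolver): the answer to an
# A query for facebook.com, carrying 157.240.2.35 with a 300-second TTL. The
# answer name is a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80"                  # transaction ID, flags (response, RA)
    b"\x00\x01\x00\x01\x00\x00\x00\x00"  # 1 question, 1 answer, 0 NS, 0 additional
    b"\x08facebook\x03com\x00"           # question name, label by label
    b"\x00\x01\x00\x01"                  # QTYPE A, QCLASS IN
    b"\xc0\x0c"                          # answer name: pointer to offset 12
    b"\x00\x01\x00\x01"                  # TYPE A, CLASS IN
    b"\x00\x00\x01\x2c"                  # TTL 300
    b"\x00\x04\x9d\xf0\x02\x23"          # RDLENGTH 4, RDATA 157.240.2.35
)

def read_name(msg, offset):
    """Decode a DNS name at offset, following compression pointers (RFC 1035)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                   # two-byte compression pointer
            if not jumped:
                end = offset + 2                      # caller resumes after the pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:                               # root label ends the name
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_a_records(msg):
    """Return [(name, ip, ttl)] for every A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                          # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                                   # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            records.append((name, ".".join(str(b) for b in msg[offset:offset + 4]), ttl))
        offset += rdlen
    return records
```

The TTL in each answer is how long a resolver may keep serving the cached address after the authoritative provider stops answering, which is why a DNS provider outage hits different sites at different times.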
One provider that a lot of big websites use is called Dyn (pronounced dine). Today Dyn was attacked by hackers. The attack technique is called a Distributed Denial of Service Attack or DDoS. DDoS is a fancy term for drowning a web site in far more traffic than it can handle until it cannot perform the tasks that customers expect it to do.
In this case, customers included sites like Amazon, Paypal, Twitter, Spotify and many others. These sites were not down; it was just that customers could not get to them.
The attacks started on the east coast, but added the west coast later. Here is a map that pictures where the worst of the attack was. In this picture from Downdetector.com, red is bad.
There were multiple attacks, both yesterday and today. The attackers would attack the site for a few hours, the attack would let up and then start over again. For the moment, the attack seems to be over, but that doesn’t mean that it won’t start back up again tomorrow, Monday or in two weeks.
You may remember I wrote about the DDoS attack against Brian Krebs' web site and the hosting site OVH. Those two attacks were massive – 600 gigabits per second in the Krebs attack and over 1 terabit per second in the OVH attack. The attackers used zombie security cameras and DVRs and the Mirai attack software to launch these two attacks.
After these attacks, the attacker posted the Mirai software online for free and other attackers have downloaded it and modified it, but it still uses cameras and other Internet of Things devices that have the default factory passwords in place.
As of now, we don’t know how big this attack was, but we do know that at least part of it was based on the Mirai software. And that it was large. No, HUGE.
It is estimated that the network of compromised Internet of Things devices, just in the Mirai network, includes at least a half million devices. Earlier reports said that the number of devices participating in this attack was only a fraction of the total 500,000 – which means that the attack could get much bigger and badder.
The problem with “fixing” this problem is that it means one of two things: fixing the likely millions of compromised Internet of Things devices that are part of some attack network, or shutting those devices down – disconnecting them from the Internet.
The first option is almost impossible. It would require a massive effort to find the owners of all these devices, contact them, remove the malware and install patches if required. ISPs don’t want to do this because it would be very expensive and they don’t have the margin to do that.
The second option has potential legal problems – can the ISP disconnect those users? Some people would say that the actions of the infected devices, intentional or not, likely violate the ISP’s terms of service, so they could shut them down. However, remember that for most users, if the camera is at their home or business, shutting down the camera would likely mean kicking everyone at the home or business off the Internet. ISPs don’t want to do that because it will tick off customers, who might leave.
Since there is no requirement for users to change the default password in order to get their cameras to work, many users don’t change them. Vendors COULD force the users to create a unique strong password when they install their IoT devices, but users forget them and that causes tech support calls, the cost of which comes out of profit.
As a result of all these unpalatable choices, the problem is likely to continue into the future for quite a while.
Next time, instead of Twitter going down, maybe they will attack the banking infrastructure or the power grid. The good news is that most election systems are stuck way back in the stone age and they are more likely to suffer from hanging chads than hackers.
Until IoT manufacturers and owners decide to take security seriously – and I am not counting on that happening any time soon – these attacks will only get worse.
So, get ready for more attacks.
One thing to consider. If your firm is attacked, how does that impact your business and do you have a plan to deal with it?
The thousands of web sites that were down yesterday and today were, for the most part, irrelevant collateral damage to the attacks. Next time your site could be part of the collateral damage. Are you ready?
Information for this post came from Motherboard and Wired.