The Internet of (Scary) Things

September 24, 2016 CyberCecurity Leave a comment

UPDATE: Brian’s web site is not back with Akamai, but rather with Google’s Project Shield. Project Shield is an effort by Google to support free speech to journalists around the world. If they accept your web site, there is no cost. And Google probably has a fair amount of both bandwidth and brainpower to stop cyber attacks. No doubt they get hacked at from time to time.

Brian Krebs is a former WaPo writer who focused on cyber security until the Post decided that cyber security was not their thing, When he and the Post parted ways, Brian started a blog called Krebs on Security (which is a great blog if you don’t already read it) and wrote a book on the innards of the Russian spam mafia.

Very recently he exposed a group of Israeli “business people” who run a large DDoS for hire service called vDOS. A DDoS is an attack against a target web site designed to flood the site with traffic and effectively shut it down. His attention to vDOS got the owners arrested.

About four days ago his web site was taken offline by a very large, sustained DDoS attack. His site is hosted by Akamai (for free) and they told him that they were going to have to shut down their support because they could not handle the attack – it was too much for them.

The attack measured a sustained attack rate of over 600 gigabits per second. This, Akamai said, was double the next largest attack that they had ever had against any customer.

What was going on behind the scenes is not clear, but the tech community came down on Akamai like a ton of bricks. Akamai competitor Cloud Flare offered to host the site.

72 hours later KrebsOnSecurity.com is back online, apparently with Akamai. During those 72 hours, I think, Akamai engineers analyzed the attack and figured out a way to mitigate it.

Many of these large attacks use an attack technique called amplification. With amplification attacks, the attacker sends out a relatively small stream of data and the attack gets amplified many times as it hits the target. One example of an amplification attack is a DNS attack where the attacker sends a particular DNS request to a DNS server to resolve with the “sender” of the request spoofed to be the target. Because of the way the request is structured, a 40 byte request might generate a 4,000 byte response to the target, so, in this hypothetical case, we have an amplification of 100x. This means that if the attacker has/uses 1 gigabit of bandwidth, he would generate 100 gigabits of attack traffic on the target. Very few sites can survive under this attack without the support of a firm like Akamai or Cloudflare and their site would stay down until the attacker got tired. That could be minutes, hours or days.

What is different about this attack is that rather than using a few drone computers and an amplification style attack – which is relatively easy to mitigate – this attack used hundreds of thousands of devices, which made it very difficult to block.

What is unclear right now is whether Akamai’s engineers mitigated the attack or the attackers made their point and moved on.

Now the scary part from the subject.

Brian is saying on his blog that it appears that these hundreds of thousands of devices may be infected Internet of Things (IoT) devices such as web cameras, digital video recorders and routers.

As I have written before, many of these devices have horrible security, making the process of turning them into zombies relatively easy.

The next scary part is what this means for businesses. It is certainly possible that this could be the new norm for DDoS attacks. We are dealing with a client now who has been DDoSed a number of times and every time that happens, their ISP just shuts down their Internet connection. Sometimes for a few hours, sometimes for a day. In the mean time this client’s users have to resort to using some other form of Internet access – maybe their cell phone data plan with it’s ridiculously slow speed and data caps – to get online. This has a dramatic effect on their business.

My question for you today is “Is your business prepared to deal with a DDoS attack?” All it takes is for someone to be upset with you for some perceived slight and you could be under siege. There are many other DDoS for hire services like vDOS and their prices are insanely check. They are hosted in places like Russia and Ukraine, so our ability to shut them down using the courts is pretty much nill. When this happens, your ISP’s first strategy is going to be to turn off your Internet connection. Now it is your problem.

You might say that you have a Service Level Agreement (SLA) with your provider and if they shut you off they have to pay a penalty. I would say two things about that. Let’s say that you pay $2,000 a month for your Internet connection (I know, most of you pay a lot less, but I want to make a point here). In that case, your SLA probably says that they have to pay you $66 a day that you are down, but typically only if you are down for say, over 12 or 24 hours. So they write you a check for $66 and your business is in the stone age for a day. If you are down for a week, that would cost them $466.

How much would it cost you to be down for a day or a week?

IF you have cyber insurance and you have coverage that covers you for this kind of attack, the business interruption coverage might kick in. We have seen a lot of those policies that have a 24 hour waiting period before coverage kicks in and if you are down for 18 hours each, several times over a month, that 24 hour waiting period applies to each event, typically.

AND, even more important, your ISP might say that the DDoS attack violates your terms of service or contract that they are not liable for anything. If they say that, you are left to sue them in court. That is not a very positive scenario.

The moral of the story is that you need to have both an incident response plan and disaster recovery/business continuity plan.

For more information on the attack on Brian’s web site, read his blog, here.