Saturday, October 22, 2016

A Series Of (Clogged) Tubes

If you're like me, you had to deal with a serious problem getting on some of your favorite internet sites on Friday because of a massive attack on the net's ability to handle and route web site requests.  It would be like if all the East Coast's traffic lights went from green to red and back to green every couple of seconds, because they all got conflicting commands to change the lights.  Nobody would be able to get anywhere, and that's what happened with Dyn's DNS servers and internet traffic 24 hours ago.

Dyn offers Domain Name System (DNS) services, essentially acting as an address book for the Internet. DNS is a system that resolves the web addresses we see every day, like https://www.WIRED.com, into the IP addresses needed to find and connect with the right servers so browsers can deliver requested content, like the story you’re reading right now. A DDoS attack overwhelms a DNS server with lookup requests, rendering it incapable of completing any. That’s what makes attacking DNS so effective; rather than targeting individual sites, an attacker can take out the entire Internet for any end user whose DNS requests route through a given server.

“DNS registrars typically provide authoritative DNS services for thousands or tens of thousands of domain names, and so if there is a service-impacting event the collateral damage footprint can be very large,” says Roland Dobbins, a principal engineer at Arbor Networks, a security firm that specializes in DDoS attacks.

DDoS is a particularly effective type of attack on DNS services because in addition to overwhelming servers with malicious traffic, those same servers also have to deal with automatic re-requests, and even just well-meaning users hitting refresh over and over to summon up an uncooperative page.

Now, Internet backbone companies like Dyn deal with these attacks all the time.  But this was an attack of such incredible scale that it took even them by surprise.

The overall picture is still somewhat hazy, but more information has become available as the day has progressed. Initial reports indicate that the attack was part of a genre of DDoS that infects Internet of Things devices (think webcams, DVRs, routers, etc.) all over the world with malware. Once infected, those Internet-connected devices become part of a botnet army, driving malicious traffic toward a given target. The source code for one of these types of botnets, called Mirai, was recently released to the public, leading to speculation that more Mirai-based DDoS attacks might crop up. Dyn said on Friday evening that the security firms Flashpoint and cloud services provider Akamai detected Mirai bots driving much, but not necessarily all, of the traffic in the attacks. Similarly, Dale Drew, the chief security officer of Internet backbone company Level 3, says that his company sees evidence of their involvement.

So America's internet-enabled devices, from cameras to DVRs to baby monitors to thermostats and lighting, are all small computers that can serve as unwilling hosts in an army of devices flooding the internet's traffic cops with requests.  America just hasn't been thinking about how many of these devices there are, or how to secure them against malware that recruits them into a massive network of attackers.  The problem, of course, is that this scenario shouldn't have taken Dyn by surprise at all:

There’s also a potential motive to use a Mirai hack against Dyn, or at least a certain irony in it. The company’s principal data analyst, Chris Baker, wrote about these types of IoT-based attacks just yesterday in a blog post titled “What Is the Impact On Managed DNS Operators?”. It appears he has his answer. And that all DNS services, and their customers, should be on notice.

And the notice is "We failed.  Do better.  The next attacks will be coming."  The reality is that expecting American consumers to upgrade the firmware on their internet-enabled toasters is exactly what led to Friday's event, because the companies selling "the Internet of Things" aren't selling them with any protections.  And we're going to be dealing with cleaning that up for quite some time.
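To make the scale argument in the quoted passages concrete, here is an added simulation (not code from this blog, from WIRED, or from Dyn; every number in it, including the server capacity, client counts and query rates, is constructed). It models an authoritative DNS server that answers a fixed number of lookups per second and applies a per-source rate limit, a standard defensive control, and then compares one loud attacker against a botnet of many quiet ones sending the same total volume.

```python
"""
Added example, not from the blog post or the article it quotes.
Simulates why per-source rate limiting at an authoritative DNS server
stops a single flooding source but not a botnet of thousands of quiet
IoT devices. All constants below are constructed for illustration.
"""
from collections import Counter, defaultdict
import random

# Constructed constants: the server answers at most CAPACITY queries per
# second; a crude rate limiter drops any source that exceeds
# PER_SOURCE_LIMIT queries per second.
CAPACITY = 500
PER_SOURCE_LIMIT = 20
DURATION = 5           # seconds simulated
LEGIT_CLIENTS = 20     # recursive resolvers serving real users
LEGIT_QPS = 2          # queries per second from each legitimate resolver


def generate_traffic(attack_sources, attack_qps, seed=1):
    """Return (second, source, is_legit) tuples for the whole run.

    Legitimate resolvers query steadily; each attack source sends
    attack_qps lookups per second. Arrival order within a second is
    shuffled with a fixed seed so runs are reproducible.
    """
    rng = random.Random(seed)
    queries = []
    for sec in range(DURATION):
        batch = []
        for i in range(LEGIT_CLIENTS):
            batch += [(sec, f"resolver-{i}", True)] * LEGIT_QPS
        for j in range(attack_sources):
            batch += [(sec, f"bot-{j}", False)] * attack_qps
        rng.shuffle(batch)
        queries += batch
    return queries


def rate_limit(queries, limit):
    """Accept up to `limit` queries per (second, source); drop the rest."""
    seen = Counter()
    accepted, dropped = [], 0
    for q in queries:
        key = (q[0], q[1])
        if seen[key] < limit:
            seen[key] += 1
            accepted.append(q)
        else:
            dropped += 1
    return accepted, dropped


def serve(accepted, capacity):
    """Each second the server answers at most `capacity` accepted queries;
    the remainder time out. Returns the answered queries."""
    per_second = defaultdict(list)
    for q in accepted:
        per_second[q[0]].append(q)
    answered = []
    for sec in sorted(per_second):
        answered += per_second[sec][:capacity]
    return answered


def legit_answer_ratio(queries, answered):
    """Fraction of legitimate lookups that actually got an answer."""
    total = sum(1 for q in queries if q[2])
    ok = sum(1 for q in answered if q[2])
    return ok / total


def run_scenario(attack_sources, attack_qps, seed=1):
    """Run one attack shape through the limiter and the server."""
    queries = generate_traffic(attack_sources, attack_qps, seed)
    accepted, dropped = rate_limit(queries, PER_SOURCE_LIMIT)
    answered = serve(accepted, CAPACITY)
    return {
        "dropped_by_limit": dropped,
        "legit_answered": legit_answer_ratio(queries, answered),
    }


if __name__ == "__main__":
    print("no attack:        ", run_scenario(0, 0))
    print("1 source x 2000/s:", run_scenario(1, 2000))      # limiter absorbs it
    print("2000 bots x 1/s:  ", run_scenario(2000, 1))      # limiter sees nothing wrong
```

The single flooding source is cut to 20 accepted queries a second and every legitimate lookup is answered; the botnet sending the same 2000 queries a second from 2000 addresses never trips the per-source limit, the server's capacity is exhausted, and most legitimate lookups time out. That is the property of a distributed IoT botnet the quoted passages describe, and it is why operators rely on capacity, traffic scrubbing and distributed infrastructure rather than per-client limits alone.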
