istock-469460822

Here's What We Can Learn from the Cyber Attack That Broke the Internet

Yevgeniy Vahlis | Security First, Blog

On Friday, October 21, a major domain name system (DNS) provider called Dyn was subjected to a large-scale distributed denial-of-service (DDoS) attack. While at this early stage the details are still murky, it seems clear that Mirai botnet malware was involved in the attack.

In case you’re not a security geek like me, a DDoS attack is when a hacker takes control of a large number of individual computers on the Internet — each with its own unique IP address — and sends what looks like legitimate traffic to the targeted computers.

In the case of Dyn, the traffic was probably just DNS requests, where the requester asked to convert a domain name, such as www.amazon.com, into the IP address of a computer that can serve the content of Amazon’s website. Normally, a regular browser or email client can make such a request to find out which computer to connect to based on an action that the user takes. The DNS request is then followed by a content request to the IP address that was returned in response to the DNS query.

In case of a DDoS attack, however, the compromised computer that sends the request is not interested in the response, and in fact probably drops the connection before the response is even received. Instead, it sends out another DNS query, forcing the DNS server to allocate resources to serve the fake query. In the case of Friday’s attack, millions of distinct IP addresses (and therefore computers) were simultaneously sending these fake queries to one DNS server — the one owned by Dyn. As a result, any domain that was registered to be mapped to IP addresses through Dyn became inaccessible, including brands such as Amazon, Netflix, Shopify, Reddit, CNBC, GitHub and many others.

Some, like Amazon, have responded rapidly by switching their DNS registration to another provider. Others, such as GitHub, were not able to respond quickly enough and remained offline for hours. Since many tech companies use GitHub to host their code repositories, the outage cost many of them months or even years of cumulative wasted engineering time.

In light of Friday’s attack, two main questions are on everyone’s minds: How did someone gain control over millions of computers on the Internet, and what can be done to ensure it never happens again?

How Did Friday’s Attack Work?

The answer to the first question is embarrassingly simple, though it may not cover the entire fleet of zombie machines that was used in the attack. According to security firm Flashpoint, the Internet of Things botnet Mirai was involved in the attack (though it’s currently not clear what percentage of the attack traffic came from the botnet).

Mirai works by scanning the Internet for connected devices such as printers, IP cameras, routers and speakers; opening a connection to a known admin port; and trying a default login and password combination. Usually, it will try something like ‘admin’ and ‘password.’ There’s a very short list here, which may be incomplete. Amazingly, but perhaps not surprisingly, there are enough devices online where the password has never been changed that Mirai has been able to successfully construct a massive botnet.

There’s plenty of discussion online about the root causes that allow such software to be developed and deployed in production, or the lack of responsibility of the owners of those devices. We should learn a lesson from this and start writing more secure software, while also getting rid of passwords altogether and instead use something like Trusona’s service for passwordless authentication.

What Can We Do Today?

Rather than do a deep dive into that last point I’ll mention three strategies that companies can start following today to protect themselves against concerted DDoS efforts:

  1. Using Proof of Work (PoW). PoW is a cryptographic method that requires the requester to solve a mathematical puzzle before submitting a query. Solving the puzzle can take a few seconds and prevent any single device from rapidly sending requests to the same service. The good news is that there are services that provide PoW functionality as part of their products. One example is Cloudflare. Note that this approach can help a company that is a direct target of a DDoS, but will not be effective in cases where the attack is indirect (i.e., against a DNS server instead of the company’s servers), like the attack on Friday.
  1. Taking Advantage of Hard-Coded Fallback IP Addresses. This approach is applicable to products that have a native app that its customers can download. The app can contain an encrypted or obfuscated list of static IP addresses that are only used in case of an emergency to provide service. Naturally, the DDoS attacker can attempt to monitor when apps start using the fallback IPs and try to DDoS these addresses as well. However, this should provide a temporary respite and will prevent attacks against DNS servers from blocking access through the app.
  1. Having multiple channels for customers to interact with your service. This includes the various messaging platforms like Facebook, WhatsApp, WeChat or even SMS. By avoiding a single point of failure for access to your service, you are making the attacker’s job significantly more difficult. You are also putting a large amount of computer and networking infrastructure between your service and the customer, which can absorb a larger DDoS volume than if you were to rely on a single entry point.

Moving Forward in a World That Isn’t Secure

Historically we have enjoyed living in a (mostly) lawful society because laws exist and can be enforced. But the same is no longer true on the Internet. As the saying goes, “on the Internet no one knows that you’re a dog.” And with that anonymity, along with the vast number of Internet-enabled devices with poor security that have flooded the market, attackers are able to take any action on the Internet with impunity. Law enforcement is struggling to keep up and the result is an increase in the number of, and the scale of, attacks against legitimate Internet services.

However, the good news is that Friday’s attacks showed very clearly that companies, such as Amazon, that take a security first stance and prepare for the worst, are able to control their own fate and deal with adverse conditions on the Internet much better than companies that sheepishly look to others to solve their security problems.

Being able to cope with attacks, and to avoid being part of the problem through poor security practices, will become an evolutionary filter. Simply put, the businesses that can continue to operate even when subjected to malicious digital behavior will thrive, while their competitors will fade away.