Wondering what on earth we are on about? Let us catch you up….Whilst we were kicking back here on the deck in NZ enjoying our Labour weekend barbie, quite a few people in the US were trying to login to their Netflix to be met with an error. They may have then jumped to their Spotify account or their Twitter feed which were also unresponsive. Coincidence? Unfortunately not. All of these sites, plus many others, were impacted by a "well organised and globally distributed" DDoS attack which disrupted a significant portion of global Internet traffic, starting in the US, Europe and most recently affecting a handful of Aussie enterprises. In this two part blog series we’ll explain why the recent IoT-powered DDoS attacks should serve as a wake-up call to Kiwi organisations and service providers alike and what steps you can take to prevent your organisation being comprised by a potential attack.
A DDoWha and a Dnwho?
DDoS: A DDoS or Distributed Denial of Service attack is when shady cyber-crims use a large number of hacked or ill-configured systems to flood a target site web address/application with so much junk traffic that it can no longer serve legitimate visitors and in turn takes the site or service down.
DNS: In long form - Domain Name System services is an essential component of all websites, responsible for translating human-friendly website names like “example.com” into numeric, machine-readable Internet addresses. Anytime you send an email or browse a website, your machine is sending a DNS lookup request to your Internet Service Provider (or if you’re into your acronyms - ISP) to help route the traffic.
In 2016, DNS is a fundamental element of an enterprise or service provider’s critical infrastructure. DNS provides the translation between domain names that we use every day i.e. netflix.com and machine-readable IP addresses. In short, without DNS services, users simply are not able to reach websites, even though the sites themselves may be running just fine.
This attack was particularly damaging as it wasn't focused on a single specific domain, but rather a popular DNS provider - Dyn. Many major internet properties and Software as a Service brands leverage Dyn for DNS services and were impacted as a result. A quick visit to DownDetector.com will show you the many popular sites impacted:
The skinny on DDos Attacks: DDoS attacks against DNS providers are generally more challenging to accomplish than a standalone brand given the redundant nature of services which suggests that this attack came with significant global firepower. On the other hand, DNS attacks when successful are more damaging as they impact any internet properties relying on that particular DNS provider.
DDoS attacks have been in the spotlight recently after popular security journalist “old mate Krebs” had his site taken offline by what at the time was considered the largest DDoS attack ever recorded based on traffic volume. That attack was particularly scary, not just because of the size, but because it was powered by thousands of IoT devices (or should we say Internet of Things which are run of the mill household devices from sensors through to baby monitors and everything between that can be controlled through the internet).
It's no secret that Internet-connected devices have for years been sold with weak to nonexistent security and known default passwords that are never changed. This was, however, a moment where the risk posed by such devices was on clear display. Post that attack, the source code from the KrebsOnSecurity DDoS attack was leaked online and, not surprisingly, it appears that Saturday's Dyn DDoS attack was powered at least in part by the same Mirai code and vulnerable IoT devices, including webcams and DVRs.
So what’s the big deal and what does it mean for Kiwi businesses? The damage caused to world leading brands in recent attacks, and the fact that such attacks can be conducted by small team or even determined teenagers from the comfort of their own bedroom should serve as a wake-up call to enterprises everywhere. Organisations often mistakenly assume that their Internet/IT infrastructure is simply "too big to fail." They’ve purchased significant amounts of bandwidth, rarely coming anywhere near peak capacity, and they leverage service providers that can deliver more as needed. Yet the reality of a DDoS attack exceeding 1000 Gbps, as was the case in the KrebsOnSecurity attack, is that any site would struggle to stay afloat. Bandwidth alone isn’t enough.
Interestingly, someone is now targeting infrastructure providers with extortion attacks. According to a forum on Reddit, a discussion thread started Wednesday this week on Web Hosting Talk, criminals are now invoking the Mirai author’s nickname in a bid to extort Bitcoins from targeted hosting providers.
“If you will not pay in time, DDoS attack will start, your web-services will go down permanently. After that, price to stop will be increased to 5 BTC with further increment of 5 BTC for every day of attack.
NOTE, I’m not joking.
My attack are extremely powerful now – now average 700-800Gbps, sometimes over 1 Tbps per second. It will pass any remote protections, no current protection systems can help.”
Enterprise and service providers alike require proactive DDoS defence services to mitigate the attacks as they emerge. The fact that such attacks were driven by insecure globally distributed IoT devices that are easy to identify and exploit is deeply concerning as it exposes tremendous firepower to even small, unsophisticated groups of attackers.
The massive IoT-powered DDoS attacks against KrebsOnSecurity and Dyn should serve as a wake-up call for traditional hardware security vendors and businesses across our region. To find out how to protect your organisation check out part two of our blog If the likes of Netflix, Spotify & Twitter can go down what does that mean for my organisation?