Last Friday, the internet experienced a monumental outage of the servers of Dyn, a DNS provider, caused by an unprecedented army of botnets, some of which were built from the Mirai source code.
At 7:10 a.m. EDT on Friday morning, Dyn began investigating a DDoS attack against their infrastructure, an attack that mainly targeted the east coast of the United States. By 9:20 a.m. EDT, the attack had been mitigated, only for the servers to be taken down again in a separate attack two and a half hours later, according to their incident report.
In Dyn’s official statement on the attack, Kyle York, Dyn’s Chief Strategy Officer, says, “We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.”
However, the day before the attack occurred, Dyn posted an article on their blog about the impact that recent IoT attacks have had on DNS operators. Ironically, in reference to the Mirai botnet, Chris Baker, Dyn’s Principal Data Analyst, explains that this particular botnet has an ‘exhaustion function’ that leaves an “authoritative DNS provider with a fingerprint”. He also mentions that this “requires an in-depth logging history for a high volume systems with some potential privacy implications.”
So what could have been done to prevent this massive attack that occurred only one day later?
In a blog post about the attack, Daniel Smith, an Information Security Researcher for Radware, says that, “Internet clients could have avoided the outage on October 21st if they had used a 2nd party for their secondary DNS.”
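The advice above amounts to a simple check on a zone's NS set: several nameservers are not redundancy if they all belong to one operator. The following is an added example, not code from the article or from any of the companies it quotes; the helper functions and the nameserver hostnames are constructed for illustration, and the operator heuristic (last two labels) is a stated simplification.

```python
# Added example, not from the article: flags zones whose NS records all
# belong to a single DNS operator, the single point of failure the quoted
# advice about a second-party secondary DNS provider is meant to remove.
from collections import defaultdict


def operator_of(nameserver: str) -> str:
    """Approximate the operator of a nameserver by its registrable domain.

    Assumption: the last two labels identify the operator. Multi-part public
    suffixes (e.g. .co.uk) would need a public-suffix list to classify
    correctly; this simplification is deliberate to keep the example offline.
    """
    labels = nameserver.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def operator_diversity(ns_records):
    """Group NS hostnames by operator; returns {operator: [hostnames]}."""
    groups = defaultdict(list)
    for ns in ns_records:
        groups[operator_of(ns)].append(ns)
    return dict(groups)


def has_secondary_provider(ns_records) -> bool:
    """True only if at least two distinct operators serve the zone.

    ns1/ns2/ns3 under one operator still share that operator's fate during
    an outage like the one described, so they do not count as a secondary.
    """
    return len(operator_diversity(ns_records)) >= 2


# Constructed sample data (not real zones): one zone served entirely by a
# single operator, one zone with a second operator added as secondary.
SINGLE_OPERATOR_ZONE = [
    "ns1.provider-a.example.", "ns2.provider-a.example.", "ns3.provider-a.example.",
]
DUAL_OPERATOR_ZONE = [
    "ns1.provider-a.example.", "ns2.provider-a.example.", "ns1.provider-b.example.",
]

if __name__ == "__main__":
    for label, ns in (("single", SINGLE_OPERATOR_ZONE), ("dual", DUAL_OPERATOR_ZONE)):
        print(label, operator_diversity(ns), "secondary provider:", has_secondary_provider(ns))
```

To run it against a live zone, feed the function the NS hostnames returned by a resolver query for the zone instead of the constructed lists.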
Carl Herberger, an IT Security Expert for Radware, told Tech.Mic that the attack was most likely targeting Dyn’s individual clients, not the DNS provider itself. Interestingly, the affected sites were outlets like Netflix, Spotify, and Tumblr that are most popular amongst Millennials.
“DNS has often been neglected in terms of its security and availability from an enterprise perspective,” Richard Meeus, of NSFOCUS, told the Inquirer. “This attack highlights how critical DNS is to maintaining a stable and secure internet presence, and that the DDoS mitigation processes businesses have in place are just as relevant to their DNS service as it is to the web servers and data centers.”
However, protecting against these threats is not solely the shared responsibility of web clients, DNS providers, and third-party DDoS protection services.
On Sunday, a Chinese manufacturing company came forward and took responsibility for the role their internet-connected cameras and DVRs played in the massive DNS takedown. This was partly due to weak default passwords installed in the devices’ firmware.
However, Flashpoint’s Zach Wikholm told KrebsOnSecurity, “The issue with these particular devices is that a user cannot feasibly change this password.” He adds, “The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”
On a consumer level, we’re not so good at passwords either.
According to a survey released today from IT security firm ESET, “more than 40 percent [of Americans] are not confident that IoT devices are safe, secure, and protect personal information.” Even so, almost 30% of respondents haven’t changed their router’s default settings, and 14% don’t even know how many devices are connected to their router.
Even amongst all of the finger pointing, we still don’t know who is actually responsible for the attack. There’s speculation about various hacking groups, along with this tweet from WikiLeaks, referencing a theory that the takedown was in revenge for Julian Assange’s own Internet shut-off:
“Mr. Assange is still alive and WikiLeaks is still publishing. We ask supporters to stop taking down the US internet. You proved your point.” pic.twitter.com/XVch196xyL (WikiLeaks, @wikileaks, October 21, 2016)
With last month’s record 620 Gbps attack that took down security researcher Brian Krebs' website, the power behind current DDoS attacks is increasing. Who knows what’s coming next?