Last Friday (21 Oct), one of the largest DDoS attacks ever seen caused widespread internet outages, affecting services from Twitter, AWS, Reddit, Netflix, Spotify, CNN, PayPal, the NY Times, the WSJ, and others. The attack was directed at Dyn, a domain name service provider whose servers resolve domain names to internet addresses, directing web traffic to the affected companies. Dyn is like an internet postal code or zip code lookup system. A statement from Dyn reported traffic from “10s of millions of IP addresses”, and customers of affected sites were unable to access web services for about two hours. Two things stood out about this DDoS attack: (1) the increased traffic was not aimed directly at the networks affected, but at the DNS servers hosted by Dyn, and (2) the attack was conducted through a botnet of infected IoT devices, known as Mirai.
As one commentator on Twitter put it: the internet, which was designed to withstand nuclear attack, was taken down by a bunch of toasters.
There are several methods of conducting DDoS attacks; however, the method used here, involving large numbers of source devices, is particularly difficult to defend against. Mirai is the same botnet recently used to attack the website of security journalist Brian Krebs. The source code for Mirai was made public at the end of last month, so it is likely that there are several variations out there. The botnet searches the internet for IoT devices that can be accessed through known default passwords. Botnets have been advertised on the Alpha Bay dark net market for as little as $7500 per 100,000 devices, capable of generating 1 terabit of traffic.
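The propagation method described above, logging into IoT devices over Telnet with factory-default credentials, leaves a recognisable trace in device or gateway logs: bursts of failed logins from one source, sometimes followed by a success. The detection logic below is an added example, not Mirai's code or this post's own; it assumes a syslog-style line format from a hypothetical `telnetd` (constructed here), and flags sources that fail repeatedly within a short window, noting whether they subsequently logged in.

```python
"""Flag Telnet login bursts in a syslog-style authentication log.

Added example: the log format is assumed and the sample lines are constructed;
addresses are from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed line format: "<Mon DD HH:MM:SS> <host> telnetd[<pid>]: login <failed|ok> for '<user>' from <ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|ok) for '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # harmless for computing intervals within a single log file.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def flag_sources(lines: List[str], threshold: int = 5,
                 window: timedelta = timedelta(minutes=2)) -> Dict[str, dict]:
    """Return sources with >= `threshold` failed logins inside any `window`.

    Each flagged entry records the total failure count and whether the same
    source later logged in successfully (a likely default-credential hit).
    """
    failures: Dict[str, List[datetime]] = defaultdict(list)
    successes: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        bucket = failures if ev["result"] == "failed" else successes
        bucket[ev["src"]].append(ev["ts"])

    flagged: Dict[str, dict] = {}
    for src, times in failures.items():
        times.sort()
        # Sliding window: do any `threshold` consecutive failures fit in `window`?
        burst = any(
            times[i + threshold - 1] - times[i] <= window
            for i in range(len(times) - threshold + 1)
        )
        if burst:
            flagged[src] = {
                "failures": len(times),
                "login_after_failures": any(s > times[0] for s in successes.get(src, [])),
            }
    return flagged


# Constructed sample log: one brute-force burst that ends in a successful login,
# one isolated failure, and five failures spread over 40 minutes (no burst).
SAMPLE_LOG = [
    "Oct 21 10:00:01 cam01 telnetd[411]: login failed for 'root' from 203.0.113.7",
    "Oct 21 10:00:03 cam01 telnetd[411]: login failed for 'root' from 203.0.113.7",
    "Oct 21 10:00:05 cam01 telnetd[411]: login failed for 'admin' from 203.0.113.7",
    "Oct 21 10:00:07 cam01 telnetd[411]: login failed for 'admin' from 203.0.113.7",
    "Oct 21 10:00:09 cam01 telnetd[411]: login failed for 'root' from 203.0.113.7",
    "Oct 21 10:00:11 cam01 telnetd[411]: login failed for 'root' from 203.0.113.7",
    "Oct 21 10:00:13 cam01 telnetd[411]: login ok for 'root' from 203.0.113.7",
    "Oct 21 10:05:00 cam01 telnetd[412]: login failed for 'root' from 198.51.100.2",
    "Oct 21 09:00:00 cam01 telnetd[400]: login failed for 'root' from 192.0.2.9",
    "Oct 21 09:10:00 cam01 telnetd[401]: login failed for 'root' from 192.0.2.9",
    "Oct 21 09:20:00 cam01 telnetd[402]: login failed for 'root' from 192.0.2.9",
    "Oct 21 09:30:00 cam01 telnetd[403]: login failed for 'root' from 192.0.2.9",
    "Oct 21 09:40:00 cam01 telnetd[404]: login failed for 'root' from 192.0.2.9",
    "Oct 21 09:45:00 cam01 cron[9]: unrelated line that the parser skips",
]

if __name__ == "__main__":
    for src, info in flag_sources(SAMPLE_LOG).items():
        print(src, info)
```

The window-based rule is deliberately simple; in practice the threshold and window would be tuned to the device population, and a source that is flagged with `login_after_failures` set is the one to investigate first, since it indicates a default password was accepted rather than merely guessed at.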
In last week’s attack, IoT devices were not the target; they were the attack vector. Infected IoT devices were commandeered to bombard Dyn’s DNS servers, and by inundating these services the attackers were able to deny legitimate customers access to the networks of the affected companies. Many of the IoT devices employed in Friday’s attack are from the Chinese firm Xiongmai Technology, a manufacturer of cameras and surveillance camera components. Xiongmai reported that it had recently disabled Telnet access on many of its devices. Xiongmai also released a statement saying that it will recall many of the products used in the attack: a rare event, recalling hardware for a software issue. My guess is that the company will be shipping with remote software update capability in the near future.
IoT manufacturers typically lack both the skills and the motivation to add security. Security is not a strong selling feature for IoT devices. Compliance requirements are probably the best way to ensure IoT devices are shipped with sufficient security built in.
Although Dyn reported that last week’s attack came from “10s of millions” of IP addresses, this does not necessarily mean it involved that number of devices. The Mirai botnet can randomise the source IP address of the packets it sends, so the number of distinct addresses observed is not a reliable count of devices. It is likely, however, that a large number of devices were involved (perhaps half a million, but nothing like 10s of millions). I have previously warned about DDoS attacks from IoT devices. With an increasingly large number of IoT devices being deployed (Gartner predicts over 20 billion devices by 2020), many with insufficient security, there will certainly be more attacks from this direction in the future.
High-profile internet companies should use a secondary, back-up DNS provider to protect against such an attack on a DNS server in the future. These companies should also make the TTLs (Time to Live) on their DNS records longer, so that resolvers can keep serving cached answers while the authoritative servers are unreachable.
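Both recommendations can be checked mechanically against a zone's delegation and record TTLs. The script below is an added example, not Dyn's or the post's own tooling: it does not query live DNS, but evaluates nameserver names and TTL values you pass in (for instance copied from `dig NS` and `dig A` output), reporting whether the nameservers span more than one provider and whether each record's TTL meets a minimum you choose. The provider heuristic (last two labels of the nameserver hostname) and the one-hour threshold are assumptions.

```python
"""Assess a zone for DNS-outage resilience: provider diversity and cache TTLs.

Added example; nameserver names and thresholds below are constructed.
"""
from typing import Dict, List

# Assumed policy: cached answers should survive at least an hour without the
# authoritative servers being reachable.
MIN_TTL_SECONDS = 3600


def provider_of(nameserver: str) -> str:
    """Rough provider key for a nameserver hostname: its last two labels.

    'ns1.p01.primary-dns.example.' -> 'primary-dns.example'. Good enough to
    spot a delegation that depends on a single operator; a public-suffix list
    would be needed for exotic TLDs.
    """
    labels = nameserver.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def check_ns_diversity(nameservers: List[str]) -> Dict[str, object]:
    """OK when the NS set is served by at least two distinct providers."""
    providers = sorted({provider_of(ns) for ns in nameservers})
    return {"providers": providers, "ok": len(providers) >= 2}


def check_ttls(records: Dict[str, int],
               min_ttl: int = MIN_TTL_SECONDS) -> Dict[str, object]:
    """OK when every record's TTL (seconds) is at least `min_ttl`."""
    too_short = {name: ttl for name, ttl in records.items() if ttl < min_ttl}
    return {"too_short": too_short, "ok": not too_short}


def assess(nameservers: List[str], records: Dict[str, int],
           min_ttl: int = MIN_TTL_SECONDS) -> Dict[str, object]:
    """Combine both checks; `resilient` is True only when both pass."""
    ns = check_ns_diversity(nameservers)
    ttl = check_ttls(records, min_ttl)
    return {"ns": ns, "ttl": ttl, "resilient": bool(ns["ok"] and ttl["ok"])}


# Constructed sample delegations (names are placeholders, not real providers).
SINGLE_PROVIDER_NS = [
    "ns1.p01.primary-dns.example.",
    "ns2.p01.primary-dns.example.",
    "ns3.p02.primary-dns.example.",
]
DUAL_PROVIDER_NS = SINGLE_PROVIDER_NS + [
    "ns1.backup-dns.example.",
    "ns2.backup-dns.example.",
]
SHORT_TTLS = {"www.example.": 300, "api.example.": 60}
LONG_TTLS = {"www.example.": 3600, "api.example.": 7200}

if __name__ == "__main__":
    print(assess(SINGLE_PROVIDER_NS, SHORT_TTLS))
    print(assess(DUAL_PROVIDER_NS, LONG_TTLS))
```

Longer TTLs cut both ways: they keep sites reachable through an authoritative outage, but they also delay any deliberate record change (such as failing over to a new address) by up to the TTL, so the threshold should be chosen with that trade-off in mind and lowered in advance of planned migrations.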