DNS service provider Dyn was hit several times on Friday by a DDoS (distributed denial of service) attack: attackers flooded its systems with so much traffic that legitimate requests could not get through. The outage affected Dyn customers such as Twitter, Netflix, The New York Times, Spotify, and others. This was a sophisticated, highly distributed attack involving tens of millions of endpoints, carried out by a botnet of compromised, insecure IoT (Internet of Things) devices such as IP-enabled cameras and smart-home devices. The bot malware hijacks those devices and uses them to blast Dyn's servers with bogus traffic, clogging the pipes.
DNS is the phonebook of the Internet: it translates hostnames like www.securityinnovation.com into the IP addresses of the servers that actually hold the content. DNS is so central to how we use the Internet that we probably couldn't imagine the web without it, and as a result attackers have targeted it in many ways over the years.
Because so many companies were affected, the cost of the downtime is almost incalculable. The root cause is a lack of diversity in hosting: all of these companies relied on the same "cloud" infrastructure (Dyn's DNS servers in this case), so when it failed, it failed for everyone. The more we centralize our infrastructure with a handful of providers, the more we put ourselves at risk, and we are likely to see more large outages like this in the future.
Dyn sells a service that helps large Internet properties operate at speed and protect themselves against DDoS attacks; however, the capacity of the attackers now exceeds the capacity of those who provide protection. Ironically, Dyn advertises DDoS protection as one of its services. I realize that not every threat can be mitigated, but as Dyn went through its threat model analysis, I'm not sure how it missed its single biggest threat, which is DDoS. In an interview on NECN/NBC Universal, I equated this to someone hosting Thanksgiving and not making enough turkey. You can run out of sweet potato pie or turnip, but to run out of turkey on Thanksgiving is simply not acceptable.
Progressive companies like Netflix plan for these types of attacks by not relying on a single infrastructure platform like Dyn. Instead, they build failover plans and operations centers for exactly this type of event. Netflix also created and uses Chaos Monkey, a tool that randomly terminates production instances, so they can continuously test that their redundancies work and see how their systems react to various failures.
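The practical form of the point above, as an added example (not code from the original post, nor from Dyn or Netflix): a small Python check that groups a zone's NS records by operator and flags a delegation that depends on a single DNS provider. The zone and nameserver names below are constructed and the provider names are hypothetical; a real audit feeds in the output of `dig +short NS <zone>`.

```python
"""Audit a zone's NS delegation for single-provider dependency.

Added example (not from the original post). The NS records below are
constructed; in practice feed the output of `dig +short NS <zone>`.
"""
from collections import defaultdict

# Constructed sample delegations (hypothetical provider names).
SAMPLE_ZONES = {
    # Every nameserver belongs to one operator: the single point of failure
    # that took the Dyn customers offline.
    "single-provider.example": [
        "ns1.p01.dnsprovider-a.example.",
        "ns2.p01.dnsprovider-a.example.",
        "ns3.p02.dnsprovider-a.example.",
        "ns4.p02.dnsprovider-a.example.",
    ],
    # Two independent operators: one provider outage leaves the zone resolvable.
    "multi-provider.example": [
        "ns1.dnsprovider-a.example.",
        "ns2.dnsprovider-a.example.",
        "ns1.dnsprovider-b.example.",
        "ns2.dnsprovider-b.example.",
    ],
}


def provider_of(ns_name: str) -> str:
    """Heuristic operator key: the registrable domain of the nameserver name.

    Takes the last two labels, which is right for .com/.net-style names and
    for the sample data; for ccTLD second-level domains (co.uk, com.au) a
    public-suffix list would be needed instead.
    """
    labels = ns_name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def audit_delegation(zone: str, ns_records, min_servers: int = 2,
                     min_providers: int = 2) -> dict:
    """Group nameservers by operator and report single points of failure.

    Returns a dict with the per-provider grouping and a list of findings;
    an empty findings list means the delegation passes both checks.
    """
    by_provider = defaultdict(list)
    for ns in ns_records:
        by_provider[provider_of(ns)].append(ns.rstrip(".").lower())

    findings = []
    if len(ns_records) < min_servers:
        findings.append(
            f"only {len(ns_records)} nameserver(s) delegated (want >= {min_servers})"
        )
    if len(by_provider) < min_providers:
        only = ", ".join(sorted(by_provider))
        findings.append(
            f"all {len(ns_records)} nameservers are operated by {only}: "
            "an outage at that one provider takes the whole zone offline"
        )
    return {"zone": zone, "providers": dict(by_provider), "findings": findings}


if __name__ == "__main__":
    for zone, records in SAMPLE_ZONES.items():
        result = audit_delegation(zone, records)
        status = "FAIL" if result["findings"] else "OK"
        print(f"{status} {zone}: {len(result['providers'])} provider(s)")
        for finding in result["findings"]:
            print("   -", finding)
```

The check only reads the delegation; actually running two providers means keeping the zone in sync between them (commonly by zone transfer, AXFR/IXFR, from a hidden primary, or by pushing the same records to both providers' APIs), and the failover plan has to be exercised, which is the point of the Chaos Monkey approach described above.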
The IoT aspect of this attack should not be underestimated. Many of us in the security industry have warned for years that the millions of IoT devices connected to the web are insecure, both older devices already in the field and newly deployed ones. Even if every device shipped from this day forward were secure, there are still tens of millions of poorly secured devices that will continue to plague us for years. The lack of security on these IoT devices has handed attackers an on-demand army to use in the biggest DDoS attack the Internet has ever seen. Worse still, the technical skill required to build and operate this army is within the grasp of teenagers.
Some are downplaying this attack, saying that only media companies were affected and that it was nothing more than an inconvenience. But the Internet is part of our critical infrastructure: we depend on it for commerce, communication, and core utilities. One might suggest we were lucky that this attack didn't take out more critical services and disrupt something more important than Friday movie night.
How Can We Better Address IoT Security Challenges?
In order to better address IoT security challenges, we need to work together to secure these devices:
- As consumers, push for better IoT security from our vendors
- As manufacturers, fix or patch insecure devices already deployed (acknowledge this could be costly in terms of time and money)
- As manufacturers, also build new products with security in mind from the start
- Threat model for disaster recovery and fail-over systems
- ISPs could do better at detecting and blocking attack traffic at the source, before it reaches its targets (there are some net neutrality implications here, though)
- Collaborate and share information. When the Izz ad-Din al-Qassam attacks against the banks were being executed, otherwise competing banks did a good job of cooperating
- The dreaded government mandate, e.g., require any company producing Internet-capable devices to comply with regulations similar to the FCC U-NII device security rules or PCI-DSS