Why did the internet go down in October?
by Ken May
Last month, a malicious person or group took down numerous popular websites in a massive distributed denial-of-service (DDoS) attack against the domain name service provider Dyn. DDoS attacks are neither new nor very sophisticated. To carry one out, the attacker sends a massive amount of traffic at the victim’s system, causing it to slow to a crawl and eventually crash. There are some variants on this method, but basically, it’s a battle of data-pipe size between attacker and victim. If the defender has a larger capacity to receive and process data, he or she will win. If the attacker can throw more data than the victim can process, he or she will win.
The attacker can build a giant data cannon, but that is prohibitively expensive. It is much smarter to recruit millions of innocent computers on the internet. This is the “distributed” part of the DDoS attack, and pretty much how it’s worked for decades. Cybercriminals infect innocent computers around the internet and recruit them into a botnet. They then target that botnet against a single victim.
You can imagine how it might work in the real world. If I can trick tens of thousands of others into ordering pizzas to be delivered to your house at the same time, I can clog up your street and prevent any legitimate traffic from getting through. If I can trick many millions, I might be able to crush your house under the weight. That’s a DDoS attack — it’s simple brute force.
The Dyn attacks probably did not originate with a government. The perpetrators were most likely hackers mad at Dyn for helping security researcher Brian Krebs identify — and the FBI arrest — two Israeli hackers who were running a DDoS-for-hire ring. Recently, there has been some evidence of probing DDoS attacks against internet infrastructure companies that appear to be perpetrated by nation-states. But, honestly, we don’t know for sure.
The botnets attacking Dyn and Brian Krebs consisted largely of unsecure Internet of Things (IoT) devices — webcams, digital video recorders, routers and so on. This isn’t new, either. We’ve already seen internet-enabled refrigerators and TVs used in DDoS botnets. But again, the scale is bigger now. In 2014, the news was hundreds of thousands of IoT devices — the Dyn attack used millions. Analysts expect the IoT to increase the number of things on the internet by a factor of 10 or more. Expect these attacks to similarly increase. That leaves the victims to pay. This is where we are in much of computer security. Because the hardware, software and networks we use are so unsecure, we have to pay an entire industry to provide after-the-fact security.
Reference: SecurityIntelligence, accessed 11/01/2016