Last week the internet was out in a couple of places. Hopefully that’s a bit of a wake-up call.
The cause wasn’t immediately clear, leaving large swaths of the U.S. population without access to popular sites like Amazon, Reddit, Twitter, Soundcloud, Netflix, and Spotify. In some ways this was just the most public version of a type of attack that plays out daily across the internet. It’s also a sort of harbinger of what’s to come. Either way, here are the facts and figures you need to know about this attack.
So what kind of attack was this? What happened?
Last Friday saw the internet experience a distributed denial of service, or DDoS, attack. Basically, internet ne’er-do-wells bombard a system or network with junk traffic until it is overwhelmed and knocked offline. It works the same way as when Beyoncé posts a link to something and so many of her fans click on it that the servers crash, only this time it’s being done by hackers with the specific intention of degrading or interrupting the service of a site.
So how were they able to take out some of the top sites on the internet? Aren’t they built for major traffic?
That’s true! Netflix alone can account for 37 percent of North American internet traffic. We really like “BoJack Horseman” over here.
The key link here is Dyn, a major DNS provider. They’re the folks who operate as the link between the name in the URL typed into your browser and the corresponding IP addresses. By attacking Dyn instead of any one website, hackers were able to overwhelm that directory function and cause loading and access problems across major chunks of the internet.
The DDoS attacks on Dyn began Friday morning, and though service seemed to be restored by 9:30 EST that morning, a second and third wave hit at noon and 4:30 PM, respectively. Though the attack was initially focused on the company’s data centers on the U.S. East Coast, later in the day it moved on to international data centers.
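To make the “directory function” concrete, here is an added illustration (not code from the original article or from Dyn) of why an outage at an authoritative DNS provider takes many sites down at once: a toy resolver that serves answers from a cache until each record’s TTL expires, then has to ask the provider again. The names, IP addresses and TTLs are constructed sample data, and the `AuthoritativeDown` condition is a stand-in for the provider being unreachable under attack.

```python
"""Added illustration (not from the original article): a toy DNS cache showing
why an outage at an authoritative DNS provider takes many sites offline at once.
All names, IPs and TTLs below are constructed, not real records."""
import time


# Constructed "authoritative" zone data: a stand-in for the records a provider
# like Dyn would serve. Values are (IP address, TTL in seconds).
AUTHORITATIVE_RECORDS = {
    "shop.example": ("203.0.113.10", 60),
    "video.example": ("203.0.113.20", 300),
}


class AuthoritativeDown(Exception):
    """Raised when the authoritative server cannot be reached (e.g. under DDoS)."""


class Resolver:
    """A minimal caching resolver: cache hits are answered locally, everything
    else has to go back to the authoritative provider."""

    def __init__(self, records, now=time.time):
        self.records = records          # what the authoritative provider knows
        self.cache = {}                 # name -> (ip, expires_at)
        self.now = now                  # injectable clock so TTL expiry can be simulated
        self.upstream_available = True  # flipped to False to model the provider being down

    def resolve(self, name):
        """Return the IP for name, serving from cache while its TTL is still valid."""
        t = self.now()
        cached = self.cache.get(name)
        if cached and cached[1] > t:
            return cached[0]
        if not self.upstream_available:
            raise AuthoritativeDown(f"cannot resolve {name}: authoritative server unreachable")
        if name not in self.records:
            raise KeyError(name)
        ip, ttl = self.records[name]
        self.cache[name] = (ip, t + ttl)
        return ip


def simulate_outage():
    """Walk through cache warm-up, a provider outage, and TTL expiry.
    Returns a list of (step, outcome) pairs describing each lookup."""
    clock = [1000.0]
    resolver = Resolver(AUTHORITATIVE_RECORDS, now=lambda: clock[0])
    results = []

    # 1. Normal operation: the first lookup goes to the authoritative provider.
    results.append(("warm", resolver.resolve("shop.example")))

    # 2. The provider is knocked offline; a cached name still resolves.
    resolver.upstream_available = False
    results.append(("cached", resolver.resolve("shop.example")))

    # 3. A name nobody cached fails immediately: this is what most users saw.
    try:
        resolver.resolve("video.example")
        results.append(("uncached", "ok"))
    except AuthoritativeDown:
        results.append(("uncached", "failed"))

    # 4. Once the 60 s TTL expires, even the cached name stops resolving.
    clock[0] += 61
    try:
        resolver.resolve("shop.example")
        results.append(("expired", "ok"))
    except AuthoritativeDown:
        results.append(("expired", "failed"))
    return results


if __name__ == "__main__":
    for step, outcome in simulate_outage():
        print(f"{step:>8}: {outcome}")
```

The point of the walk-through is step 4: caches buy a site only as much time as its TTL, so the longer the provider stays unreachable, the more names drop out of every resolver on the internet, which is why a single target (Dyn) produced outages at dozens of unrelated companies.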
“The complexity of the attacks is making it complicated for us. It’s so distributed, coming from tens of millions of source IP addresses around the world. What they’re doing is moving around the world with each attack,” Dyn’s chief strategy officer Kyle York explained to reporters on Friday. “It’s a very smart attack. As we mitigate, they react.”
Can I trust Dyn?
Sure! Right now they’re working with law enforcement and Homeland Security to investigate the attacks. It’s hard for them to say if it came from any specific nefarious group or country, since they were seeing traffic from tens of millions of discrete IP addresses around the globe.
If you look at DownDetector’s outage map you’ll see that many companies—The New York Times, Boston Globe, Vox, Airbnb, Github, and more, in addition to the ones listed above—had their service impacted around the world (though mainly in the US and parts of Europe). So far none of them have claimed that Dyn did any wrongdoing, or tried to pull out of their agreement with them.
Well ok. So now the internet’s all fixed, back to normal, right?
Sadly, no. Though attacks like this tend to happen on a smaller scale all around the internet all the time, Friday’s DDoS is more like the sort of cyberterrorism we’re likely to see in coming years. The attacks will be bigger, on more high-profile targets, and possibly even more common. DDoS attacks like this are sometimes accompanied by extortion letters demanding some sort of cyber currency in exchange for stopping an attack (although in this case Dyn did not report any such letters). In the future this may be the new normal, not the exception.
Wait but how? I thought everyone was all about encryption these days?
Yeah, about that. Encryption is becoming more of a hot topic specifically because we’re at the weird tipping point of it all: It’s big enough that law enforcement is starting to take notice, and it’s big because there’s finally technology that allows for end-to-end encryption on many of our day-to-day apps (Messenger, texting, phone calls, emails, etc.) as well as equipment.
Problem is, not everything we’re using is getting encrypted properly—or even at all. You’ve heard about how holes in driverless cars and toys can allow hackers to gain access? Well, that’s exactly what we’re looking at here.
Friday’s DDoS was caused by malware known as Mirai, which specifically targets Internet of Things (IoT) devices like webcams, DVRs, refrigerators, printers, cars—you get the picture. Basically any “smart” appliance you have that’s linked to the internet? Part of the Internet of Things. And also, an access point for hackers.
Perhaps most unfortunately, it was really just a matter of time before someone abused these devices and their loopholes on a grand scale.
“Cyber vulnerabilities of IoT devices are nothing new. Simply rewind to the FTC’s 2014 enforcement action against TRENDnet, which marketed its internet-connected SecurView cameras for everything from home security to baby monitoring. Only problem – the cameras’ software allowed online viewing by anyone with a camera’s IP address,” wrote Peter Sloan on Information Bytes.
“This time the DDoS sources reportedly included large numbers of hacked Internet-connected devices, including video cameras and digital video recorders…Basically, it appears in the reporting that Internet of Things (IoT) consumer devices with factory-default usernames and weak passwords were likely hacked on a huge scale and enlisted in Friday’s attacks.”
As TechCrunch reports, this attack itself follows pretty shortly after one of the largest DDoS strikes in history:
Mirai botnet to target the website of independent cybersecurity journalist Brian Krebs. Although DDoS attacks have historically used large networks of compromised computers called botnets to send junk traffic to sites, overwhelming them and making them inaccessible to legitimate users, the Krebs attack expanded in scale by using compromised Internet of Things devices like security cameras to build a botnet. IoT devices are cheaply manufactured and notoriously insecure, making them easy to compromise.
After the attack on Krebs’ website, the code used to build the botnet leaked online, making more massive DDoS attacks all but inevitable.
“There are 3.4 billion internet users globally and 10 to 15 billion IoT devices. It’s a complex world. All we can do is lock arms together and see how we can rectify this,” York said.
Yikes, that’s not good. Well what do I do?
Like anywhere on the internet, be careful. When you have an IoT device, don’t take its place in your household lightly. The maker of one of the IoT cameras that was (at least partially) to blame for Friday’s massive outage will be recalling some of its products in the US. But they’re far from the only device with outdated security mandates.
Americans are on the whole fairly skeptical of the state of IoT security, but still a third of them are using default logins and passwords. And it doesn’t take all that many devices. 100 systems interacting with each other makes for about 5,000 interactions and potential vulnerabilities. 300 systems means 45,000; 1,000 gets to about 12.5 million. Make sure you’re paying attention to all the points of access you’re leaving open: Sure there’s a password on your wifi, and you make sure your computer has the latest security set-up, but what about that wireless printer? That bring-your-own-device policy at work? Your kitchen appliances?
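The practical version of “pay attention to all the points of access you’re leaving open” is an inventory you can actually check. Here is an added example (not from the original article, and not any vendor’s tool) that audits a list of household or small-office devices for the two conditions the Mirai reporting above singles out: factory-default or weak credentials, and reachability from the internet. The device inventory, model names and per-model default credentials are all constructed sample data; in real use you would copy each model’s defaults from its own manual.

```python
"""Added illustration (not from the original article): auditing a device
inventory for factory-default and weak credentials and internet exposure.
The inventory and the per-model default list are constructed sample data."""

# Constructed: factory defaults per (made-up) device model, as they would be
# copied from each vendor's manual. Real audits use the real manuals.
FACTORY_DEFAULTS = {
    "cam-x1": ("admin", "admin"),
    "dvr-pro": ("root", "12345"),
    "printer-z": ("admin", ""),
}

# Constructed inventory of devices on the home network.
INVENTORY = [
    {"host": "frontdoor-cam", "model": "cam-x1", "user": "admin",
     "password": "admin", "exposed_to_internet": True},
    {"host": "garage-dvr", "model": "dvr-pro", "user": "root",
     "password": "Correct-Horse-9", "exposed_to_internet": False},
    {"host": "office-printer", "model": "printer-z", "user": "admin",
     "password": "", "exposed_to_internet": False},
    {"host": "kitchen-fridge", "model": "fridge-q", "user": "owner",
     "password": "pass", "exposed_to_internet": True},
]

MIN_PASSWORD_LENGTH = 12  # assumed local policy, not a standard


def credential_findings(device, defaults=FACTORY_DEFAULTS):
    """Return the list of problems found on one device (empty if it is clean)."""
    findings = []
    default = defaults.get(device["model"])
    if default and (device["user"], device["password"]) == default:
        findings.append("factory-default credentials")
    elif device["password"] == "":
        findings.append("empty password")
    elif len(device["password"]) < MIN_PASSWORD_LENGTH:
        findings.append(f"short password (<{MIN_PASSWORD_LENGTH} chars)")
    if device["exposed_to_internet"]:
        findings.append("reachable from the internet")
    return findings


def priority(findings):
    """Rank a device: default creds plus internet exposure is the Mirai recipe."""
    has_cred_issue = any(f != "reachable from the internet" for f in findings)
    exposed = "reachable from the internet" in findings
    if has_cred_issue and exposed:
        return "critical"
    if has_cred_issue or exposed:
        return "high"
    return "ok"


def audit(inventory, defaults=FACTORY_DEFAULTS):
    """Return {host: (priority, findings)} for every device with at least one finding."""
    report = {}
    for device in inventory:
        findings = credential_findings(device, defaults)
        if findings:
            report[device["host"]] = (priority(findings), findings)
    return report


if __name__ == "__main__":
    for host, (level, findings) in sorted(audit(INVENTORY).items()):
        print(f"{host:<15} {level:<9} {'; '.join(findings)}")
```

Two design choices worth noting: a password that equals the model’s documented default is reported as a default even when it is empty or long, because “still on factory settings” is the finding that matters; and exposure is tracked separately from credentials, since a device with weak credentials on an isolated network is a problem to fix, while one that is also reachable from the internet is the exact combination that got enlisted on Friday.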
People harp on the idea of “smart fridges” being a danger, not just because people take for granted that an appliance won’t be their security downfall, but because appliances are notoriously infrequently replaced. Even if that fridge’s security software is up to snuff when you get it (which is not as likely as you’d think), by the time you’re replacing it five, ten, fifteen years down the road it could’ve already wreaked havoc on your digital infrastructure. Checking in once in a blue moon isn’t an option with cybersecurity. It’s a lifelong commitment.
The Internet of Things is likely here to stay. Hopefully as it moves forward users and creators will be more aware that if you buy it, you may break the internet.