A Tale of Two Sites: An Internet of Terrible Things



Around 8:00 p.m. on September 20th hackers who were upset about being outed by Brian Krebs, a well-known security and IT journalist, attacked his website with what was then the largest Distributed Denial of Service (DDoS) attack in history. The attack against krebsonsecurity.com was perpetrated using a previously hypothesized piece of malware that takes control of Internet of Things (IoT) devices and uses them to create a powerful bot net (a network of infected systems that will do whatever the controlling party tells it to). This bot net is created using simple vulnerabilities that exist on a large portion of the world’s IoT devices.

Shortly after the attack on Brian Krebs’ website it was reported that a well-known hacker who goes by the handle “Anna-senpai” had released to the public the source code of the Mirai malware that had been used to perform these attacks. Immediately after the code was released, leaders in information security began to say that its release would lead to an escalation of these types of attacks. They were right; the bot net has doubled in size and, as the recent attack on the DYN DNS service shows, is very much still in use.

The release of the Mirai source has allowed virtually anyone with a basic knowledge of DDoS (which can be easily found online) to perform massive attacks at scales previously unseen. There are certainly still many bot nets out there that are not run by Mirai, but anyone who can get their hands on some Bitcoins can buy an attack using a plethora of available networks of malware-infected systems, zombies at the disposal of whoever is paying for the attack.

The Latest

Then on Friday, October 21st, an attack even larger than any seen before was launched by what is believed to be a group of “amateur” hackers. This large-scale attack was focused on a popular cloud-based DNS provider called DYN. DYN is known for providing a robust and dynamic DNS system and is used by a plethora of major internet companies.

When this DDoS attack was launched in the morning hours, DYN’s servers were hit with millions of packets per second coming from millions of different IP addresses, meaning there was no simple way to separate the legitimate traffic from the bad. Anyone, especially those on the East Coast of the United States, who tried to go to any site or service that used DYN for DNS was presented with an error message or, if they were lucky, loading times reminiscent of the ‘90s dial-up days. You can read an informative analysis of the attack published by DYN here.

The internet was developed long ago with the ideal of ensuring that communications were reliable. At no point during the design of the routing and communication protocols we still use today was security even considered as an option, at least not until it was much too late. This oversight has led to a serious issue in the communications and information that our society is almost entirely dependent on. The fact that a group of amateurs with some free code and free time were able to have such a detrimental impact on something that is so crucial to the function of modern society is disturbing to say the least.

How to Protect All the Things

I wish I could tell you that there is an easy and cheap answer, and if we as an industry could agree to make some fundamental changes I could tell you that. However, the Internet by nature is an intentionally decentralized system, meaning that broad, consistent and sweeping changes are not its strong suit.

Instead, there are two major options for organizations concerned with these recent attacks. The first, and least difficult to implement, is to hire a DDoS protection service. There are several well-known options in this arena, and all of them typically work by absorbing the excess and illegitimate traffic. These services are relatively costly, and the larger the attack the greater the cost of protection. The second option, which relies on local configuration to help mitigate these attacks, is called a “black hole”: perimeter devices are configured to identify malicious traffic and drop it.
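To make the “black hole” idea concrete, here is an added example (not code from the original post or from any vendor) of the identify-and-drop logic in miniature: it reads constructed flow records, computes each source’s sustained packet rate, flags sources above a threshold, and emits Linux `iptables` drop rules as one form a perimeter drop list can take. The flow lines, addresses and the 10,000 packets-per-second threshold are all constructed for illustration; that a Linux host sits at the perimeter and enforces the rules is an assumption (a router would use a null route or a BGP blackhole community instead).

```python
"""Added example (not from the original post): a toy perimeter 'black hole' filter.

Reads constructed flow records, computes packets/second per source, flags
sources above a threshold, and produces drop rules for a perimeter Linux host.
All data below is constructed; it is not traffic from the Dyn or Krebs attacks.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records: "<epoch-seconds> <src-ip> <dst-ip> <proto> <packets>"
# (documentation-range addresses; 203.0.113.10 plays the protected DNS server).
SAMPLE_FLOWS = """\
1477046400 198.51.100.7 203.0.113.10 udp 48000
1477046400 198.51.100.8 203.0.113.10 udp 51000
1477046400 192.0.2.25 203.0.113.10 udp 12
1477046401 198.51.100.7 203.0.113.10 udp 47000
1477046401 192.0.2.26 203.0.113.10 tcp 9
1477046401 198.51.100.8 203.0.113.10 udp 52000
"""

# Packets/second above which a single source is treated as attack traffic.
# Arbitrary for the example; a real threshold depends on the link and the service.
PPS_THRESHOLD = 10_000

FlowRecord = Tuple[int, str, str, str, int]


def parse_flows(text: str) -> List[FlowRecord]:
    """Parse whitespace-separated flow lines into (ts, src, dst, proto, pkts)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, pkts = line.split()
        records.append((int(ts), src, dst, proto, int(pkts)))
    return records


def packets_per_second(records: List[FlowRecord]) -> Dict[str, float]:
    """Average packets/second per source over the time span the records cover."""
    if not records:
        return {}
    totals: Dict[str, int] = defaultdict(int)
    for _, src, _, _, pkts in records:
        totals[src] += pkts
    span = max(r[0] for r in records) - min(r[0] for r in records) + 1
    return {src: total / span for src, total in totals.items()}


def find_offenders(records: List[FlowRecord], threshold: int = PPS_THRESHOLD) -> List[str]:
    """Sources whose sustained rate exceeds the threshold, sorted for stable output."""
    rates = packets_per_second(records)
    return sorted(src for src, pps in rates.items() if pps > threshold)


def blackhole_commands(sources: List[str]) -> List[str]:
    """Drop rules for each flagged source, as a perimeter Linux host would apply them.

    `iptables -I INPUT -s <addr> -j DROP` is a real netfilter command; running it
    on the perimeter is this example's assumption about deployment.
    """
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sources]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    offenders = find_offenders(flows)
    for cmd in blackhole_commands(offenders):
        print(cmd)
```

The two high-rate sources are flagged while the two ordinary clients are left alone. Note the limit the post itself points out: when the attack arrives from millions of distinct addresses at modest rates each, a per-source threshold like this one separates very little, and the identification step has to move to traffic patterns or to upstream absorption.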

Both of these methods are helpful, but with the scale of the attacks we have been seeing there will have to be other solutions developed. One thing that every person can do is to make sure they don’t have any insecure or old IoT devices connected to the web. A vast portion of the devices that participate in these attacks are IoT devices such as cameras, routers, toasters, or almost anything else that can have an IP address.

November 1st, 2016

About the Author:

John Nye
John Nye is Senior Director of Cybersecurity Research and Communication for CynergisTek and has spent the majority of the last decade working in Information Security, half that time working exclusively as a professional penetration tester. Besides testing and improving security, John has a passion for educating and informing the public. He accomplishes this by presenting hacking demos regularly at industry conferences and groups as well as writing blog posts for CynergisTek and industry publications. Nye’s specialties include wireless, web, and system penetration testing, user education and public speaking, information assurance, security auditing, policy compliance and writing, and security research and analysis. Some of his industry certifications include CISSP, Licensed Penetration Tester (LPT) and Certified Ethical Hacker (CEH).