Another week, another Denial of Service
A company called Dyn provides Domain Name System (DNS) services to thousands of websites, including many famous brands such as Netflix, Twitter, Spotify, Reddit, CNN, PayPal and Pinterest. Like many people, I didn’t know this until a few days ago.
31 October 2016
Dyn, Inc. have been in the press over the past week because they suffered a Distributed Denial of Service (DDoS) attack which rendered many of their customers’ websites unreachable. The websites themselves were not attacked directly. Put simply, Dyn runs the authoritative name servers that translate a hostname into the IP address a browser must connect to; while those servers were unable to answer, users' browsers could not find the sites even though the web servers behind them were running normally, and that interference continued throughout the day.
Initial reports indicate that Dyn's servers received unsolicited traffic from tens of millions of IP addresses, many of them believed to belong to the Internet of Things: consumer devices such as IP cameras, video recorders and home routers, and increasingly the smart-home fridges and central heating controllers too. Because many of these devices are connected to the internet and were designed with little regard to security, they are rich pickings for groups looking to control them remotely. In this case, millions of them are reported to have been used to send traffic to Dyn’s servers and exhaust their resources.
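The dependency described above, as an added example that is not part of the original post: a toy model of a caching recursive resolver in front of an authoritative name server that stops answering for ten minutes. It shows that a website whose web servers are perfectly healthy becomes unreachable once the resolver's cached record expires, that a longer TTL delays that moment, and that every failed lookup after expiry becomes a fresh query to the already-overloaded provider. The hostname, address, TTLs and outage window are constructed for the example; real resolvers also retry timed-out queries and some serve stale answers, which this model leaves out to keep the mechanism visible.

```python
"""Added example (not from the original post): a toy model of the DNS dependency.

A recursive resolver (the one your ISP or browser uses) caches answers for
the record's TTL and otherwise asks the zone's authoritative server, which
here stands in for a provider such as Dyn.  The simulation reports what a
client sees when the authoritative server stops answering, and how the
resolver's own repeated cache-miss queries add to the load on that server.
All names, addresses and timings are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class AuthoritativeServer:
    """The provider's name server for a zone. Stops answering during `outage`."""
    records: Dict[str, Tuple[str, int]]          # name -> (ip, ttl_seconds)
    outage: Optional[Tuple[int, int]] = None     # (start, end) in seconds
    queries_received: int = 0

    def query(self, name: str, now: int) -> Optional[Tuple[str, int]]:
        self.queries_received += 1
        if self.outage and self.outage[0] <= now < self.outage[1]:
            return None                          # overwhelmed: request times out
        return self.records.get(name)


@dataclass
class RecursiveResolver:
    """A caching resolver; no negative caching or serve-stale, to keep it simple."""
    upstream: AuthoritativeServer
    cache: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # name -> (ip, expires_at)

    def resolve(self, name: str, now: int) -> Optional[str]:
        hit = self.cache.get(name)
        if hit is not None and now < hit[1]:
            return hit[0]                        # served from cache, upstream untouched
        answer = self.upstream.query(name, now)
        if answer is None:
            return None                          # lookup fails; nothing new to cache
        ip, ttl = answer
        self.cache[name] = (ip, now + ttl)
        return ip


def simulate(ttl: int, outage: Tuple[int, int] = (100, 700), duration: int = 800,
             lookups_per_second: int = 1) -> Dict[str, Optional[int]]:
    """Run clients against one resolver for `duration` seconds and report
    how many lookups failed, when the first one failed, and how many
    queries the authoritative server had to absorb."""
    auth = AuthoritativeServer({"www.example.com": ("192.0.2.10", ttl)}, outage)
    resolver = RecursiveResolver(auth)
    failed, first_failure = 0, None
    for now in range(duration):
        for _ in range(lookups_per_second):
            if resolver.resolve("www.example.com", now) is None:
                failed += 1
                if first_failure is None:
                    first_failure = now
    return {"ttl": ttl, "failed_lookups": failed, "first_failure_at": first_failure,
            "upstream_queries": auth.queries_received}


if __name__ == "__main__":
    # Same 600-second outage of the authoritative server, three different TTLs.
    for ttl in (60, 300, 3600):
        print(simulate(ttl))
    # Ten times the client load: failures, and upstream queries, scale with it.
    print(simulate(60, lookups_per_second=10))
```

With a 60-second TTL the site disappears 20 seconds into the outage and the resolver sends one upstream query per failed client lookup for the rest of it; with a one-hour TTL the outage is invisible to clients and the provider receives a single query. That is why a provider's outage is felt unevenly across its customers, and why the resolvers of the whole internet, not only the bots, end up contributing to the traffic the provider has to absorb.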
At this stage we don’t know why someone chose to attack them: financial gain, activism, cyber-vandalism? In my experience the businesses that lost their ability to trade that day won't waste much time debating why, and will be focusing on their options to stop it happening again. Prior to this incident the largest attack on record was attributed to just over 150,000 devices: Octave Klaba, the founder and CTO of OVH, revealed that his company had been hit by two simultaneous DDoS attacks whose combined bandwidth reached almost 1 Tbps. Alarmingly, that was less than a month earlier, so on the headline figures the botnets available to criminals appear to have grown from 150,000 devices to tens of millions in the space of a month. One caveat: a count of source IP addresses is not a count of compromised devices. When an authoritative name server stops answering, every recursive resolver on the internet that holds an expired record keeps asking again on behalf of its users, so a large share of the addresses seen may be legitimate resolvers rather than bots, and the real botnet may be much smaller than the headline number.
Smart devices aren’t actually that smart. Many leave the factory with a default password that the end user never gets around to changing, and how many home users will ensure their devices are regularly patched against the steady flow of newly discovered security vulnerabilities? Much debate has been generated around these attacks and what the victims or their providers should or should not have done. My take is that it actually doesn’t matter how sophisticated (relatively speaking) or how basic this attack was; the attackers had access to millions of devices that cumulatively had enough bandwidth to render many defence methods ineffective. What I mean is that if someone can send more traffic to me than my internet connection can accept, my service is denied, or at the very least massively degraded, before any DDoS protection hosted on my side of that connection comes into play: a filter that sits behind a saturated link can only drop packets that have already consumed the bandwidth.
With attacks of this size becoming more regular, DDoS defences need to be upstream, in the carrier's or a scrubbing provider's network, so that attack traffic is removed before it consumes the bandwidth of the intended target. They also need to cope with the thousands of other daily attacks that don’t make the headlines and use other vectors, such as the application layer, where the problem is not raw bandwidth but requests that are cheap to send and expensive to serve.
For more information, or if you would like to discuss anything further, please get in touch at firstname.lastname@example.org.
Security Product Manager