A major distributed denial of service (DDoS) attack that took place on 21 October 2016 and targeted Dyn, a US-based domain name system (DNS) services provider, has drawn attention to the vulnerability of the world’s internet infrastructure to attack, along with the vulnerability of millions of internet of things (IoT) devices.
To date, the 21 October event was the largest DDoS attack to use the Mirai IoT malware code, which was released on an underground forum at the beginning of the month and takes advantage of the generally lax security of IoT devices to compromise those that still use factory default or static usernames and passwords.
So far, Mirai is thought to have been used in a DDoS attack on the website of security expert Brian Krebs, and in one on French hosting firm OVH, which peaked at over 1Tbps and may have involved more than 150,000 IoT devices.
The attack on Dyn caused problems for a number of web services and media outlets, including, but not limited to, Airbnb, Amazon Web Services, Boston.com, Box, FreshBooks, GitHub, GoodData, Heroku, Netflix, The New York Times, PayPal, Reddit, Shopify, Spotify, Twitter, Vox and Zendesk.
An attack on the DNS directory system that resolves domain names into numerical IP addresses is a source of concern given it is a fundamental part of the internet’s inner workings. It highlighted just how vulnerable the internet really is, said Thomas Fischer, threat researcher and global security advocate at Digital Guardian.
“It places more onus on the internet infrastructure providers to ensure their security is top of the field, and that they plan for large-scale disaster recovery scenarios,” said Fischer.
Chase Cunningham, networks director of cyber operations at A10 Networks, said: “It was an interesting point to see the bad guys are moving upstream for DDoS attacks on the DNS providers, instead of just against sites or applications.”
DNS security overlooked
Mohit Lad, CEO and co-founder at network intelligence company ThousandEyes, said DNS was too often an overlooked aspect of the internet experience, because if it is unavailable, people simply cannot access the sites or services they need.
It also indicated a troubling trend among service owners to abrogate responsibility for security to third-party providers such as Dyn.
“Any company running its own website may well have its own technology in place to mitigate DDoS attacks, but it’s all for nought if the DNS provider itself is not applying a sufficient enough level of protection to its own servers and datacentres,” said Comparitech.com security researcher Lee Munson.
“Most companies use third-party DNS providers to benefit from the performance and availability of the global infrastructure they usually can’t afford to build themselves. The trade-off is when there is an issue with the DNS provider,” said Lad.
“This highlights the need for companies to work with multiple DNS providers as a best practice to alleviate potential single point of failure issues such as this,” he added.
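One way to audit the multi-provider advice above is to check whether a zone's delegated nameservers are all operated by one organisation. This is an added example, not code from the article or from any company quoted in it; the delegation lists are constructed, and provider identity is approximated by the registrable domain of each nameserver name (its last two labels), which is a simplification that ignores multi-label public suffixes such as co.uk.

```python
"""Flag zones whose nameservers all sit with a single DNS provider.

Added example for the single-point-of-failure advice in the article.
Provider identity is approximated by the last two labels of each
nameserver hostname; this does not consult the Public Suffix List.
"""
from collections import defaultdict


def provider_of(ns_host: str) -> str:
    """Approximate the operator of a nameserver by its registrable domain."""
    labels = ns_host.rstrip(".").lower().split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified hostname: {ns_host!r}")
    return ".".join(labels[-2:])


def group_by_provider(nameservers):
    """Map provider -> list of nameservers delegated to that provider."""
    groups = defaultdict(list)
    for ns in nameservers:
        groups[provider_of(ns)].append(ns)
    return dict(groups)


def has_single_point_of_failure(nameservers, min_providers=2):
    """True when fewer than min_providers distinct operators serve the zone."""
    return len(group_by_provider(nameservers)) < min_providers


# Constructed delegations (placeholder provider names, not real operators).
SAMPLE_DELEGATIONS = {
    "single-provider.example": [
        "ns1.p01.provider-a.example.", "ns2.p01.provider-a.example.",
        "ns3.p02.provider-a.example.", "ns4.p02.provider-a.example.",
    ],
    "dual-provider.example": [
        "ns1.p01.provider-a.example.", "ns2.p01.provider-a.example.",
        "ns-10.zone-b.provider-b.example.", "ns-11.zone-b.provider-b.example.",
    ],
}


def audit(delegations=SAMPLE_DELEGATIONS):
    """Return {zone: (provider_count, single_point_of_failure)} for each zone."""
    return {
        zone: (len(group_by_provider(ns)), has_single_point_of_failure(ns))
        for zone, ns in delegations.items()
    }


if __name__ == "__main__":
    for zone, (count, spof) in audit().items():
        print(f"{zone}: {count} provider(s){' - SINGLE POINT OF FAILURE' if spof else ''}")
```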
Richard Meeus, European vice-president of technology at network security provider Nsfocus, echoed this sentiment.
“This attack highlights how critical DNS is to maintaining a stable and secure internet presence, and that the DDoS mitigation processes businesses have in place are just as relevant to their DNS service as they are to the web servers and datacentres,” he said.
David Gibson, Varonis vice-president of strategy and market development, said DNS had, unfortunately, never been built with security in mind, and that this meant more radical action may be needed to address its flaws.
“DNS is one of the ageing technologies the industry is struggling to update, along with one-factor authentication and unencrypted web connections. The list is very long, and the stakes have never been higher,” he said.
IoT blamed again
The attractiveness of the internet of things – which already comprises many millions of devices and will soon comprise billions – to cyber criminals, has been a source of concern among the security community ever since the IoT began to be further rolled out over the past 12 to 18 months.
Many, including experts such as previous Mirai victim Brian Krebs and Bruce Schneier, had suggested large-scale security events involving the IoT were inevitable. The scale of the Dyn DDoS attack will inevitably put this issue front and centre.
“Threat actors are leveraging unsecure IoT devices to launch some of history’s largest DDoS attacks,” said A10’s Cunningham. “The immediate solution is for manufacturers to eliminate the use of default or easy passwords to access and manage smart or connected devices.
“Consumer adoption will be tricky, but this change is critical for the greater security of all. This will hinder many of the global botnets created and deployed for malicious use.”
Simon Moffatt, senior product manager at ForgeRock, a provider of access management software, said he hoped the speed and scale of the Dyn attack would refocus attention on the identity and security aspects of massive IoT device deployments.
“The devices themselves need a baseline set of security principles – no hard-coded usernames or passwords, transport layer security where possible, the ability to update firmware and, as with any computer deployment, disabling all non-necessary services and ports,” said Moffatt.
“With respect to manually accessing the device, default passwords should be changeable upon initial use, with all root or high-level administration accounts disabled.”
Chris Sullivan, general manager of intelligence and analytics at Core Security, said companies needed to move immediately to get to grips with large IoT botnets, especially as many of the same devices had access to sensitive enterprise and government networks, and not just consumer services.
“They can be used to launch attacks on those networks from the inside where all of the next-generation firewalls, intrusion prevention and user-based analytics tools won’t even see them,” said Sullivan.
“What is required now is the deployment of systems that don’t try to control the IoT devices, but rather watch and learn how they behave so we can identify malicious activity and isolate them when necessary.”
More to come
Since immediate action to secure the IoT is virtually impossible to mandate on a worldwide basis, it looks likely that larger and more damaging DDoS attacks involving Mirai, or other forms of IoT botnets, will be inevitable.
“The really frightening part of this is not that we will be struggling with these new attacks for some time, but that the underlying weakness which makes them successful can and will be used to unleash more serious attacks that steal credit cards and weapons designs, manipulate processes like the Swift global funds transfers, and even destroy physical things,” said Sullivan at Core Security.
Wieland Alge, vice-president and general manager of Europe, the Middle East and Africa at Barracuda Networks, added: “When it comes to the exploitation of IoT devices, the attack on Dyn is the thin end of a very long wedge.
“Among security experts, it’s widely believed that IoT botnet harvesting has been happening for some time. As cyber criminals look for new and sophisticated ways to monetise their crime, it is inevitable there will be more attacks like this to come.”