On Friday morning (21st October 2016) you may have had trouble accessing your usual websites such as Twitter, Spotify or Reddit. In fact, large swathes of the internet were disrupted thanks to a large distributed denial of service (DDoS) attack against Dyn, one of the world's largest DNS hosting providers. This was no ordinary attack. It was unprecedented not only in its size but also in how it was carried out. In this post I'm going to tell you what DDoS is and how this one succeeded in taking down some of the world's most popular websites in a flash. Ready? Then sit comfortably, grab a cup of coffee and I'll begin.
What is DDoS?
DDoS stands for distributed denial of service, and it can be summed up in one word: DENIAL. Attackers want to deny users access to the websites and online services they love. So it is an attempt to make an online service unavailable, and they do that by overwhelming it with internet traffic from many different sources at once (that's the "distributed" part, and it's what makes the attack hard to block: there is no single source you can simply cut off). Websites such as Twitter, Reddit and Bonkers About Tech live on computers called servers, and their job is to dish up pages when you request them via your favourite web browser. Servers can serve thousands or even millions of people at the same time, but there is a limit to how many requests they can process, and the same goes for the network links in front of them. Attackers take advantage of this by infecting huge numbers of computers with malware (often a Trojan, i.e. a program disguised as something harmless) that instructs the machine to take part in an attack, essentially turning it into a zombie without its owner's knowledge.
These zombie computers and devices can overwhelm a server by opening more connections to it than it can handle, or by bombarding it with useless data that keeps the server (or its internet connection) busy. Ordinary users visiting the website will find that it takes a long time to load or refuses to load at all. There are many reasons attackers carry out such attacks: they may want to knock their competitors offline in online gaming, or they may want to protest against a particular company or organisation. They may even use it as a smokescreen, keeping the defenders busy with the flood while they carry out a different attack against the same target.
How does it work?
So the first thing the attackers do is recruit an ARMY of bots or zombie devices, which together form a botnet. To turn a random computer into a bot, you need to install some malicious software on it, known as malware. The attackers spread this malware to as many vulnerable computers as possible through compromised websites, email attachments or an organisation's network. Any user tricked into running the malware will have their computer zombified and turned into a bot without realising it. Once the computer becomes a bot, it begins to communicate with and accept orders from the attacker's central server, which acts as the command and control (C2) for the botnet. The botnet itself usually consists of thousands of bots, all awaiting instructions from command and control. When the attacker wishes to launch an attack, the command and control server issues instructions to every bot in the botnet. For a web flood these instructions contain the URL of the target website and the HTTP method to use, i.e. whether it's a GET, POST, PUT or DELETE request. Each bot then repeatedly requests the target URL, all at the same time, in a coordinated, well-timed, distributed attack. An HTTP flood is only one option, though: the bots can just as easily be told to hammer a DNS server with lookups or to blast the target with junk packets, and it is the sheer volume arriving from many sources at once that does the damage.
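To make the "many sources, few requests each" shape of a botnet flood concrete, here is a small detector you can run over a web server's access log. This is an added example, not code from the original post or from any botnet: the log lines are constructed here in Apache/nginx combined format using RFC 5737 documentation addresses, and the window size and thresholds are illustrative assumptions you would tune against your own traffic.

```python
"""Spot a coordinated HTTP flood in a web-server access log.

Added example, not from the original post. The log lines are constructed
(combined log format, RFC 5737 documentation addresses); the window size and
thresholds are illustrative assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields we need from one log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def find_floods(lines, window_s=10, min_requests=20, min_sources=5):
    """Bucket requests by (time window, path) and flag buckets that are both
    busy and spread across many source addresses.

    The distinct-source count is the important part: each bot sends only a
    few requests, so a per-IP rate limit sees nothing unusual, while the
    aggregate for that path in that window is far above baseline.
    """
    buckets = defaultdict(Counter)   # (window_start, path) -> Counter of ip -> requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # skip malformed lines rather than crash
        window = int(rec["ts"].timestamp()) // window_s * window_s
        buckets[(window, rec["path"])][rec["ip"]] += 1

    floods = []
    for (window, path), per_ip in sorted(buckets.items()):
        total = sum(per_ip.values())
        if total >= min_requests and len(per_ip) >= min_sources:
            floods.append({
                "window": datetime.fromtimestamp(window, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
                "path": path,
                "requests": total,
                "distinct_sources": len(per_ip),
                "max_per_ip": max(per_ip.values()),
            })
    return floods


def constructed_log():
    """Constructed sample: a few legitimate visits, then 12 bots hitting /login
    twice each inside one 10-second window, plus one garbage line."""
    fmt = '{ip} - - [21/Oct/2016:{t} +0000] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip=ip, t=t, path=path) for ip, t, path in [
        ("203.0.113.10", "09:00:01", "/"),
        ("203.0.113.11", "09:00:03", "/about"),
        ("203.0.113.10", "09:00:04", "/static/app.js"),
        ("198.51.100.7", "09:00:08", "/login"),
    ]]
    for i in range(12):
        for second in (2, 3):
            lines.append(fmt.format(ip=f"192.0.2.{i + 1}", t=f"09:05:0{second}", path="/login"))
    lines.append("this line is garbage and should be skipped")
    return lines


if __name__ == "__main__":
    for flood in find_floods(constructed_log()):
        print(flood)
```

On the constructed log this reports a single flood at 09:05:00 against /login: 24 requests from 12 distinct addresses, with no single address sending more than 2. That last number is the lesson: a rule such as "block any IP making more than 50 requests a minute" never fires, so defences against a botnet have to look at the aggregate (and usually have to be applied upstream of the server, because by the time the requests are in your log the bandwidth has already been spent).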
How did the DDoS attack take out many websites at once?
On Friday, the attack itself was directed at a DNS host rather than at the websites you couldn't reach. A DNS server is basically the internet's phone book: it translates human-readable names (such as www.bonkersabouttech.com) into the numeric IP addresses computers actually connect to (such as 192.0.2.4), ensuring you end up on the correct website while browsing. Your computer doesn't ask Dyn directly; it asks a resolver (usually run by your ISP), which looks the name up on your behalf and caches the answer for a period set in the site's DNS records (the TTL). That is why an outage like this spreads gradually rather than all at once: cached answers keep working until they expire, and only then does the resolver have to ask Dyn again and get no reply. If you take down the DNS provider that holds Twitter's records, then once those cached answers run out nobody can find Twitter's servers, so you're not going to be able to log on, even though Twitter's own servers are up and running.
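To show what a resolver actually sends to a DNS host like Dyn, and where the TTL that governs caching lives, here is the wire format (RFC 1035) built and parsed by hand. This is an added example, not code from the original post or from Dyn: the query is real in the sense that any DNS server would accept it, but the response bytes are constructed here to match it, and the address 192.0.2.44 and the 300-second TTL in them are made up.

```python
"""Build a DNS A query and parse an answer, RFC 1035 wire format.

Added example, not from the original post. The response is constructed to
match the query; the IP 192.0.2.44 and TTL 300 are assumptions.
"""
import struct


def encode_name(name):
    """'www.example.com' -> b'\x03www\x07example\x03com\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=1):
    """Header (ID, flags with RD=1, QDCOUNT=1) followed by one question for qtype (1 = A), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, off):
    """Read a name at offset `off`, following compression pointers (0xC0xx).
    Returns (name, offset just after the name as it appears at `off`)."""
    labels = []
    end = None            # set when we first follow a pointer
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return the transaction ID, response code and the answer records with their TTLs."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # A record: four bytes of IPv4 address
            rdata = ".".join(str(b) for b in rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": rdata})
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def constructed_response(query, ip="192.0.2.44", ttl=300):
    """Constructed answer to `query`: same ID and question, flags QR=1 RD=1 RA=1,
    one A record whose name is a pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("www.bonkersabouttech.com")
    print(q.hex())
    print(parse_response(constructed_response(q)))
```

The `ttl` field in each answer is the number of seconds a resolver may keep reusing that record before it must ask the authoritative server again. With a 300-second TTL, a resolver that had the answer cached would keep directing users to the site for up to five minutes after the authoritative servers stopped responding, and only then would users behind it start seeing failures; a longer TTL buys more time, at the cost of slower propagation when the site legitimately changes address.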
What made the attack so unprecedented was that the botnet was made up of "internet of things" (IoT) devices such as smart TVs, DVRs and IP cameras. Dyn have since confirmed that the infected IoT devices in the botnet were running the "Mirai" malware, whose source code was published online a few weeks before the attack. Public source code in this case is a bad thing: it allows anyone to build their own army of bots out of IoT devices, and to modify the code as they see fit.
Because of the sheer number of unsecured IoT devices out there, this gave the attackers an incredible amount of DDoS firepower, enough to take down major pieces of internet infrastructure.
So what can I do about it?
The problem with IoT devices is that they're not very well protected, unlike PCs and smartphones. It's difficult to install antivirus software and firewalls on these devices because of their limited computing power and storage, and they often run stripped-down versions of well-known operating systems such as Linux, frequently with remote-management services left switched on. IoT devices also tend to get forgotten about once they're set up, and it's difficult to get at them because of their limited user interfaces. Manufacturers are also to blame, due to time-to-market deadlines and/or the cost of the hardware, according to SC Magazine. So what can we do about it? Well, basic security principles still apply, starting with being aware that your devices can be used in these massive attacks. Mirai in particular got onto devices simply by logging in over telnet with factory-default usernames and passwords, so changing default passwords, updating regularly and turning off features and remote access you don't use will go a long way towards fending off these basic brute-force style attacks. Above all, though, the manufacturers need to plug the holes in the software installed on these devices to stop the more sophisticated attacks: if the attackers find just one hole, the device is potentially owned. It's therefore a collaborative effort between consumers, manufacturers and IT professionals that's needed to stop the threat.
So to sum up, IoT devices are now being used to create massive DDoS attacks. My fear is that this is only going to get worse, and this is probably just a taster of what is to come. IoT devices are proving very popular with hackers because of their low levels of protection and the money to be made from renting out botnets or threatening firms with monstrous attacks. So do your bit: change your default passwords, disable stuff on the device that you don't need, and keep your devices up to date. Another thing you can do is check out Shodan, a search engine that indexes devices reachable from the internet; search for your own public IP address and it will show you which of your devices can be reached from outside and which services they expose, which may be an unpleasant surprise :(
Did you have any issues accessing your favourite websites on Friday? Let me know in the comments below.