Dyn DDoS attack – why we are not tired of finding out more

November 2, 2016

Playing out the fears everyone has about IoT security, on Friday, 21 October 2016, the Dyn company was hit by a wave of DDoS attacks. Dyn handles “visibility and control into cloud and public Internet resources”. Because of its role in Internet infrastructure and the importance of its day-to-day operations, each time Dyn’s services went down (and they did so repeatedly), outages followed at many websites. Among the sites affected by the DDoS attack were PayPal, Twitter, Reddit, GitHub and Amazon. The affected websites were in both the U.S. and Europe.

The October DDoS attack, explained

DDoS stands for Distributed Denial of Service, the distributed relative of a plain DoS (Denial-of-Service) cyber attack. The principle is the same; the origins differ. Distributed DoS attacks come from many geographically and topologically distinct points in a network. The attackers try to interrupt or suspend the services provided by their target.

In the Dyn case, the attack flooded the company’s servers with requests. No capacity was left for legitimate users, and service stopped completely. The degree of distribution was rated “high”, and the attack itself “sophisticated”.

So what was the role of connected webcams in all this? Malware such as Mirai (the family involved in the October attack) takes over vulnerable devices and enrolls them in a botnet. From then on, the infected devices serve as launch points for large-scale attacks.
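As an added illustration of the DoS/DDoS distinction drawn above (example code written for this article, not Dyn’s or any vendor’s tooling): a small Python detector that buckets constructed DNS-query log lines into time windows and labels a flood “dos” when it comes from a handful of sources and “ddos” when it is spread across many, which is the traffic shape a botnet such as Mirai produces. The log format, the thresholds and the sample traffic are assumptions.

```python
from collections import Counter, defaultdict
import re

# Constructed log format (not Dyn's): "<epoch_seconds> <src_ip> <qname>"
LINE_RE = re.compile(r"^(\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")

def parse_lines(lines):
    """Yield (timestamp, source_ip, qname) for well-formed lines; skip junk."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def classify_windows(lines, window=10, qps_threshold=50, min_sources=20):
    """Bucket queries into fixed windows and label each window:
    'normal' below the rate threshold, 'dos' when a flood comes from few
    sources, 'ddos' when it is spread over at least min_sources sources."""
    buckets = defaultdict(Counter)          # window_start -> Counter(src_ip)
    for ts, src, _qname in parse_lines(lines):
        buckets[ts - ts % window][src] += 1
    verdicts = {}
    for start, srcs in sorted(buckets.items()):
        qps = sum(srcs.values()) / window   # queries per second in window
        if qps < qps_threshold:
            verdicts[start] = "normal"
        elif len(srcs) >= min_sources:      # same volume, many origins
            verdicts[start] = "ddos"
        else:                               # same volume, one or few origins
            verdicts[start] = "dos"
    return verdicts

def build_sample_log():
    """Constructed sample: baseline traffic, a single-source flood, then a
    flood of the same size spread across 60 sources (the botnet pattern)."""
    lines = []
    for i in range(30):                     # window 0: 3 qps, 3 sources
        lines.append(f"{i % 10} 10.0.0.{i % 3 + 1} example.com")
    for i in range(600):                    # window 10: 60 qps, 1 source
        lines.append(f"{10 + i % 10} 10.0.0.9 example.com")
    for i in range(600):                    # window 20: 60 qps, 60 sources
        lines.append(f"{20 + i % 10} 198.51.100.{i % 60 + 1} example.com")
    lines.append("garbage line that should be skipped")
    return lines

if __name__ == "__main__":
    for start, verdict in classify_windows(build_sample_log()).items():
        print(f"window starting t={start:>3}s: {verdict}")
```

Source diversity is only one signal; a real resolver would also look at query names, record types and per-source rate before acting on a verdict.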

Dyn DDoS attack – the company’s statement

On 22 October 2016 the company issued an explanatory statement. Its officials characterized the attack as “a sophisticated, highly distributed attack involving 10s of millions of IP addresses“. Dyn also provided an attack timeline. The incident started at approximately 7:00 am ET on Friday, October 21. By the time Dyn had restored service and mitigated the first wave of DDoS attacks, a second wave hit just before noon ET.

FlashPoint and Akamai supported the analysis. Subsequently, a network of devices infected with Mirai was identified as responsible for the massive event.

In an ironic twist, the same Dyn blog that published the above-mentioned statement had previously discussed the impact of IoT-based attacks on managed DNS operators. However, given the rising number of attacks of this type, it is only logical that every company in the line of fire would concern itself with protection methods.

Dyn DDoS attack – preliminary conclusions

FlashPoint looked into the attack, and so did Akamai. DHS (the Department of Homeland Security) also announced similar operations.

The public and the media still have their eyes on the conclusions. We are all eager to find out who the culprits were. So far, FlashPoint thinks it is dealing with “the work of amateur hackers”. The words “script kiddies” are circulating online. Apparently, a script kiddie targeted the PlayStation Network and employed Mirai to assemble an IoT botnet.

(Script kiddies are inexperienced hackers whose exploits are more accidental than sophisticated. Nevertheless, the final conclusion is still to come.)

Even if it turns out the October cyber-attack was in fact the work of an accidental, less experienced hacking group, the public’s fears will hardly be appeased. If such an effect can be achieved with little sophistication and without a bigger agenda, what are the IoT-related risks coming from more focused malicious actors?

Other suppositions have appeared. These hypotheses, which try to move the cyber-attack into the cyber-warfare arena, are for the moment on hold, pending the ongoing investigation.

Dyn DDoS attacks – analysis summary

Another statement from Dyn came on October 26. The “Analysis Summary Of Friday October 21 Attack” reiterates part of the initial findings. The company confirmed the Mirai botnet was the primary source of the attack traffic. It explained its internal mitigation efforts. Dyn also underlined its collaboration in the ongoing criminal investigation.

Trying to capture the bigger picture revealed by the attacks, Dyn pointed out how the vulnerabilities in IoT cyber-security manifested themselves through this shocking incident. For the detailed version, the blog post is accessible here.

DDoS Dyn attacks – side effects

The responsible parties have not been identified yet. Although online sources have explored several false leads, coming close to creating political conflict by attributing the attacks to nation-state sponsored entities, the cause is still unknown.

Meanwhile, the Chinese manufacturer that produced the IP-enabled cameras linked to the attacks announced it would recall millions of cameras. Although its statement, released immediately after the attacks, puts the blame on users mismanaging their passwords and software updates for the IoT devices, Hangzhou Xiongmai took action. It will recall “mainly one million cards used in network cameras, one million cloud network cameras, one million panoramic network cameras and 1.3 million network cameras”, all of them devices sold before April 2015. In addition, the company announced its intention to take legal action over the discrediting effect of the incident.

A new wave of concern about IoT vulnerabilities has fueled countless online articles in the wake of the Dyn DDoS attacks. The big question is “who did it”, and we are all looking forward to the answer.