I woke up on Friday morning to the news of “someone broke the internet.” Thinking “what did Kim Kardashian’s butt do this time?” I ran to Twitter to see what was what. After hitting refresh a few times, I realized that the internet was actually broken. Well, at least part of it. Popular websites like Twitter, Reddit, GitHub, PayPal and many others were inaccessible, leaving users — mainly on the east coast — unable to access large portions of the internet.
So what caused the outage?
The root of the outage was a massive Distributed Denial of Service (DDoS) attack on Dyn’s Managed DNS infrastructure. The Domain Name System (DNS) acts as the phonebook of the internet: it converts human-readable names, like workflowotg.com, into machine-readable IP addresses and provides additional information related to the domain name. In a statement released the day after the attack, Dyn noted that “while it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different.” In total, two of the three attacks on the network succeeded in causing outages, although the company notes that at no point was there a network-wide outage.
While the perpetrator of the attack remains unknown, the methods may not. According to Dyn, the attack “was a sophisticated, highly distributed attack involving tens of millions of IP addresses.” The company said it was likely that most of the traffic came from devices infected by the Mirai malware, which scans IP addresses for Internet of Things (IoT) devices and singles out those still using factory-default usernames and passwords. Once it finds one, the malware logs into the device and installs itself. Although the malware is wiped when the device is rebooted, attackers can easily log in and infect it again as long as the default credentials are never changed.
What did we learn?
Since the attack, many security experts have placed most of the blame on digital video recorders (DVRs) and IP cameras manufactured by XiongMai Technologies, which are usually sold as OEM components for use in other vendors’ products. In other words, the company has built an army of mercenary devices waiting to be recruited into the Mirai botnet. Making matters more frightening, the malware’s source code was recently released publicly, enabling hackers across the globe to use it.
The attack also has some people worried about the safety of the IoT. Simple steps, such as changing a device’s default credentials during setup, can help prevent these attacks. But according to Brian Krebs, a security journalist and investigative reporter, completely unplugging these devices from the internet might be the only fix. “That’s because while many of these devices allow users to change the default username and passwords on a web-based administration panel that ships with products, those machines can still be reached via more obscure, less user-friendly communications devices called ‘Telnet’ and ‘SSH,’” wrote Krebs.
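As an added defender-side illustration (not code from the original post), the two behaviours described above, a remote shell login on Telnet/SSH right after a reboot and a distributed burst of failed logins, can be flagged from a device’s own logs. The log format, hostnames and addresses below are constructed for the example, not taken from any real device.

```python
import re
from datetime import datetime, timedelta
# Constructed sample lines (not from any real device) in an assumed syslog-like format.
SAMPLE_LOG = """\
2016-10-21 11:00:00 dvr01 kernel: boot complete
2016-10-21 11:00:12 dvr01 telnetd: login accepted user=root from=198.51.100.7
2016-10-21 11:02:30 dvr01 telnetd: login failed user=admin from=203.0.113.9
2016-10-21 11:02:31 dvr01 telnetd: login failed user=root from=203.0.113.10
2016-10-21 11:02:33 dvr01 sshd: login failed user=admin from=203.0.113.11
2016-10-21 11:02:35 dvr01 telnetd: login failed user=root from=203.0.113.12
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"login (?P<result>accepted|failed) user=(?P<user>\S+) from=(?P<src>\S+)")
REMOTE_SHELLS = {"telnetd", "sshd"}  # the services Krebs notes remain reachable

def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "proc": m["proc"], "msg": m["msg"]}
        lm = LOGIN_RE.search(m["msg"])
        if lm:
            ev.update(lm.groupdict())  # adds result, user, src
        events.append(ev)
    return events

def logins_right_after_boot(events, window=timedelta(minutes=5)):
    """Accepted Telnet/SSH logins within `window` of a boot: a reboot wipes Mirai, so this flags re-infection."""
    boots = [e["ts"] for e in events if e["proc"] == "kernel" and "boot" in e["msg"]]
    return [(e["user"], e["src"]) for e in events
            if e["proc"] in REMOTE_SHELLS and e.get("result") == "accepted"
            and any(timedelta(0) <= e["ts"] - b <= window for b in boots)]

def distributed_failed_logins(events, window=timedelta(minutes=1), min_sources=3):
    """Bursts of failed Telnet/SSH logins from >= `min_sources` distinct addresses inside `window`."""
    fails = sorted((e["ts"], e["src"]) for e in events
                   if e["proc"] in REMOTE_SHELLS and e.get("result") == "failed")
    bursts, i = [], 0
    while i < len(fails):
        t0 = fails[i][0]
        group = [(t, s) for t, s in fails[i:] if t - t0 <= window]
        srcs = {s for _, s in group}
        if len(srcs) >= min_sources:
            bursts.append((t0, srcs))  # one entry per burst
            i += len(group)  # skip past this burst
        else:
            i += 1
    return bursts
```

On a real device the same logic would run over the daemon logs shipped to a collector; the thresholds are starting points to tune against normal administrative traffic.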
The attack also hits close to home for enterprises reliant on SaaS. According to InfoWorld’s Fahmida Y. Rashid, “beyond the big-name outages, organizations could not access important corporate applications or perform critical business operations.” For organizations with critical systems hosted in the cloud, operations could grind to a halt. The attack illuminates a glaring flaw in cloud-based solutions: even with flawless cybersecurity of your own, you remain exposed to the consequences of an attack on someone else.
“It’s very likely attackers are going to use this tactic again in another assault one day,” wrote Rashid. The possibility of another attack can be enough to sway opinion on the cloud. And with the source code floating around the internet, it’s likely we will see copycats and new iterations of the malware. Ultimately, are future outages caused by factors outside of your control worth the risk of hosting your critical systems in the cloud? Only time will tell.