On Oct 21st, a good chunk of internet was down after a massive Distributed Denial of Service (DDoS) attack was launched against the DNS host ‘Dyn, Inc.’ Many websites such as Twitter, Etsy, Github, Soundcloud, Spotify, Heroku, Pagerduty, Shopify, Intercom, etc., were down.
The first wave of attack started at around 7 AM EST and went on for about two hours. A second wave hit around noon and a third at 4 pm EST. The attacks upset movement to Dyn’s web registry servers, at first affecting most part of the East Coast and later spread on toward the Western Seaboard. Dyn servers were overwhelmed with malignant requests from a large number of IP locations, bringing the framework to a screeching halt. It was an “extremely refined and complex assault,” says the New Hampshire-based organization. The attacks were also reflected on an alleviated scale in Asia.
What is DNS and how does it work?
The Domain Name System (DNS) changes over comprehensible URLs to their hidden numeric IP addresses. DNS servers change over these space names of sites into PC digits or IP addresses, as www.twitter.com will become -126.96.36.199, the twitter DNS. With a major DNS organization like Dyn under assault, the framework does not work to make an interpretation of IP locations for the space names like www.twitter.com or www.netflix.com. Basically, without DNS query to unravel those series of numbers the web does not work. There are 13 root DNS servers. On the off chance that all were attacked, it could possibly knock down the entire Internet.
Why Dyn, Inc.?
Dyn is the Major DNS provider in the industry. These attacks were targeted on Dyn which hosts DNS for many popular sites. While the attacks did not influence the sites themselves, it blocked or restricted users attempting to access those domains. The DNS is an exceedingly conveyed framework that is all-inclusive and accessible through a system of root, legitimate and recursive name servers.
‘Kyle York’, Chief Strategy Officer at the Dyn, explained that ‘the attacks were highly sophisticated and involved a use of tens of millions of IP addresses. He also expressed that significant traffic for attacks may have also involved Mirai botnet.
What is Mirai botnet?
The Mirai botnet is an accumulation of infected Internet of things (IoT) gadgets, including digital video recorders (DVRs), surveillance cameras, and other internet-enabled embedded devices and even routers that were behind this biggest DDoS assault ever openly reported. Mirai botnet in past has been involved in even 1T-bps attacks against web access supplier, OVH, and in addition a 665G-bps attack against security blogger ‘Brian Krebs’.
So, how does this work? Just imagine, if millions of infected PCs and internet-enable devices contracted this malware; initially the malware stays dormant, however, once enough devices have been infected the botnet controller triggers a synchronized attack toward a single or multiple website or servers, with millions of these bot PCs and gadgets constantly requesting and sending excessive pings with the sole intention of overwhelming the system and causing it to shut down for self preservation, and in the process, making a genuine user, such as ourselves, unable to access the websites.
The source code for the malware was posted on the English-dialect hacking group, Hackforums. The malware, Mirai, spreads to gadgets by ceaselessly examining the Internet for IoT frameworks ensured by manufacturer’s default or hard-coded usernames and passwords. Defenseless gadgets are then seeded with pernicious programming that transforms them into “bots,” driving them to answer to a focal control server that can be utilized in conducting significant DDoS attacks on the intended targets.
Experts have since cautioned that numerous Internet of Things gadgets are ineffectively secured worldwide. Many Chinese electronic manufacturers’ offer OEM white-mark circuit sheets and programming scripts for cameras, alongside DVRs and system video recorders. A large number of these sorts of IoT gadgets were infiltrated by the Mirai malware, which abuses default certifications in the gear and corrals them into botnets utilized and sold for DDoS assaults. Hangzhou Xiongmai Technology Co. LTD has even decided to recall its millions of sold cameras from the U.S. in the wake of last weeks’ attacks.
The source code that powered the “Internet of things” (IoT) botnet to mount a huge DDoS attack against Krebs On Security a month ago has been openly discharged. These attacks raised a serious concern that the Internet will soon overflow with assaults from numerous new botnets controlled by unreliable switches, IP cameras, advanced video recorders and other effectively “hackable” (hackable is not a dictionary defined word; hence, the italics and quotations) gadgets. One of the most feared new malware is Linux/IRCTelnet also considered a successor to Mirai; we await its wrath, as this newly discovered malware creates a fresh IoT botnet.
How big is IOT botnet?
There is a growing market for infected Internet of Things (IoT) gadgets on sale. RSA Security LLC, a network security company, found that in the beginning of October, hacktivists and malicious programmers were promoting access to an immense IoT botnet on an underground criminal discussion forum; however, RSA declined to say which one. The dealer asserted they could produce 1 terabit speed attack for every second. For $4,600, anybody could purchase 50,000 bots (hacked PCs and IoT Gadgets under the control of the malware), and 100,000 for a cost $7,500. Together, these bots can mount a consolidated attack on a server, overpowering its focuses with requested information, making the entire system shut down. In other words, the DDoS attack was on sale.
‘Gartner, Inc.’, an analyst firm, predicts the following for the future:
- Global spending on security for IoT will reach $348 million this year, a 23.7 percent accretion (good choice of words) from 2015
- By, 2020, more than 25 percent of attacks in will use IoT, even though IoT will be less than 10 percent of total IT security budgets.
- Security vendors, an expectation more than prediction, to be precise when trying to provide usable IoT security features due to such a limited budget
Now, the question is, ‘’is this the ‘new normal’?’’ Since the coverage of IOT gadgets are expanding, such attacks can be taking place more frequently than ever. What can be the solution to such attacks and what can we expect from the future attacks? The potential collateral impact of DDoS attacks launched by the Mirai botnet can be huge, considering the target selection and effectiveness of a given attack; outbound and cross-bound DDoS attacks launched by Mirai botnet can cause significant network issues or outages worldwide.
How can we protect our systems from such attacks?
We can mitigate the impact of such attacks by deploying strategic countermeasures and using DNS Best Practices (BCPs), choose a network operator that utilizes public facing, secure network infrastructure to host applications and services. The network operators should have updated systems to detect anomalies, and process real-time analysis on traffic with the ability to detect, classify, and trace back DDoS attack origins. DDoS mitigation mechanisms should also be in place for e.g., source-based remotely-triggered blackholes, flowspec, and intelligent DDoS mitigation systems [IDMSes], etc can be utilized to mitigate a DDoS attack. However, it’s a race towards technological advancements, as new and unimaginable threats keep popping, it is up to the business to constantly develop and update their systems.
This is a cyber arms race with no apparent end in sight…