If you’ve been on the internet in the past few weeks you’ve heard about the large scale cyberattack on DNS provider Dyn.
On October 21, major websites including Twitter, Amazon, Spotify, Reddit, PayPal, Airbnb, Wired, Pinterest, and more experienced outages. The common thread? Each of these sites used Dyn as its upstream DNS provider. A DNS provider is the company that runs the name servers that let you reach a website: you type in the URL, and the DNS provider responsible for that domain name translates it for your computer into the IP address that actually lets you travel to that site.
No DNS provider, no travel to the sites the DNS provider serves.
That’s what happened to the sites you weren’t able to reach. A distributed denial-of-service (DDoS) attack was carried out on Dyn, and because of that the DNS provider wasn’t able to handle the requests made by real users who wished to get to those sites. A DDoS attack can occur in a few different ways – TechDecisions spoke with John Shier, Senior Security Expert at Sophos, for clarification.
“There are actually a few different types of DDoS attacks,” says Shier. “Volumetric, protocol based, and application based. There are some nuances between each one of them.”
- Volumetric – Sheer volume. Launch as much information, requests, etc. at a site as possible so that it is unable to process any other request.
- Protocol Based – Exploit a specific protocol. Figure out the specific way that a site is processing traffic and exploit it to prevent the site from processing that traffic.
- Application Based – An application-level attack. Send the application something it can’t handle so that the web server behind it stops serving.
The DDoS attack on Dyn began at 11:10 UTC on October 21. At this point a volumetric DDoS attack was carried out on the DNS provider that sent an unreasonable amount of traffic toward the target, causing it to effectively run out of network resources.
What was unique about the DDoS attack on Dyn was that it was carried out using Internet of Things devices. A relatively new form of attack, the Internet of Things presents a particularly juicy opportunity for hackers: any device connected to the web can potentially be utilized to carry out attacks.
This form of DDoS attack was thrust into the spotlight not long before the Dyn attack. The popular cyber security site Krebs on Security was hit with a record cyberattack flooding Krebs’ site with more than 620 gigabits of traffic per second. The attack was so strong that it caused cloud-hosting giant Akamai Technologies to dump the site from its network.
So how does a DDoS attack using Internet of Things work? In much the same way that a regular DDoS attack works, with a bit more creativity on the front end.
“The first step is reconnaissance work that needs to be done by the criminals behind this,” says Shier. “There are ways of scanning the internet for anything that’s connected, such as the site Shodan. That’s where you find a lot of these IoT devices. Using one of these scanners, you can discover open network devices. You would then log onto those devices using common default passwords. Some of these devices have hardcoded passwords, and some have well-known default passwords that people don’t bother changing. Not through negligence, just people don’t know they should do that.”
Finding the devices, accessing the devices, getting control of the devices, and using the devices to launch an attack – this all happens programmatically. The hacker will load code into the device that essentially turns it into a bot, creating what’s called a botnet, which then reports back to the hacker’s command and control center. Once that happens, the hacker can begin launching attacks using the different devices. Requests come from everywhere at once, from all of these different devices that the hacker is controlling through code.
For the Dyn attack specifically, a Mirai malware botnet was used to carry out the attack, the same botnet that was used on Krebs on Security. Hackers used devices like routers, webcams, security cameras, and DVRs in order to create the botnet and launch the DDoS attack. Over 100,000 devices were used in the Dyn attack, rendering the provider unable to process requests and effectively locking down the sites that use Dyn services. The attacks came in traffic bursts 40 to 50 times normal flows, and lasted over 9 hours.
What’s so scary about Mirai is that the code is available to the general public. The owner of the botnet published the source code online, and now any hacker or group of hackers can utilize it to their advantage.
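The volumetric pattern described above (bursts tens of times normal flow, arriving from many devices at once) is the kind of thing a DNS operator can spot from its own query logs. The following is an added example written for this article, not code from Dyn, Sophos, or TechDecisions: it buckets a constructed query log per second, takes a baseline from known-quiet seconds, flags any second at or above 40 times that baseline (the factor is an assumption taken from the 40-to-50x figure), and reports how many distinct sources contributed, so a distributed flood can be told apart from one misbehaving client. The log format, IP addresses, and domain name are all constructed.

```python
from collections import defaultdict

# Assumption: burst factor taken from the article's "40 to 50 times normal" figure
BURST_FACTOR = 40

def parse_line(line):
    # Constructed log format: "<epoch_second> <client_ip> <query_name>"
    ts, src, qname = line.split()
    return int(ts), src, qname

def bucket_per_second(lines):
    # Count queries and collect distinct client IPs for each second
    per_sec = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in lines:
        ts, src, _ = parse_line(line)
        per_sec[ts]["count"] += 1
        per_sec[ts]["sources"].add(src)
    return per_sec

def baseline_rate(per_sec, quiet_seconds):
    # Baseline = mean queries per second over seconds known to be normal
    counts = [per_sec[s]["count"] for s in quiet_seconds if s in per_sec]
    return sum(counts) / len(counts)

def find_bursts(lines, quiet_seconds, factor=BURST_FACTOR):
    # Returns (second, query_count, distinct_sources) for every flagged second
    per_sec = bucket_per_second(lines)
    base = baseline_rate(per_sec, quiet_seconds)
    bursts = []
    for ts in sorted(per_sec):
        count = per_sec[ts]["count"]
        if count >= factor * base:
            bursts.append((ts, count, len(per_sec[ts]["sources"])))
    return bursts

# Constructed sample: two quiet seconds at 2 queries each, then a burst of
# 120 queries from 100 different addresses in one second (a distributed flood)
SAMPLE_LOG = (
    ["1000 10.0.0.1 example.test", "1000 10.0.0.2 example.test",
     "1001 10.0.0.1 example.test", "1001 10.0.0.3 example.test"]
    + [f"1002 192.0.2.{i % 100} example.test" for i in range(120)]
)

if __name__ == "__main__":
    for ts, count, sources in find_bursts(SAMPLE_LOG, [1000, 1001]):
        print(f"second {ts}: {count} queries from {sources} distinct sources")
```

A flagged second with many distinct sources and a low per-source rate is the signature of a botnet-driven flood, which is exactly why per-client rate limiting alone does not stop it.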
As of now it’s not known who carried out the attack, or for what purpose. According to CSO Online, cybersecurity legend John McAfee suspects that it is Bureau 121, a North Korean cyberwarfare agency. The Department of Homeland Security is currently investigating the attack to find the culprits.