Yesterday’s (October 21) internet outages and slowdowns were a frustration for many, and possibly a sign of worse things to come. In case you didn’t notice, Twitter, Reddit, Spotify, and the Playstation Network were down, and quite a bit of other internet traffic was significantly slowed. Why did it happen, and what can be done to prevent similar or more severe events in the future? I’m glad you asked. And if you didn’t, I’ll pretend you did anyway. Note: This article is more designed for a lay-audience. If you want something a bit more in-depth, this article from Flashpoint and Level 3 Threat Research labs might be up your alley.
Let’s start off with what happened. While investigations are still ongoing, we know it was a distributed denial-of-service (DDoS) attack. While gamers have been frustrated by DDoS attacks against Microsoft and Sony, as well as the servers of other major game companies, this particular attack was against Dyn, “a cloud-based Internet Performance Management (IPM) company…Dyn’s platform monitors, controls and optimizes applications and infrastructure … ensuring traffic gets delivered faster, safer, and more reliably than ever.” Short version, they help make sure the internet is speedy and efficient…which it certainly wasn’t yesterday.
If this isn’t making clear sense to some of you, imagine, for a moment, you work at a company that has 20 incoming phone lines. Now let’s imagine that some jerk out there starts prank calling your company, asking things like “Is your refrigerator running? Well, you better go catch it!” Yeah, that would be obnoxious, but it wouldn’t disrupt your overall business that much. If it was bad enough, you could probably even block his phone number. But let’s imagine he now has 10 different phones from 10 different phone numbers, all calling at once. That might make it a little harder for your customers to reach your company efficiently. Then imagine he has 100 different phones, from 100 different numbers all calling simultaneously. How are your customers supposed to get through now?
Now, translate that from phone calls to internet requests. And change the number of devices from 100 to tens of thousands, hundreds of thousands, or perhaps, in the not-too-distant future, millions. DDoS attacks aren’t the work of brilliant hackers, they are a blunt object, which can still be remarkably effective and disrupting services.
Here’s a quick note from Krebs On Security: “At first, it was unclear who or what was behind the attack on Dyn. But over the past few hours, at least one computer security firm has come out saying the attack involved Mirai…At the end September 2016, the hacker responsible for creating the Mirai malware released the source code for it, effectively letting anyone build their own attack army using Mirai.”
Okay, to explain a bit more clearly what’s going on. Ever heard of a bot-net, but didn’t want to look silly asking what it was? Basically, there are people out there controlling thousands upon thousands of internet accessible devices, and siccing them on random targets. What are these devices? Well, the obvious answer would be computers. You might pick up some malware on your computer that lets someone else use a bit of your processing power and internet bandwidth to do some no-good deeds, without you even realizing what’s going on. But it goes beyond that, and it’s much easier than you might think.
Have you ever had to log into your router (or had to have someone do it for you)? Notice how, often, the username and password are generically set to admin and password? Yeah, that’s not a good thing. Did you ever change those? Yeah, you need to do that. What’s compounding the problem beyond computers and routers now is the Internet of Things (IoT). What is that, you might ask? Well, more and more of our possessions now have some sort of access to the internet, such as phones, watches, and even common appliances.
Again, from Krebs On Security: “Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use it in their own products.” UPDATE (10/25): XiongMai is now recalling all of their cameras, yet not acknowledging responsibility.
The short version, again, is that your DVR and other devices might have been on the rampage yesterday. Further, one Chinese manufacturer (likely many others as well) is making insecure components that many other manufacturers then use, which are purchased by American and international consumers who don’t know how, or don’t care enough to change the login and password. That means that very soon, if we don’t do something serious about it, those DDoS attacks which have hitherto been a general intermittent annoyance could theoretically bring the internet, and everyone who relies on it, to their knees.
So where do we go from here? Sure, you could write to your congressperson, but they probably have no clue what’s going on. You and I can’t realistically do much to change the manufacturing process. We have little say in what companies do, and how much they care about what happens down the line.
What you and I can do, and realistically must do, is three-fold. First, before we buy anything that can connect to the internet, we should research whether or not you can change the login info and connectivity options. Sadly, not all devices give you enough, or even any control. For those devices we already have, or buy in the future? Start taking responsibility for our devices, in more or less the same way we take responsibility for our children. You wouldn’t let your kids go out and vandalize property, throw bricks from overpasses, or otherwise make of themselves a public nuisance. So don’t let your tech do it either. Don’t allow internet access to any device that doesn’t need it, and turn off features you’re not using. If you are connecting a device to the internet, change your login info on those devices as soon as possible. Just do it. And, if you want a bit more on what you can do, here’s a really good place to continue.