The “new normal” of that massive attack, and other takeaways.
On Friday morning, Netflix, Twitter, Spotify, Reddit, SoundCloud and other major sites went down, some for several hours. It turns out that all of them had a common service provider — Dyn — which plays a critical role in their services working properly on a 24/7 basis. Dyn’s own service was disrupted by a massive distributed denial of service (DDoS) attack, resulting in their customers’ websites becoming unreachable by millions of users around the world.
Is there a fundamental problem with the internet?
Despite the appearance of fragility created by public outages such as Dyn’s, the internet was designed to be very difficult for an attacker to take down, and is resilient in the long run to even the largest-scale DDoS attacks.
That said, in the short term, successful DDoS attacks can create painful outages which, if timed to coincide with important events, could have disastrous consequences. The impact of knocking out public communications infrastructure, or preventing access to data, or funds, can be significant. And the bad PR associated with an outage certainly affects the public perception of a company, especially technology companies operating online services. As a result, DDoS is a serious concern for most companies, and the increasing scale and sophistication of DDoS attacks is putting even more attention on this threat.
The “new normal” of massive scale DDoS
Dyn’s service disruption was yet another demonstration of how attacks on various critical points on the Internet can impact millions of users, and how vulnerable those points may currently be. In this case, DNS (the “domain name system”) isn’t something that most users think about, but the entire internet depends on it. DNS translates human-readable names, like “twitter.com,” into machine-readable names, like “220.127.116.11.” That number, called an IP address, is what actually connects your computer to Twitter. The DNS services provided by Dyn to sites like Twitter were targeted by a DDoS attack, preventing users from being able to reach the websites of Dyn’s customers.
DDoS attacks have been around for many years, but they’ve gotten a lot worse recently. A big driver is the growth of the Internet of Things (IoT). In simple terms, there are now billions of Internet-connected devices that attackers can hijack and organize into botnets. Today’s IoT devices (such as security cameras and routers) are effectively computers, except with a lot less security in many cases. That makes the attacker’s job of building botnets easier than ever.
Last month, the source code for a botnet system called Mirai was released. Mirai is a framework which focuses on compromising insecure IoT devices, and simplifies attackers’ jobs by combining the control of those devices into the same system. It was responsible for the successful DDoS attack on the security website KrebsOnSecurity, which was the largest DDoS ever recorded at that time.
Dyn confirmed that the attacks came from tens of millions of IP addresses and utilized Mirai botnets. On Monday, Chinese electronics firm Hangzhou Xiongmai Technology announced that it would recall its webcam products, which were specifically targeted by Mirai. This is helpful in limiting the scale of Mirai, but it does not solve the greater IoT botnet problem, as many device vendors put security on the back burner when creating new products, and other devices are still vulnerable to similar schemes.
The recent Mirai attacks are notable for their sheer volume, but standard DDoS security defenses can be scaled up in response to stop them after an outage, as Dyn subsequently demonstrated. One of the takeaways from the Dyn attack is that current DDoS defenses need to proactively size and prepare themselves for the “new normal” scale of DDoS, to help avoid outages.
Advanced automation: The next generation of attacks is already here
But aside from DDoS volumes increasing, there are more advanced DDoS attacks looming on the horizon, and indeed, already in practice. We have started to see more sophisticated application DDoS techniques, which use advanced automation tools not only to randomize their IP addresses using botnets, but also to fabricate other transaction characteristics. This helps attackers avoid creating the patterns that DDoS solutions look for to distinguish an attack transaction from a legitimate one.
In particular, attackers are now taking down websites by targeting applications, such as search forms, with customized requests each time, instead of just hammering a site with the same request over and over from many machines. Application-specific DDoS attacks are far more efficient for cybercriminals because they bypass defenses (like content delivery networks) designed to absorb that traffic and require far fewer machines or devices in the attacker’s botnet to bring down an application. This is the next frontier of DDoS that most companies are actually not prepared for today.
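The evasion described above, seen from the defender's side, as an added example that is not part of the original article: in a constructed one-minute log window, per-source and repeated-request counters find nothing, while comparing each endpoint's volume against a baseline flags the search form. The log records, the `BASELINE` values and all function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Hypothetical per-minute request counts learned from earlier, normal traffic.
BASELINE = {"/": 40, "/item": 40, "/search": 4}

def make_sample():
    """Constructed one-minute window of (client_ip, path, query) records."""
    recs = []
    for i in range(40):                      # ordinary visitors
        ip = f"198.51.100.{i}"
        recs += [(ip, "/", ""), (ip, "/item", f"id={i % 7}")]
        if i % 10 == 0:
            recs.append((ip, "/search", f"q=shoes{i}"))
    for i in range(300):                     # flood: new source and query each time
        ip = f"10.9.{i // 200}.{i % 200 + 1}"
        recs.append((ip, "/search", f"q=x{i}"))
    return recs

def per_ip_offenders(recs, limit=20):
    """Classic rate limit: sources sending more than `limit` requests."""
    hits = Counter(ip for ip, _, _ in recs)
    return {ip for ip, n in hits.items() if n > limit}

def repeated_request_offenders(recs, limit=50):
    """Signature on identical requests: same path and query over `limit` times."""
    hits = Counter((path, query) for _, path, query in recs)
    return {key for key, n in hits.items() if n > limit}

def endpoint_pressure(recs, baseline, factor=5.0):
    """Flag paths whose volume exceeds `factor` times their baseline."""
    by_path = defaultdict(list)
    for ip, path, query in recs:
        by_path[path].append((ip, query))
    flagged = {}
    for path, hits in by_path.items():
        expected = baseline.get(path, 1)
        if len(hits) > factor * expected:
            flagged[path] = {
                "requests": len(hits),
                "expected": expected,
                "distinct_clients": len({ip for ip, _ in hits}),
                "distinct_queries": len({q for _, q in hits}),
            }
    return flagged

if __name__ == "__main__":
    window = make_sample()
    print(per_ip_offenders(window), repeated_request_offenders(window))
    print(endpoint_pressure(window, BASELINE))
```

On the flagged path, the distinct-client and distinct-query counts both sit close to the request count, which is why counters keyed on a single source or a single request never reach their limits.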
The underground market for DDoS-as-a-service is also proliferating, following the general trend of cybercriminals specializing to focus on what each group does best. A large-scale, public DDoS demonstrates the strength of an attacker’s botnet, which allows them to sell their services to other cybercriminals more readily. There are thousands of posts from DDoS “providers” which offer to attack sites starting from just a few dollars. While the motivation for the attack on Dyn has not yet been publicly identified, the strength of the attacker’s botnet has clearly been demonstrated.
How the Internet will protect itself
Redundancy of services is one way to help protect consumers. For example, if you can’t access Twitter, you can still access Facebook. But the best defense for all users is the ability for online service providers to stay ahead of attackers and invest in constantly improving technology and infrastructure. Better DDoS defenses will allow websites and applications to withstand the storm of the inevitable DDoS attacks that all major sites eventually get hit with.
Fortunately, the visibility of DDoS attacks over the last several years has helped educate the marketplace, and today most large companies have some basic level of DDoS protection in place which they can — and must — build upon over time. Unfortunately, the attack on Dyn illustrates there are still many gaps in the scale and efficacy of most companies’ defenses.
Shuman Ghosemajumder is chief technology officer of Shape Security, a company that protects against the most dangerous application attacks enabled by automation, including credential stuffing attacks, application DDoS and unauthorized content scraping. He was previously head of global product management for click-fraud protection at Google. Reach him @ShapeSecurity.