Though the internet is the beating heart of all culture, commerce and communications, it’s easy to forget it is also a physical entity made up of servers, computers and a growing number of interconnected devices.
On Friday, Oct. 21, the world saw just how fragile the internet really is, as many of the world's most popular websites ground to a sudden halt. For hours, users were unable to reach popular sites like PayPal, Reddit, Twitter, Pinterest, Etsy, Spotify, Netflix, Comcast, The New York Times, and even Bluefin's PayConex payment gateway. These outages were caused by three waves of distributed denial-of-service (DDoS) attacks launched against Dyn, a New Hampshire-based managed DNS provider that serves as one of the internet's switchboards.
The Architecture of the Attack
How could an attack on a single company bring the internet to a halt? The Domain Name System (DNS) is the internet's phone operator. Authoritative DNS servers hold the directory that maps human-readable domain names to IP addresses, so that a browser asking for a name like paypal.com is pointed at the company's actual servers. If the servers that answer for a domain cannot be reached, the site is effectively gone for every user whose resolver does not already have the answer cached, even though the site's own web servers are running normally.
To overwhelm a DNS provider with a flood of requests that appear to come from many independent devices, attackers compromise Wi-Fi routers, computers, internet-connected cameras, thermostats and DVRs and assemble them into a botnet that they can command as one. Like an operator trying to answer 100 phones ringing off the hook, DNS servers stop answering legitimate queries when junk requests arrive by the tens of millions, and every site that depends on those servers disappears with them.
While the Internet of Things (IoT) has given our fridges the ability to reorder milk and our cars the capacity to guide us from place to place, these low-security, internet-connected devices can be harnessed to mount massive DDoS attacks against DNS and other critical infrastructure.
According to Dyn, a leading domain name system provider, the attack was "well planned and executed, coming from tens of millions of IP addresses at the same time." (In its later analysis Dyn revised that figure downward to an estimate of up to 100,000 malicious endpoints; the traffic was large either way.) Targeting much of the East Coast, the first attack hit at approximately 7 a.m. and was resolved by 9:30 a.m. Another attack struck in the middle of the day, targeting the West Coast and Europe, while a third wave hit around 4 p.m. and wasn't resolved until early evening.
A month before Friday's attack, the source code for the malware responsible for the assault was posted publicly on a hacking forum. Known as Mirai, the malware scans the internet for vulnerable IoT devices. Once installed, a seemingly harmless camera or DVR becomes one more bot that reports to the attacker's command-and-control server and floods whatever target it is told to. These attacks are not traditional intrusions in which information is stolen; the infected device keeps working as before, which is exactly why its owner rarely notices it has been enlisted.
Experts have long warned about the risk of companies relying on a single provider for both their primary and secondary DNS, so that one provider's outage takes the whole domain with it. And while DNS service providers can absorb multiple 20 to 60 Gbps attacks at a time, attacks approaching 1 Tbps are so large that the network infrastructure in front of the servers cannot carry the traffic. Last month, a Mirai-powered botnet took down the website of cyber security reporter Brian Krebs by delivering roughly 665 Gbps of traffic, making it one of the largest DDoS attacks in history.
How it All Happened
To assemble a massive DDoS army, an attacker must first harness a massive number of insecure IoT devices. After last Friday's attack, Hangzhou Xiongmai Technology, a vendor behind DVRs and internet-connected cameras, acknowledged manufacturing devices with weak default passwords. In many of these devices the weak credential is a telnet login baked into the firmware and separate from the web-interface password, so changing the password in the device's web UI does not remove the exposure. While the Chinese company has issued updated firmware and now prompts users to change default passwords before using their products, devices running older versions of the firmware are still vulnerable.
Mirai is so effective because it scans the internet for devices that expose telnet (ports 23 and 2323) and tries a built-in dictionary of roughly 60 default username/password pairs to log in. Many of these devices ship with credentials like "admin," "12345" or "password." Through aggressive scanning, attackers can enlist over 10,000 devices a day, forming a massive, interconnected network of infected devices that is then rented out or pointed at a target.
According to Dyn, tens of millions of discrete IP addresses associated with the Mirai botnet were part of last Friday's attack. With tens of millions of these unsecured devices already on the market, Intel estimates that connected devices could reach 200 billion by 2020, or roughly 26 for every person alive.
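The following is an added example, not code from the Bluefin post or from the Mirai authors. It shows how the leaked Mirai scanner stores its default-credential dictionary (each byte XOR-ed with 0xDE, 0xAD, 0xBE and 0xEF in turn, which collapses to a single XOR with 0x22), decodes a few entries transcribed from that source, and turns the decoded list into a check you can run against your own devices' credentials before they go on the network. The first four table entries are taken from the published scanner.c; the remaining entries and their weights are constructed here from well-known default pairs, and the device inventory in the usage line at the bottom is made up for illustration.

```python
import random

# Added example (not from the Bluefin post or the Mirai source tree).
# Mirai's scanner.c decodes each credential string by XOR-ing every byte with
# 0xDE, then 0xAD, then 0xBE, then 0xEF; the four steps collapse to one XOR.
MIRAI_XOR_KEY = 0xDE ^ 0xAD ^ 0xBE ^ 0xEF  # == 0x22


def deobf(data: bytes) -> str:
    """Undo Mirai's string obfuscation (the scanner's deobf() routine)."""
    return bytes(b ^ MIRAI_XOR_KEY for b in data).decode("ascii")


def obf(text: str) -> bytes:
    """Inverse of deobf(); used here only to build the constructed entries."""
    return bytes(ord(c) ^ MIRAI_XOR_KEY for c in text)


# (obfuscated user, obfuscated password, weight). The weight is how often the
# scanner picks that pair relative to the others. The first four rows are
# transcribed from scanner.c; the rest are constructed for this example.
AUTH_TABLE = [
    (b"\x50\x4D\x4D\x56", b"\x5A\x41\x11\x17\x13\x13", 10),  # root / xc3511
    (b"\x50\x4D\x4D\x56", b"\x54\x4B\x58\x5A\x54", 9),        # root / vizxv
    (b"\x50\x4D\x4D\x56", b"\x43\x46\x4F\x4B\x4C", 8),        # root / admin
    (b"\x43\x46\x4F\x4B\x4C", b"\x43\x46\x4F\x4B\x4C", 7),    # admin / admin
    (obf("root"), obf("888888"), 6),        # constructed entries from here on
    (obf("root"), obf("default"), 5),
    (obf("root"), obf("123456"), 5),
    (obf("admin"), obf("password"), 4),
    (obf("root"), obf("root"), 4),
    (obf("root"), obf(""), 4),              # root with an empty password
    (obf("support"), obf("support"), 3),
    (obf("admin"), obf("1234"), 3),
    (obf("user"), obf("user"), 3),
    (obf("guest"), obf("guest"), 2),
]


def decode_table(table=AUTH_TABLE):
    """Return the plaintext (user, password, weight) list."""
    return [(deobf(u), deobf(p), w) for u, p, w in table]


def pick_credential(seed=None, table=None):
    """Weighted random choice, mirroring how the scanner selects a pair."""
    rng = random.Random(seed)
    table = table if table is not None else decode_table()
    total = sum(w for _, _, w in table)
    r = rng.randrange(total)
    for user, password, w in table:
        if r < w:
            return user, password
        r -= w
    raise RuntimeError("weights do not sum to total")  # unreachable


def credential_is_targeted(user, password, table=None):
    """True if this exact user/password pair is in the scanner's dictionary."""
    table = table if table is not None else decode_table()
    return any(u == user and p == password for u, p, _ in table)


def audit(devices, table=None):
    """devices: iterable of (name, user, password). Returns names at risk."""
    return [name for name, u, p in devices
            if credential_is_targeted(u, p, table)]


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    inventory = [
        ("lobby-camera", "root", "xc3511"),
        ("dvr-1", "admin", "S3cure!x-9"),
        ("thermostat", "admin", "admin"),
    ]
    print("at risk:", audit(inventory))
```

The audit is deliberately an exact-match check: Mirai does not guess, it tries a fixed list, so a device whose credentials are not in that list is safe from this particular scanner even if the password is still weak by other standards. A credential that the web UI will not let you change (the telnet login described above) must be treated as present until the firmware is replaced.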
Who is Behind the Attacks?
While the FBI and the Department of Homeland Security are investigating the attacks, the source and motivation behind them may be unknown for quite some time. A shadowy group, known as New World Hackers, has claimed responsibility for the attacks. They launched a similar DDoS attack against the BBC last year, and claim that Friday’s attack was “an annual power test” that was “actually against Russia.”
Regardless of whether the attacks were launched by Anonymous, hacktivists, extortionists, criminals or WikiLeaks supporters, as some have suggested, last Friday’s incident revealed just how vulnerable the country is to a large-scale attack.
In his widely read essay “Someone is Learning How to Take Down the Internet,” Bruce Schneier notes that someone has been testing the core defensive capabilities of the companies that provide critical internet services, in a kind of intelligence gathering effort to see how these companies defend themselves. Schneier believes the attacks have the precise mark of a large nation state like China or Russia, which might be probing to calibrate their own weapons of cyber war.
The Hidden Costs of Hacking
Last Friday's widespread denial of service attack affected high-traffic websites like Twitter and Amazon, as well as smaller sites like our PayConex gateway. Though the attackers did not gain unauthorized access to the system, PayConex was unavailable for several hours.
While the costs of Friday's attack are still being calculated, the incident had real consequences for transaction-dependent sites like Etsy, eBay and Amazon. By one estimate, sites like Shopify could have lost $12,000 per hour, while larger sites like Amazon could have lost $30 to $50 million per day.
If a similar attack were to happen during the upcoming holiday shopping season, it could have serious consequences for the U.S. economy. A 2012 study by the Ponemon Institute estimated that the average company's cost for every minute of downtime during a DDoS attack was $22,000 to $100,000. Businesses under attack lose revenue from reduced web traffic, pay for hardware and software replacements, and suffer lost productivity, lost intellectual property and lost consumer trust.
The cost of cleaning up after a DDoS attack dwarfs the cost of launching one, which booter services will carry out for as little as $5. With DDoS attacks on the rise, and targeted companies reporting an average of 27 attacks each, these attacks will continue to grow and the losses could increase dramatically.
A Brave New Future
As attackers attempt to destabilize the internet through targeted DDoS attacks, it has become abundantly clear that companies need to practice better DNS management. Attackers will continue to test the limits of DNS infrastructure until companies spread their authoritative DNS across more than one independent provider (and make sure both providers actually appear in the domain's delegation, not just in one provider's configuration), and until manufacturers stop shipping IoT devices with default or unchangeable passwords and open telnet services. Friday's attackers took down a major piece of the internet for the better part of a day, and if left unchecked, they will continue to amass botnets that will make the internet more vulnerable to widespread outages. As DDoS attacks increase in size, scale, sophistication and duration, many experts now believe the U.S. government must regulate the Internet of Things or face botnet armies of increasing size.
For a country already wary of possible attacks that could interfere with the upcoming presidential election, last Friday's attack offered a glimpse of the vulnerabilities that come with living in a highly connected society. For much of the day, sales plummeted, job productivity slowed, and people were unable to check their bank balances or even read news about the attacks. For better or worse, the attacks woke America up to a new reality where billions of household devices could be harnessed to take down the internet, the backbone of modern society. How citizens and experts approach this problem and search for solutions will ultimately determine what kind of internet-connected future we will live in.
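The single-provider DNS dependency warned about in the paragraphs on DNS management above is easy to check. The following is an added example, not part of the Bluefin post: it takes a zone's NS records in the form `dig +short NS example.com` prints them, groups the nameservers by provider using a simple hostname heuristic, and flags a zone whose authority all rests with one provider (or a provider that contributes only a single server). The two NS lists are constructed sample input that imitates the naming patterns of real managed DNS services; no real zone was queried.

```python
import re
from collections import defaultdict

# Added example (not from the Bluefin post). Constructed sample input in the
# format `dig +short NS <zone>` produces. Hostnames imitate real providers'
# naming patterns but do not describe any real zone.
SINGLE_PROVIDER_NS = """\
ns1.p01.dynect.net.
ns2.p01.dynect.net.
ns3.p01.dynect.net.
ns4.p01.dynect.net.
"""

# Same zone with a second, independent provider added to the delegation.
DUAL_PROVIDER_NS = """\
ns1.p01.dynect.net.
ns2.p01.dynect.net.
ns-100.awsdns-12.com.
ns-200.awsdns-25.net.
"""


def parse_ns(text):
    """Turn dig-style output into a list of lower-case nameserver hostnames."""
    return [line.strip().rstrip(".").lower()
            for line in text.splitlines() if line.strip()]


def provider_of(ns_host):
    """Heuristic provider key: the second-level label of the nameserver name
    with trailing digits/dashes stripped, so that awsdns-12.com and
    awsdns-25.net both map to 'awsdns'. This is an assumption for the example,
    not a standard; refine it for providers with unusual naming."""
    labels = ns_host.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return labels[0]
    return re.sub(r"[-\d]+$", "", labels[-2])


def assess_ns(ns_hosts, min_providers=2, min_per_provider=2):
    """Report whether authority for the zone is spread across providers.

    Returns a dict with the provider grouping, an overall ok flag and a list
    of human-readable findings.
    """
    by_provider = defaultdict(list)
    for host in ns_hosts:
        by_provider[provider_of(host)].append(host)

    findings = []
    if not ns_hosts:
        findings.append("no NS records supplied")
    elif len(by_provider) < min_providers:
        only = next(iter(by_provider))
        findings.append(
            f"all {len(ns_hosts)} nameservers belong to one provider ({only}); "
            f"an outage at that provider takes the whole zone offline")
    for prov, hosts in by_provider.items():
        if len(hosts) < min_per_provider:
            findings.append(f"provider {prov} contributes only {len(hosts)} "
                            f"nameserver(s)")

    return {"providers": dict(by_provider), "ok": not findings,
            "findings": findings}


if __name__ == "__main__":
    for label, text in (("single", SINGLE_PROVIDER_NS),
                        ("dual", DUAL_PROVIDER_NS)):
        result = assess_ns(parse_ns(text))
        print(label, "ok" if result["ok"] else "AT RISK", result["findings"])
```

Run it against the NS set returned by the parent zone (`dig +short NS example.com @a.gtld-servers.net` for a .com), not the set your provider's control panel shows: a secondary provider that is configured but never added to the registrar's delegation does nothing during an outage. The check also says nothing about whether the two providers actually hold the same zone data, which has to be kept in sync by zone transfer or by publishing records to both.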