A Denial of Service (DoS) attack is simple in concept: A malicious party sends millions of innocent-looking requests to a company’s website in an attempt to so overwhelm the server that it not only has difficulty responding to legitimate requests, it crashes altogether. Think of a mob of thousands of pranksters trying to cram their way into the revolving doors of Macy’s on Christmas Eve. They all look like regular customers and the security guards have no way to tell them apart. So they shut the doors until the crowd drifts away, then hope only the real customers return.
Improvements in the ability to detect the sources of all of those website requests and block them led to the development of the Distributed Denial of Service (DDoS) technique. In some cases, originating IP addresses are spoofed, but more sophisticated bad guys can also infect thousands or millions of computers with robot software that lies in wait, unseen, until a designated time when all of these “bots” begin sending requests to the targeted site. Each individual request looks legitimate, and the sources are no longer identifiable as malicious, so there is no simple way to determine which to block and which to allow. Analysis of traffic and content patterns takes time, and usually requires active human involvement, so it can take hours to restore service. For a commercial website, this can spell millions in lost revenue.
For a health care site or a public utility or a security installation, the consequences can be far more dire.
DDoS attacks are not theoretical, and they’re not new. The motivations vary widely. Extortionists have targeted banks in Greece and Sweden. Members of Anonymous went after Paypal, Visa and MasterCard in retaliation for their refusal to process donations to WikiLeaks. Political attacks against sites in Estonia and Georgia were attributed to Russian nationalists. Some attacks are done for hacker bragging rights, which was probably the case when they went after global spam-fighting site Spamhaus.
Those are the ones we know about. Banks in particular don’t like calling attention to successful hacks because of the potential erosion in customer confidence about their security measures, but some DDoS attacks against banks were among the worst-case scenarios described by the NSA.
One important variation on the DDoS is going after an intermediary instead of a single company. This is what happened last Friday, when a company called Dyn was targeted. Based in New Hampshire, Dyn routes Internet traffic for a variety of major companies with web-based assets. When they got hit with millions of phony requests, it affected such titans as Amazon, Twitter and Netflix.
I first learned of the attack when my home automation system failed. It was a mystery until I received an email from the manufacturer telling me about what had happened.
What they didn’t tell me is that my home automation itself might have played a part in the Dyn attack. Because while a DDoS attack against an Internet intermediary isn’t new, the way this one was carried out was. Turns out that the bots weren’t planted in personal computers; they were planted in smart home devices like cameras and DVRs and, for all we know, baby monitors, thermostats and cable set-top boxes.
These devices communicate in a variety of ways, through hubs, WiFi routers, or directly through broadband cable connections. When they become infected with malware, they can collectively spew millions of DoS requests that are seen to come from millions of unrelated IP addresses, because that’s exactly what’s happening. My service provider has no way to tell whether my security camera’s request for a firmware download or my DVR sending a new recording setting to their cloud is legitimate or part of an attempt to choke their servers.
The creation of this particular botnet began with a piece of software called Mirai. The software itself is complicated but it’s very easy to use, so when it was released by persons unknown to the hacker underground a few weeks ago, it didn’t take long for a lot of bad guys to start spreading it around. Mirai infects computers when people get fooled by “phishing” emails into launching attached or remote software. From there, the software plants copies of itself into connected home devices. So even if you periodically run scans on your computer and clean out malware, it can still be resident in your home systems.
What makes a Mirai-based attack so difficult to fight is the breadth of what’s called the “attack surface,” the millions of individual IP addresses serving as the sources making up the firehose of messages. They’re all over the world, and can be turned on and off in massive blocks so they seem to come from different parts of the globe at different times.
When it became apparent to security experts where Friday’s attacks were coming from, the question remained as to why it was so easy to infect these smart home devices. Part of the answer lies in what might be called a “failure of imagination,” our inability to perceive or believe the threat. Some of us are fairly diligent about keeping our computers safe but tend not to pay much attention to connected devices. We’re warned to keep the firmware updated but, unless there’s a functional reason to do so, we pretty much don’t bother.
What emerged over the weekend is that it wouldn’t have made much difference even had we done everything the instructions tell us to do. When you attach a lot of shoddily manufactured devices to your home system, there’s going to be trouble. This time, it came from at least half a million devices made by Hangzhou Xiongmai Technology in China in 2015 using embedded controllers that all had weak access codes that couldn’t be changed by consumers. Mirai easily guessed the factory default usernames and passwords and went to work, and what did we owners care? Even while wreaking worldwide havoc, our devices continued to dutifully turn lights on and off, adjust the temperature and deliver re-runs of “Happy Days.”
Except…the malware is still inside the “things” of our Internet of Things ecosystems. And we don’t know what else it can do. It isn’t a great leap to think that it could send camera images out to someone who can figure out that no one is home and then remotely unbolt our smart doors. If we could sabotage Iran’s nuclear manufacturing systems with a computer virus, is it so hard to believe that they could compromise ours with a bot that came in through a motion sensor?
To paraphrase Salesforce’s head of security: Could a system designed to withstand a nuclear attack be undone by a toaster?
Hangzhou Xiongmai has since updated its firmware to require a password change from the defaults, but to think that their products represent the only vulnerability is naive. Worse yet, as IP Architects president John Pironti described in a recent TechRepublic article, the malware embedded in our smart home devices isn’t necessarily limited to carrying out DDoS attacks: That may have been their first use, but “these same devices,” he said, “are likely to be used as entry points to the internal networks they connect to as well.”
In other words, not only can the Mirai software launch attacks from the vulnerable devices it first attached to; it can also infect other, better protected devices anywhere in the connected system, bring them into the botnet and carry out other forms of digital destruction. And as long as we’re dooming-and-glooming here, it’s worth pointing out that the source code for Mirai was made public last week, making it even easier and cheaper for attacks to be launched.
So do us all a favor: Download firmware updates for all your connected devices and change their default passwords. Do it now, then ask your friends and colleagues to do the same.