
IoT FEATURE NEWS

All Tricks and No IoTreats: DDoS Attacks Are Scarier Than We Know


When the Mirai and Bashlight botnet attacks earlier this month unleashed a flood of distributed denial of service attacks against Dyn, one of the largest domain name service providers in the world, ripples of outages across the Internet sent the security industry and service providers into a state of high alert.

When it became evident that the attacks were at least in part being initiated by Internet of Things devices, the way we think about security changed, and the way we need to secure "everything" became a hot topic of great concern across the industry.

We caught up with the VP and CTO of Corero, Dave Larson, to learn more about this "October Surprise" and how it is impacting the landscape. Increasing data shows the DDoS attack was mounted by the Mirai botnet, which includes smart home Wi-Fi routers and IP video cameras; these devices began sending massive numbers of requests to Dyn's DNS service after the code for the Mirai botnet was released publicly.

"As extensive as this attack was, and as much bandwidth as it ate up, this could be just the tip of the iceberg," Larson said. "The IoT is still so new, and is scaling so fast, that there are countless ways to hack into things to set off DDoS attacks. We've spent decades and billions of dollars securing computers, smartphones and servers, and now must immediately and comprehensively address the layers of security required as a multitude of things are being connected to the Internet."

Mirai malware could signal the beginning of a new level of nefarious, criminal activity as attack code is released publicly, as it was earlier this month, and attackers start testing the limits, using IoT devices as their bots. The perpetrator of a massive Bashlight distributed denial-of-service (DDoS) attack on the KrebsOnSecurity website last month, for example, publicly released the code used, escalating security analysts' warnings that this pattern will make it very easy for others to initiate similar and much larger, even disastrous, attacks.

"Mirai malware looks for and attacks connected consumer devices that are protected only with default passwords and user names," Larson explained. "Because there is so little awareness about the vulnerabilities associated with something like a simple WiFi router, Nest thermostat, Ring doorbell or IP security camera, consumers are setting these things up without changing the password. Since the defaults are the same in mass produced devices, the attackers' code can go in and begin sending requests by the millions, flooding the Internet within minutes."

Larson suggested that the industry, including the Internet Service Providers whose very businesses could be destroyed, come together to solve these issues before more attacks prevail, particularly as the attackers become more savvy and share more with each other in their quest to disrupt the connected world. "With all the talk about Wikileaks, the media is paying a lot of attention to the political dramas caused by other forms of invasions," Larson said. "But when you think about attacks on the Internet of Things escalating from consumer devices to businesses, enterprises, government agencies, utilities and more - you realize it is time we organized a public-private effort to more aggressively secure every endpoint so entire networks including cloud services don't collapse and leave us vulnerable to other forms of terrorism."

Mirai was designed explicitly to create botnets from IoT devices. It infects IoT systems running BusyBox, an executable file that runs on small versions of Unix, targeting home routers and network-enabled cameras, digital video recorders and other smart home endpoints. The Mirai and Bashlight botnet attacks were the largest DDoS attacks in history. But according to Larson, these could just be test runs that went well for the attackers and that may inform much larger invasions in the near future.

"It's frighteningly simple to attack the IoT compared to having to phish for human error in order to compromise a PC or phone," Larson said. "The service providers like Level 3, AT&T, Verizon, Time Warner, Century Link and more, here in the U.S., are paying attention because regardless of where a DDoS attack comes from, if they are not prepared their services will go down, and essential cloud based services for businesses, not just consumers, can be compromised. When we're not connected, our lives and businesses can come to a standstill. When emergency services no longer work when networks go down, you can imagine the consequences particularly if DDoS attacks are part of a larger terrorist plot."

What can consumers do to ensure their smart homes do not become part of these attacks?
"It may sound overly simple," Larson said, "but change your user name when you install the device, and change the password. Common and default passwords are so easy to hack, and when your DVR is attacked, that one device can open up the spread of the attack to other systems including your computer where the attackers can steal bank account and credit card information, and more."

What can companies like Dyn do to prevent future attacks?
"In addition to educating their customers, companies who provide hosting and other Internet services must add layers of security management software in order to immediately sense and stop new attacks," Larson explained. "And all these service providers can benefit from continuing to collaborate, sharing real time information and building standards while adopting the highest quality security solutions since Internet traffic is constantly being shared through interconnection agreements."

The Mirai botnet attack took down a big part of Twitter's network - which may explain why it got the media coverage it did, given the obsession with Twitter as part of our new political process. Hundreds of sites were taken down, including Wix, Box, PlayStation Network and GitHub, causing hours of disruption for those businesses and their customers and developers who, for example, support applications on the GitHub platform (causing endless combinations of application disruption).

What should government agencies and other organizations do to reduce and eliminate these criminal activities being launched on the Internet of Things?
"Surely the Department of Homeland Security is all over this issue," Larson said. "While we all recognize the obvious benefits of the IoT, until we are able to secure things and the networks they traverse, the promise of the IoT's value will be clouded by risk that we've multiplied the entry points for attacks exponentially. There are methods, there is technology to address this early on so we are actively managing this brave new world rather than having to respond and at a level of speed, volume and bandwidth consumption that could have crippling effects."

A few days ago, Dyn estimated that as many as 100,000 endpoints were involved, fewer than the original reports of "tens of millions of IP addresses", but one source estimated that the volume of the attack was as high as 1.2 Terabytes per second.

Dyn's EVP of Products, Scott Hilton, issued a written statement saying "Early observations of the TCP attack volume from a few of our data centers indicate packet flow bursts 40 to 50 times higher than normal. This magnitude does not take into account a significant portion of traffic that never reached Dyn due to our own mitigation efforts, as well as the mitigation of upstream providers. There have been some reports of a magnitude in the 1.2 Tbps range; at this time, we are unable to verify that claim."

Hilton's analysis also said "the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analyzing the data, but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets," Hilton wrote. "Dyn is collaborating in an ongoing criminal investigation of the attack and will not speculate regarding the motivation or the identity of the attackers."

Dyn also used mitigation techniques, including "traffic-shaping incoming traffic, rebalancing of that traffic by manipulation of anycast policies, application of internal filtering and deployment of scrubbing services."

"Real time mitigation works," Larson said. "We're living in a real time world, now expanded and continually expanding to include smart home and smart car endpoints as well as wearables and other sensing products.  Real time protection against a continuously evolving spectrum of DDoS attacks that have the potential to impact downstream or hosted services is where our customers are moving and moving fast. While consumers and businesses are naturally impacted by these attacks, the bigger threat is that of voluminous impact on network infrastructure, online services and exposure of confidential data. The more we can automate the security of the IoT in real time, all the time, the less we risk the potential of catastrophic events that reverberate through multiple, interconnected networks that make up the evolving Internet."




Edited by Ken Briodagh