UPDATE: According to business intelligence specialist Flashpoint, the DDoS attack against Dyn was most likely carried out by script kiddies. Suspected nation-state sponsors and hacktivists such as New World Hackers are no longer considered the culprits.
What happens when IoT security vulnerabilities force devices we rely on every day to strike back? You can't tweet or listen to Spotify, among other things.
DDoS Attack Affects Millions
Many people suffered through a number of frustrating inconveniences like the ones I experienced last Friday morning, when dozens of websites were taken offline for hours. The outage was caused by a Distributed Denial of Service (DDoS) attack against Dyn, one of the largest ISPs around. The attackers' leverage came from an inherent IoT security issue: devices shipped with default passwords, which were infected with malware known as Mirai.
No Ska rhythms filled my car during my morning commute because Spotify was down. I stood in line for a good amount of time at Starbucks because their remote order app was offline. My first hours at work were impacted by my inability to log in to Basecamp. (Other sites affected included Twitter, Netflix, The New York Times, Reddit, Pinterest, AirBnB and many more.)
While my experiences qualified as First World Problems, on a national level, lower productivity caused by an Internet outage can cost tens to hundreds of millions.
IoT Security Flaws Caused by Weak Passwords
Last Friday's outages were the result of millions of machines acting in a coordinated effort to make it difficult or impossible to access the targeted sites. This morning it was reported that a group called New World Hackers, which includes members from Russia, China and India, had claimed responsibility.
In other words, the DDoS attack was masterminded by a group of people who took advantage of two fundamental elements of our networked lives: the Internet of Things and the Domain Name System (DNS).
We've populated our lives with a huge array of devices, each capable of receiving and transmitting network traffic. That traffic finds its intended destination through the Internet's phone book, the DNS. IoT devices often have weak default passwords and are easy to infect.
On Friday, someone flipped the switch: the malware on millions of infected devices made them send huge volumes of network traffic to the servers belonging to Dyn. That traffic overwhelmed the firm's DNS servers and, as a result, millions of people couldn't get onto their favorite sites.
Over the weekend Dyn reported that its servers were once again functioning normally.
One Chinese IoT technology company that produces DVRs and cameras had 500,000 of its own devices infected with the Mirai malware, according to internet backbone provider Level 3 Communications. The company admitted that its products were vulnerable because they are preset with weak default passwords that customers often do not change.
According to The Register, "Source code for the malware leaked online last month, allowing relatively unskilled cybercriminals to use PVRs, routers and more as a platform to launch denial of service attacks."
To make matters worse, yesterday afternoon the hacktivist group Anonymous tweeted "DDos attack comin'."
The Role We Play
If any of those affected machines were attached to your network, your company helped foot the bill to carry out the cyber-attack. In a typical DDoS attack, the infected machines send huge volumes of traffic continuously until the attack source is identified and shut down.
That means we have a role to play in preventing and thwarting these attacks in the future. The pervasiveness and persistence of cybercriminal activity, combined with the lack of IoT security, mean it is likely that some of the devices on your network are infected with malware. Mitigating the risk of data loss, or of participation in DDoS attacks, therefore requires effective monitoring.
For example, a cost-effective network traffic analysis tool alerts IT teams to unusual spikes in traffic in time to allow remediation before they affect your network or your internet bill. Log management and analysis is also a means of identifying suspicious activity.
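As an added illustration of the kind of "unusual spike" alert described above (example code, not from the original post or any particular product), the following script sums each internal host's outbound bytes per hour from constructed flow records and flags hosts whose latest hour dwarfs their own earlier baseline, which is what an infected DVR hammering an external DNS server would look like. The flow-record format, host addresses and thresholds are all assumptions.

```python
# Added example: detect internal hosts whose outbound traffic spikes far above
# their own hourly baseline. Record format (hypothetical): "timestamp src dst dst_port bytes".
from collections import defaultdict
from datetime import datetime

# Constructed sample flows: host .20 is steady; host .21 (an IoT DVR) suddenly
# pushes huge volumes to an external DNS server (port 53) in the 11:00 hour.
FLOWS = """\
2016-10-21T09:00:00 192.168.1.20 203.0.113.10 443 1200000
2016-10-21T09:00:00 192.168.1.21 203.0.113.11 443 300000
2016-10-21T10:00:00 192.168.1.20 203.0.113.10 443 1100000
2016-10-21T10:00:00 192.168.1.21 203.0.113.11 443 280000
2016-10-21T11:00:00 192.168.1.20 203.0.113.10 443 1300000
2016-10-21T11:00:00 192.168.1.21 198.51.100.53 53 90000000
2016-10-21T11:00:00 192.168.1.21 198.51.100.53 53 85000000
"""

def parse_flows(text):
    """Parse one flow record per line into (timestamp, src, dst, dst_port, bytes)."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return flows

def bytes_per_hour(flows):
    """Sum outbound bytes per (source host, hour bucket)."""
    totals = defaultdict(int)
    for ts, src, _dst, _port, nbytes in flows:
        totals[(src, ts.replace(minute=0, second=0, microsecond=0))] += nbytes
    return totals

def spike_alerts(flows, factor=10, min_bytes=1_000_000):
    """Return {host: (latest_hour_bytes, baseline_avg)} for hosts whose most recent
    hour exceeds `factor` times the average of their earlier hours. `min_bytes`
    suppresses alerts on hosts that barely talk at all."""
    by_host = defaultdict(dict)
    for (src, hour), nbytes in bytes_per_hour(flows).items():
        by_host[src][hour] = nbytes
    alerts = {}
    for src, hours in by_host.items():
        ordered = sorted(hours)
        if len(ordered) < 2:          # need at least one baseline hour
            continue
        latest = hours[ordered[-1]]
        baseline = sum(hours[h] for h in ordered[:-1]) / (len(ordered) - 1)
        if latest >= min_bytes and latest > factor * baseline:
            alerts[src] = (latest, baseline)
    return alerts

if __name__ == "__main__":
    for host, (latest, baseline) in spike_alerts(parse_flows(FLOWS)).items():
        print(f"ALERT {host}: {latest} bytes in last hour vs baseline {baseline:.0f}")
```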
There is no end in sight to the trend toward increasing deployments of ever more intelligent networked devices. Nor is there any evidence that cybercriminal activity will decrease. That puts the onus on IT organizations to increase their vigilance through more effective monitoring paradigms.