Dyn DDoS Attacks – Blaming the IoT and a bunch of other stuff

Share Your Thoughts: Facebooktwittergoogle_pluslinkedin

“In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.” Jeff Jarmoc, Head of Security, Salesforce

If you thought that the internet broke on Friday October 24, 2016, it sort of did.

brian krebs mirai Botnet cartoonAs detailed on InfoWorld, the DDoS attack against Dyn that began Friday went far past taking down Dyn’s servers. Beyond the big-name outages, organizations could not access important corporate applications or perform critical business operations.

When the attack is against core internet infrastructure like DNS, the collateral damage is huge. But as is usually the case with indirect victims, there isn’t much they could have done differently. With the growth in size, sophistication, and frequency of DDoS attacks, network administrators have been adding anti-DDoS defenses to their infrastructure. In this case, none of those measures would have helped (other than Dyn, and it’s a solid bet it had made significant investments in this area already) because the attack traffic didn’t hit their networks at all. Enterprises relying on SaaS apps had no choice but to sit and wait and hope their providers got back online as soon as possible.

From the SaaS providers’ perspective, their options are limited, since again, the attack is happening upstream. However, they may have been able to reduce the impact somewhat if they had multiple DNS providers.” (Fahmida Rashid for InfoWorld)

As one of the largest ISPs in the world, Dyn going offline took down a significant chunk of the DNS, the internet’s address directory. DNS lets users connect to websites and online services around the world using easy-to-remember addresses instead of the server’s numeric IP designation. Thus, when the servers are unavailable, internet users cannot access any of those belonging to organizations that are Dyn customers.

TechCrunch: Dyn said last week it identified “10s of millions” of unique IP addresses involved in the massive botnet DDoS attack on its managed DNS services, which knocked out Twitter, Amazon and others sites for many users. At least some of those devices are now subject to a recall, with Chinese electronics company Hangzhou Xiongmai recalling web cameras using its components that were identified as making up a good portion of the devices involved.

“The DDoS attacks are normally against the largest providers; this makes sense as they have more of an impact that way. Merely adding complexity to a company’s security posture by adding another DNS probably isn’t the answer for most companies.

Having a Cyber Incident Response Plan to address the National Institute of Standards and Technology (NIST) four phases of Cyber Security — Preparation, Detection/Analysis, Containment/Eradication/Recovery and Post Incident Activity is the best way to be prepared.  Having a current communications plan and road-map including State/Federal and Regulatory notification requirements, as well as an updated cyber and  crime insurance policy puts a company in the best position to deal with a Cyber event.

The average company does not have enough IT dollars in its budget to prevent these events (i.e.: Amazon, Twitter, Reddit) so being prepared is the best use of a company’s limited resources.”

Jack Healey for Firestorm

TechRepublic boiled it down into five key points:

1: Not Just One Attack

The DDoS attack on Dyn was actually a series of attacks that took place at different times throughout the day Friday, and affected different sets of customers.

2. The attack was sophisticated

According to its formal statement, Dyn estimated that the attack involved “10s of millions of IP addresses,” making it highly distributed and sophisticated. The full impact of the attack and all of the potential sources have not yet been determined.

3. IoT is to blame

While all of the potential sources have not yet been identified, Dyn confirmed, with help from Flashpoint and Akamai, that devices infected with the Mirai botnet were part of the attack. The Mirai botnet looks for certain Internet of Things (IoT) and smart home devices, such as those that are using default usernames and passwords, and turns them into bots to use in cyberattacks.

4. This isn’t the end

While unique in its scale, the Dyn attack could act as a blueprint for smaller attacks as well. With the source code for the Mirai botnet getting released into the wild in early October, it could make it easier and cheaper for attacks like this one to be conducted.

l3outage-580x330

5. The IoT industry needs stricter standards

One of the most salient points from the attack on Dyn is that it highlights the need for stronger standards and protocols for security in the IoT industry.

Dyn’s Official Statement

“It’s likely that at this point you’ve seen some of the many news accounts of the Distributed Denial of Service (DDoS) attack Dyn sustained against our Managed DNS infrastructure this past Friday, October 21. We’d like to take this opportunity to share additional details and context regarding the attack. At the time of this writing, we are carefully monitoring for any additional attacks. Please note that our investigation regarding root cause continues and will be the topic of future updates. It is worth noting that we are unlikely to share all details of the attack and our mitigation efforts to preserve future defenses.

I also don’t want to get too far into this post without:

Acknowledging the tremendous efforts of Dyn’s operations and support teams in doing battle with what’s likely to be seen as an historic attack.

Acknowledging the tremendous support of Dyn’s customers, many of whom reached out to support our mitigation efforts even as they were impacted. Service to our customers is always our number one priority, and we appreciate their understanding as that commitment means Dyn is often the first responder of the internet.

Thanking our partners in the technology community, from the operations teams of the world’s top internet companies, to law enforcement and the standards community, to our competition and vendors, we’re humbled and grateful for the outpouring of support.

Attack Timeline
Starting at approximately 7:00 am ET, Dyn began experiencing a DDoS attack. While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different (more on that later). Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers. Unfortunately, during that time, internet users directed to Dyn servers on the East Coast of the US were unable to reach some of our customers’ sites, including some of the marquee brands of the internet. We should note that Dyn did not experience a system-wide outage at any time – for example, users accessing these sites on the West Coast would have been successful.

After restoring service, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to our East Coast POPs), but was mitigated in just over an hour; service was restored at approximately 1:00 pm ET. Again, at no time was there a network-wide outage, though some customers would have seen extended latency delays during that time.

News reports of a third attack wave were verified by Dyn based on our information. While there was a third attack attempted, we were able to successfully mitigate it without customer impact.

Dyn’s operations and security teams initiated our mitigation and customer communications process through our incident management system. We practice and prepare for scenarios like this on a regular basis, and we run constantly evolving playbooks and work with mitigation partners to address scenarios like these.

What We Know
At this point we know this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses. We are conducting a thorough root cause and forensic analysis, and will report what we know in a responsible fashion. The nature and source of the attack is under investigation, but it was a sophisticated attack across multiple attack vectors and internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack.

Thank You Internet Community
On behalf of Dyn, I’d like to extend our sincere thanks and appreciation to the entire internet infrastructure community for their ongoing show of support. We’re proud of the way the Dyn team and the internet community of which we’re a part came together to meet yesterday’s challenge. Dyn is collaborating with the law enforcement community, other service providers, and members of the internet community who have helped and offered to help. The number and type of attacks, the duration, the scale, and the complexity of these attacks are all on the rise. As a company, we have for years worked closely with the internet community to assist when others encountered attacks like these and will continue to do so.

It is said that eternal vigilance is the price of liberty. As a company and individuals, we’re committed to a free and open internet, which has been the source of so much innovation. We must continue to work together to make the internet a more resilient place to work, play and communicate. That’s our commercial vision as a company and our collective mission as an internet infrastructure community. Thank you.

Kyle York
Chief Strategy Officer

Firestorm President Jim Satterfield:

Willie Sutton, gave us ‘Sutton’s Law’ when asked why he robbed banks. His answer, Because that’s where the money is.” Today, the 80% of the value of corporate assets has shifted from physical to virtual.

Why the IoT? Because that’s where the future money is.

We know that every threat is perpetrated by one or more adversaries and that there always exists some motivation for adversaries.  It’s important to identify (as possible) the motivation driving a threat, to determine if any company information assets will be a target.

  • Was this recent attack a test?
  • Was this recent attack a distraction for a more substantial theft or cyber incident?
  • Were your web properties affected? How did your teams respond and what vulnerabilities and gaps did you identify?
  • Were your customers affected? A 2014 survey estimated the cost of a successful DDoS attack at $40000 per hour. Can you afford that?

“If private companies can’t figure out a way to improve security, you can imagine what happens next. Faced with attacks that cripple private and public infrastructure, governments intervene because the market failed. Governments don’t always have a light hand, so it’s not the preferred solution, but companies and entire industries aren’t stepping up to the challenge. The market remains incompetent”

Glenn Fleishman Senior Contributor, Macworld

Organizations must be prepared for all types of cyber incidents including those emanating from coffeepot bots, break room refrigerators, CCTV video cameras and digital video recorders. Data is everywhere including personal data (PCI, PHI, PII) and intellectual property. These present rich targets of opportunity and can be accessed in variety of ways and at multiple levels.

A characteristic of recent attacks is that they have and can penetrate perimeter data security defenses through multiple channels to exploit all layers of information security. Knowing what changes to make now, will mitigate an impending cyber incident, improve operational performance and protect stakeholders.

What do you need to do now?

  • Develop and maintain a Cyber Threat Intelligence Program that includes IoT vulnerabilities to identify cyber threats and coordinate response to them.
  • Maintain a current Information Asset Inventory
  • Increase employee awareness of cyber breach warnings signs and indicators
  • Train employees on what to do and not do such as immediately changing default passwords on smart-devices
  • Establish an enterprise-wide Cyber Incident Response Plan to respond to and manage the business impacts of a cyber incident
  • Prepare a Cyber Incident Crisis Communications Plan with Message Maps
  • Conduct a Hotwash after any cyber incident and implement lessons learned
  • Identify the external resources needed now to support your cyber incident response.
Share Your Thoughts: Facebooktwittergoogle_pluslinkedin

HOW CAN WE HELP YOU?