On Friday, October 21st, attackers controlling a vast collection of internet connected devices launched a denial-of-service attack on web technology provider Dynamic Network Service, Inc., also know as Dyn. Dyn provides domain name system services to many popular websites, which is a key part of the “digital supply train“ which allows users to access websites like Twitter and Netflix. The attack serves as a validation for those that have long warned that the “Internet of things” (referring the the multitude of common household devices that are connected to the internet) has created an opportunity for hackers to infiltrate average American households. While many will dismiss Friday’s internet outage as a mere inconvenience, the attacks pose a threat to average Americans and large corporations alike.
Friday’s attack was a large distributed denial of service or DDoS, which aims to overwhelm servers with data requests from hundreds of thousands of internet devices. These often innocuous pieces of hardware (like thermostats or security cameras) sent requests to Dyn’s DNS servers in such volume that some of Dyn’s clients (like Amazon Web Services) experienced outages as well. In the past hackers have targeted home computers with malware in order to create a “botnet” or network of compromised computers that don’t appear compromised, but can be utilized at a hacker’s command to terrible effect. However this attack utilized a large number of internet connected devices, including some web cameras that have now been recalled by their Chinese manufacturer. While some devices don’t have robust protection mechanisms, others like Apple’s HomeKit implement tough security and privacy protections.
Some sources have speculated that attacks such as these are simply attempts by an unknown party to probe “the defenses of the companies that run critical pieces of the Internet.” This possibility adds an extra element or urgency to a situation that already involved the privacy and protection of millions of Americans. Many sources have highlighted the fragility and insecurity of Internet of things devices, and that such devices will continue to be likely targets for hackers in the future.
“Bob Gourley, co-founder of the cyber security consultancy Cognitio and former CTO of the Defense Intelligence Agency, said that DDoS attacks are up 75% this year, and that the average size of these attacks is growing.”
Experts attempting to pin down the motivation behind the attacks have cited reasons ranging from politics to revenge to money, but also suggested has been industrial sabotage. Researchers have found that many hackers sell the services of their botnets online, usually utilizing PayPal or Bitcoin to exchange payment for their services. Following the release of the source code for Mirai, a control software, criminal gangs have begun charging to employ it in cyberattacks. In fact, some individuals have explicitly advertised for sale the use of an internet of things botnet created from Mirai code, asking as little as $4,600 for control of 50,000 bots, while 100,000 cost only $7500.
Big businesses are in prime position to suffer from DDoS attacks, but can protect themselves by utilizing multiple vendors for core services like routing internet traffic in order to better protect themselves. However, Internet of things creators also have a duty to implement stronger standards and protocols for security for products that they sell to the American public. Most users of home computers are oblivious to potential security issues regarding their machines, and would be even less aware of the threat posed by unsecured internet connected devices. Hopefully this attack will serve as a wake up call for American companies, citizens, and the US government to take proactive steps to increase protections for internet connected devices and to secure critical internet infrastructure.