Massive DDoS Attack Shuts Down Major Websites; Raises Concern Over IoT Vulnerabilities

By now you’ve probably heard about last week’s massive DDoS attack affecting the Dyn DNS provider and their clients. Here’s what happened, and why it’s so concerning.

The Basics: What’s a DDoS Attack?

DDoS stands for ‘Distributed Denial of Service’ – a type of DoS (Denial of Service) attack. During a DDoS attack, the attacker “floods” a targeted network with useless incoming traffic from a great number of sources, overloading the system and making it inaccessible. A DDoS attack enlists a network of infected computers, referred to as a “botnet,” to conduct the attack. A botnet is created by spreading malicious software to private computers without the owners’ knowledge (this can be done through email, websites or social media). Once the malicious software has spread, the machines can be controlled remotely to conduct a DDoS attack – without the owners even knowing! These attacks are difficult to stop: blocking a single IP is ineffective, because the traffic comes from many sources, and telling legitimate traffic apart from malicious traffic can be difficult. Learn more about the basics of a DDoS attack.
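The point about single-IP blocking is easiest to see on a log. The following is an added example, not code from Golden Frog or from any DDoS mitigation product: it runs over constructed request-log lines (a quiet baseline, then a burst from 200 distinct sources in the 192.0.2.0/24 documentation range, each sending one request) and flags seconds where aggregate volume is far above the median while no single source stands out. The log format, thresholds and function names are assumptions made for the example.

```python
"""Added example: spotting the distributed-flood pattern in request logs.

Each constructed log line has the form "<epoch_second> <source_ip> <method> <path>".
The detector buckets requests per second, derives a baseline from the median
per-second volume, and flags seconds whose volume is many times the baseline
while the busiest single source stays small. That combination is the pattern
described above: the service is overloaded, yet there is no single IP whose
blocking would relieve it.
"""
from collections import Counter, defaultdict
from statistics import median


def build_sample_log():
    """Constructed sample traffic, not a real capture.

    Seconds 100-102: five regular clients, one request each per second.
    Seconds 103-104: 200 distinct sources, each sending a single request.
    """
    lines = []
    for sec in (100, 101, 102):
        for i in range(5):
            lines.append(f"{sec} 10.0.0.{i} GET /")
    for sec in (103, 104):
        for i in range(200):
            lines.append(f"{sec} 192.0.2.{i} GET /")
    return lines


def parse_line(line):
    """Return (second, source_ip) from one log line in the assumed format."""
    ts, src, _method, _path = line.split()
    return int(ts), src


def bucket_by_second(lines):
    """Map each second to a Counter of requests per source IP."""
    per_sec = defaultdict(Counter)
    for line in lines:
        ts, src = parse_line(line)
        per_sec[ts][src] += 1
    return per_sec


def find_distributed_floods(lines, spike_factor=10, per_ip_limit=20):
    """Return one record per second that looks like a distributed flood.

    A second is flagged when its total request count exceeds spike_factor
    times the median per-second count (the baseline) and the busiest single
    source sent at most per_ip_limit requests. A burst driven by one source
    is deliberately not flagged here: a per-IP block would handle that case.
    """
    per_sec = bucket_by_second(lines)
    totals = {sec: sum(c.values()) for sec, c in per_sec.items()}
    baseline = median(totals.values())
    flagged = []
    for sec in sorted(per_sec):
        total = totals[sec]
        _busiest_ip, busiest_count = per_sec[sec].most_common(1)[0]
        if total > spike_factor * baseline and busiest_count <= per_ip_limit:
            flagged.append({
                "second": sec,
                "total_requests": total,
                "distinct_sources": len(per_sec[sec]),
                # Share of the second's traffic a block on the top IP would remove.
                "top_source_share": busiest_count / total,
            })
    return flagged


if __name__ == "__main__":
    for record in find_distributed_floods(build_sample_log()):
        print(record)
```

On the sample, seconds 103 and 104 are flagged with 200 distinct sources each, and the top source accounts for 0.5% of the traffic, which is the quantitative form of "blocking a single IP is ineffective." Real mitigation works on aggregate signals (rate limits, upstream scrubbing, anycast capacity) rather than per-source lists, and a production detector would use a rolling baseline instead of a whole-file median.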

Sites Inaccessible: What Happened Last Week?

A massive DDoS attack of this kind, reportedly the largest in history, was launched against Dyn – a DNS provider – last week. DNS stands for domain name system; it translates hostnames (e.g. www.goldenfrog.com) into computer-readable IP addresses so that your computer can communicate with the desired host. Dyn is a large DNS provider that serves many major sites, including Twitter and Reddit. The DDoS attack against Dyn was launched using one primary “weapon” – the Mirai botnet. In this case, the botnet was comprised not of computers but of Internet of Things (IoT) connected devices (for example, digital cameras and DVRs). As a result, websites whose DNS was served by Dyn – including Twitter, the Guardian, Netflix, Reddit, CNN and many others – were inaccessible to users for several hours. Over 100,000 devices were reportedly used in this attack, which was described as twice as large as any previous DDoS attack. A similar attack was launched in September against the site of online security expert Krebs on Security.

What Does this Mean for Security?

In addition to the inherent privacy and security concerns associated with DDoS attacks and botnets, there are other reasons this attack is notable.

First, consider the number and type of sites affected. Because Dyn is a large DNS provider, many sites were down during the DDoS attack, which affected a great number of users. Dyn was very transparent and responsive to the event, but it’s still a reminder of the importance of trusting your provider, and of understanding the relationships many companies have with third-party hosts or providers. At VyprVPN, we own and run 100% of our network, including our DNS – VyprDNS. Owning our DNS lets us ensure it’s zero-knowledge (we do not collect information about users), and it also lets us defeat censorship to offer access to a free and open Internet. We were not affected by this particular DDoS attack.

Second, the use of IoT devices in the attack is concerning. We’ve written about the Internet of Things before, and about the inherent vulnerabilities in so many connected devices. While many initial IoT concerns centered on privacy threats or data collection, exploitation along the lines and at the scale of the Mirai botnet may not have been previously considered. A large number of IoT devices means a large number of devices to exploit and weaponize – it’s concerning to imagine what other risks and vulnerabilities might be exploited in the future.

Sources: The Guardian, Dyn, Incapsula, Krebs on Security