Lessons from the Dyn DDoS Attack


Article by Bruce Schneier, American cryptography and computer security expert.


Last month, someone took down numerous popular websites in a massive distributed denial-of-service attack against the domain name provider Dyn. Denial-of-service attacks are not new, and not sophisticated. The attacker sends a massive amount of traffic to the victim, causing his system to slow to a crawl, and eventually crash. There are more or less clever variants, but basically, it's a data-pipe-size battle between attacker and victim. If the defender has a larger capacity to receive and process data, he'll win. If the attacker can throw more data than the victim can process, he'll win.

The attacker can build himself a giant data cannon, but that's expensive. Much smarter is to recruit millions of innocent computers on the Internet. This is the "distributed" part of the DDoS attack, and pretty much how it's worked for decades. Hackers infect innocent computers around the Internet and recruit them into a botnet, and then target that botnet against a single victim.

You can imagine how it might work in the real world. If I can trick tens of thousands of others to order pizzas to be delivered to your house at the same time, I can clog up your street and prevent any legitimate traffic from getting through. If I can trick many millions, I might be able to crush your house from the weight. That's a DDoS attack; it's simple brute force.
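The "data-pipe-size battle" above can be watched from the defender's side: sum what arrives each second, compare it with the link's capacity, and count how many sources the load comes from. The following is an added example, not code from the article; the flow records, the 1 Gbit/s link and the 100-source threshold are constructed assumptions.

```python
from collections import defaultdict

# Assumed capacity of the defended site's uplink, in bits per second (1 Gbit/s).
LINK_CAPACITY_BPS = 1_000_000_000

def make_sample_flows():
    """Constructed per-second flow records (second, src_ip, bytes); not real data.

    Seconds 0-1: normal traffic, 20 sources at 2 MB/s each (320 Mbit/s total).
    Seconds 2-3: distributed flood, 5000 sources at 250 kB/s each (10 Gbit/s).
    Second 4:    one source pushing 200 MB/s (1.6 Gbit/s) on its own.
    """
    flows = []
    for sec in (0, 1):
        for i in range(20):
            flows.append((sec, f"198.51.100.{i}", 2_000_000))
    for sec in (2, 3):
        for i in range(5000):
            flows.append((sec, f"10.{i // 256}.{i % 256}.1", 250_000))
    flows.append((4, "203.0.113.9", 200_000_000))
    return flows

def per_second_stats(flows):
    """Return {second: (bits_received, distinct_sources)}."""
    total = defaultdict(int)
    sources = defaultdict(set)
    for sec, src, nbytes in flows:
        total[sec] += nbytes
        sources[sec].add(src)
    return {sec: (total[sec] * 8, len(sources[sec])) for sec in total}

def classify(flows, link_bps=LINK_CAPACITY_BPS, distributed_threshold=100):
    """Label each second: the pipe is lost when offered load exceeds capacity;
    the flood is 'distributed' when that load comes from many sources."""
    verdicts = {}
    for sec, (bps, nsrc) in sorted(per_second_stats(flows).items()):
        if bps <= link_bps:
            verdicts[sec] = "normal"
        elif nsrc >= distributed_threshold:
            verdicts[sec] = "distributed flood"
        else:
            verdicts[sec] = "single-source flood"
    return verdicts

if __name__ == "__main__":
    for sec, verdict in classify(make_sample_flows()).items():
        print(f"second {sec}: {verdict}")
```

The single-source second is blockable by address; the distributed seconds are not, which is the point of recruiting a botnet.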

As you'd expect, DDoSers have various motives. The attacks started out as a way to show off, then quickly transitioned to a method of intimidation - or of just getting back at someone you didn't like. More recently, they've become vehicles of protest. In 2013, the hacker group Anonymous petitioned the White House to recognize DDoS attacks as a legitimate form of protest. Criminals have used these attacks as a means of extortion, although one group found that just the fear of attack was enough. Militaries are also thinking about DDoS as a tool in their cyberwar arsenals. A 2007 DDoS attack against Estonia was blamed on Russia and widely called an act of cyberwar.

The DDoS attack against Dyn two weeks ago was nothing new, but illustrates several important trends in computer security.

These attack techniques are broadly available. Fully capable DDoS attack tools are available for free download. Criminal groups offer DDoS services for hire. The particular attack technique used against Dyn was first used a month earlier. It's called Mirai, and since the source code was released four weeks ago, over a dozen botnets have incorporated the code.

The Dyn attacks were probably not originated by a government. The perpetrators were most likely hackers mad at Dyn for helping Brian Krebs identify - and the FBI arrest - two Israeli hackers who were running a DDoS-for-hire ring. But recently I have written about probing DDoS attacks against Internet infrastructure companies that appear to be perpetrated by a nation-state. But, honestly, we don't know for sure.

This is important. Software spreads capabilities. The smartest attacker needs to figure out the attack and write the software; after that, anyone can use it. There's not even much of a difference between government and criminal attacks. In December 2014, there was a legitimate debate in the security community as to whether the massive attack against Sony had been perpetrated by a nation-state with a $20 billion military budget or a couple of guys in a basement somewhere. The Internet is the only place where we can't tell the difference. Everyone uses the same tools, the same techniques, and the same tactics.

These attacks are getting larger. The Dyn DDoS attack set a record at 1.2 terabits per second. The previous record holder was the attack against cybersecurity journalist Brian Krebs a month previously: 620 gigabits per second. This is much larger than required to knock the typical website offline. A year ago it was unheard of. Now it occurs regularly.

The botnets attacking Dyn and Brian Krebs consisted largely of insecure Internet-of-Things devices: webcams, digital video recorders, routers, and so on. This isn't new, either. We've already seen Internet-enabled refrigerators and TVs used in DDoS botnets. But again, the scale is bigger now. In 2014, the news was hundreds of thousands of IoT devices; the Dyn attack used millions. Analysts expect the IoT to increase the number of things on the Internet by a factor of ten or more; expect these attacks to similarly increase.

The problem is that these IoT devices are insecure and likely to remain that way. The economics of Internet security don't trickle down to the Internet of Things. Commenting on the Krebs attack last month, I wrote:

The market can't fix this because neither the buyer nor the seller cares. Think of all the CCTV cameras and DVRs used in the attack against Brian Krebs. The owners of those devices don't care. Their devices were cheap to buy, they still work, and they don't even know Brian. The sellers of those devices don't care: they're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.

To be fair, one company that made some of the insecure things used in these attacks has recalled its insecure webcams. But this is more of a publicity stunt than anything else; I would be surprised if they got many devices back. We already know that the reputational damage from having your insecure software made public isn't large, and doesn't last. At this point, the market still largely rewards sacrificing security in favor of price and time to market.

DDoS prevention works best deep in the network, where the pipes are the largest and the capability to identify and block the attacks is the most evident. But the backbone providers have no incentive to do this. They don't feel the pain when the attacks occur, and they have no way of billing for the service when they provide it. So they let the attacks through, and force the victims to defend themselves. In many ways, this is similar to the spam problem. It, too, is best dealt with in the backbone; but similar economics dump the problem onto the endpoints.

We're unlikely to get any regulation forcing backbone companies to clean up either DDoS attacks or spam, just as we are unlikely to get any regulations forcing IoT manufacturers to make their systems secure. This is me again:

What this all means is that the IoT will remain insecure unless government steps in and fixes the problem. When we have market failures, government is the only solution. The government could impose security regulations on IoT manufacturers, forcing them to make their devices secure even though their customers don't care. They could impose liabilities on manufacturers, allowing people like Brian Krebs to sue them. Any of these would raise the cost of insecurity and give companies incentives to spend money making their devices secure.

That leaves the victims to pay. This is where we are in much of computer security. Because the hardware, software, and networks we use are so insecure, we have to pay an entire industry to provide after-the-fact security. It's basically a tax on the honest.

There are solutions you can buy. Many companies offer DDoS protection, although they're generally calibrated to the older, smaller attacks. We can safely assume that they'll up their offerings, although the cost might be prohibitive for many users. Understand your risks. Buy mitigation if you need it, but understand its limitations. Know the attacks are possible and will succeed if large enough. And the attacks are getting larger all the time. Prepare for that.
