Who’s to Blame for Friday’s Brutal Cyber Assault – Everything We Know So Far
Criminals launched a massive cyber assault on Dyn, one of the United States' critical internet infrastructure companies earlier this Friday. As reported in a continually updated piece, the DDoS attack lasted for hours, causing outages and sluggish speeds for many of Dyn's customers, which include some of the biggest companies in the world.
DDoS attack, powered by an army of insecure Internet of Things
A distributed denial of service (DDoS) is when an attacker sends a large number of packets to the target website. Using hacked or improperly configured devices, cyber criminals can use millions of these insecure devices to send a flurry of traffic to the target. The servers are overwhelmed by this garbage traffic, and ultimately can't handle the legitimate traffic that they receive. This creates slow speeds or completely shuts down the websites.
Today's attack was more complex as Dyn manages DNS services of a number of large companies. The Domain Name System is how computers translate a human-readable web address into the correct machine code, linking to the intended website. Every time you visit a website or send an email, your computer is sending a DNS lookup request to your ISP to route the traffic to the target website.
We are continuing to mitigate a DDoS against our Managed DNS network. For more information visit our status page.
— Dyn (@Dyn) October 21, 2016
Because the attack targeted Dyn, that in itself manages a number of sites, the staggering DDoS attack managed to take huge swaths of the web offline, disrupting popular sites like Twitter, Netflix, Spotify, Reddit, Visa and several others.
Attack doesn't appear to be of a political nature - as yet
We saw a number of theories on Twitter, from linking the attack to the US government trying to limit access to the Wikileaks, to Russia retaliating against US accusations. Details have now started to emerge about the nature of the attack, and it seems that the Internet of Things and vindictive hackers are to be blamed.
While Russia, China and the US itself may get more votes for trying to take down the internet, so far today's attack doesn't appear to be of a political nature. Noted journalist Brian Krebs wrote earlier today that the "attack on DYN comes just hours after DYN researcher Doug Madory presented a talk on DDoS attacks." Hackers had previously used the same Mirai malware to launch then-largest DDoS attack to take down Krebs' website after he published a story on which Madory and Krebs had collaborated. [Madory's talk is available here]
There is no evidence to indicate if the attack indeed was a retaliation to Madory's talk about DDoS and Mirai, but at this point, it looks highly likely.
A senior US intelligence official also invalidated any links to state-sponsored attacks. "The current assessment is that this is a classic case of internet vandalism," NBC News reported. "The official said it does not appear at this point to be any kind of state-sponsored or directed attack. Impossible to say how long it will take to say who's responsible, the official added."
Meet Mirai - the beginning of a dark future for the internet security
Mirai is one of the two malware families that are currently being used to launch IoT-based DDoS attacks. Think about IP cameras, routers, printers, video recorders, and other Internet of Things. The malware essentially scours the web for IoT devices that have close to no security protections with factory-default usernames and passwords, and then enlists these devices. Creating a botnet, millions of these enlisted devices spread geographically throw junk traffic at the intended target, until it can no longer serve the legitimate visitors.
Hackers leaked the source code of this extremely effective malware, earlier this month. This malware essentially turns IoT devices into weapons to launch DDoS attacks that cripple the services. Following the release of this malware online, malicious hackers and criminals started creating their own "botnets." Reports published ahead of today's high-level attack had claimed that as many as 500,000 devices are infected by Mirai.
While it's yet to be officially said if Mirai IoT botnets are behind today's attack, several independent security firms have confirmed the link. Security firm Flashpoint is reporting that they have seen indications that a Mirai-based botnet is indeed involved in the attack on Dyn today. "At least one Mirai [control server] issued an attack command to hit Dyn. Some people are theorizing that there were multiple botnets involved here. What we can say is that we’ve seen a Mirai botnet participating in the attack.”
Level 3 Communications, one of the world’s largest internet backbone providers also confirmed Mirai's usage in today's assault. "We are seeing attacks coming from a number of different locations. We’re seeing attacks coming from an Internet of Things botnet that we identified called Mirai, also involved in this attack," Dale Drew, chief security officer said on a livestream on Friday afternoon.
"What they're actually doing is moving around the world with each attack," Kyle York, Dyn Chief Strategy Officer said Friday afternoon.
Hmm, so who released Mirai and why
The creator of Mirai released the code to the public, guaranteeing an increasing number of DDoS attacks. Using the nickname "Anna-senpai," the hacker said that they were releasing the code in response to increased scrutiny from the security industry. Following the release, the malware is growing at a speed that cannot be easily contained. While appearing to be altruistic, the free availability of Mirai ensured that investigators cannot track the perpetrators. Any hacker, independent or state-sponsored could be behind today’s cyber assault.
"It’s an open question why Anna-senpai released the source code for Mirai," Krebs wrote. "But it’s unlikely to have been an altruistic gesture: Miscreants who develop malicious software often dump their source code publicly when law enforcement investigators and security firms start sniffing around a little too close to home."
Eyal Benishti, CEO of IronScales, a cyber security firm dealing with phishing attacks and an expert at DDoS attacks, commented while talking to Wccftech, "a bit more than a month ago Bruce Shneir said, that someone is learning how to take down the internet using IoT. And today we are witnessing a major attack using IoT. What makes this attack so difficult to mitigate right at the offset is the fact that these bots are not only geographically spread all across the world, they may as well be generating legitimate traffic. That in turn will make it very hard for the defender (DYN) to cherry pick and block the right IPs."
Anticipating what we witnessed this Friday, last week the US Computer Emergency Readiness Team (CERT) had warned of the upcoming DDoS attacks powered by botnets made of IoT devices. US-CERT predicted more attacks following the public release of Mirai. The prediction has unfortunately proven to be unnervingly accurate.
Friday's East Coast attack paints a scary picture of stronger DDoS attacks in the future. If hackers are able to take down large swaths of the internet whenever they want, our free and open internet as we know it will become more vulnerable to cyber criminals, state-sponsored or otherwise.