What Happened?

ICYMI: There was a massive cyber attack last Friday (10/21/2016).  The DNS company DYN which provides DNS service to a gigantic section of the internet was under DDoS attack. This attack brought down sites like Twitter, Reddit, GitHub, Amazon, Tumbler, PayPal, and more.  In my opinion, even though it is a very bad thing they used a pretty neat trick to make it happen.

The Basics

What is DNS and how does a DDoS attack work?  DNS stands for Domain Name Service, and essentially it is the backbone on any network (inter and/or intra).  What this service provides is a way to translate IP addresses (any device connected to a network) to a human-friendly name. For instance, mdtechteam.com translates to the IP address 173.254.28.124.  Think of DNS like a phone book, on 1 side you have the First and Last Name of the individual you want to contact and on the other side you have the phone number to contact them.  DNS works in the same fashion (obviously, this is very high-level explanation and there are many more details on how DNS works).  So what is a DDoS Attack, I really loved how digitalattackmap.com explained it:

“A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. They target a wide variety of important resources, from banks to news websites, and present a major challenge to making sure people can publish and access important information.”

So now that you know what DNS and DDoS are, let's talk about how “they” (Not sure who they are just yet as they have not been able to identify who started the attack) brought down DYN.  Normal defensive against a DDoS attack would be to identify the machines creating the traffic and simply block them from accessing the servers IP address.  As you can imagine you need a massive amount of traffic in order to overwhelm the DNS server.  What made this attack unique and pretty damn awesome (and scary) at the same time, is that they used what are known as IoT (Internet of Things) devices.  These devices are like your smart TV, IP-based security cameras, web-connected thermostats, essentially ANYTHING that has an internet connection!

How did they do it?

Sometime last month, the source code for a malware called Mirai was released.  This source code allows people to specifically go after IoT devices that have not changed their default security settings or have low level security on them and create botnets.  These botnets can then be used to target certain networks.  Here is what Brian Krebs (security blogger from krebsonsecurity.com) had to say about Mirai:

"Mirai scours the web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users."

How crazy is that!!! Literally “smart” devices that we thought would make our lives easier are being used for an attack that you may of not even known about. 

Now before you go throwing your devices away or taking a bat to them like in office space, know that not all smart devices were created equally.  The majority of the IoT devices that were used came from a Chinese company that makes IP-based security cameras.  They are the manufacturer and often sell to companies as a white labeled product.  After the attack on Friday the Chinese Company XiongMai started a product recall after it discovered its security cameras were part of the colossal mess.

Now that we know this is possible, how do we prevent it?  First, start off by always changing the default password to your new devices.  I don’t care if its a router, a coffee machine, your nest thermostat, CHANGE THE PASSWORD.  Most reputable companies make it required to change the password during setup, however, there are some that don’t. For protecting your website make sure that you are behind a firewall.  It could be a WAF (web application firewall) or a cloud proxy firewall or BOTH!  This way you can log any suspicious events and know where they are coming from so that you can permanently block them from happening again. 

Get your tin hat ready as it is more than likely a similar attack will happen in the future.

If you would like more information on how to protect your website, fill in the form below and we will gladly walk you through it.