A successful DDoS attack blocked user access to many popular websites, including Netflix, Spotify and Twitter, last Friday. Security researchers believe that thousands of compromised IoT devices could have been involved in the attack.
The distributed denial of service (DDoS) attack repeatedly targeted Dyn, the Domain Name System (DNS) provider, throughout Friday, resulting in website outages from the East Coast of the U.S. to Europe and other parts of the globe. According to a statement from Dyn, the source of the attack is being investigated, but it was a sophisticated, highly distributed attack involving tens of millions of IP addresses.
The growing power of DDoS over IoT
Dyn’s chief strategy officer Kyle York has revealed that its servers suffered from three separate attacks. DDoS attacks occur when systems are overwhelmed by traffic from numerous sources. On this occasion, it is believed the attack came from Internet of Things (IoT) devices, such as routers, security cameras and computers, which blocked Dyn servers. However, as Sophos research scientist Chester Wisniewski points out in his blog, this is speculation.
Dyn has also confirmed that one source of the traffic was devices infected by the Mirai botnet, new malware that was used to take down the website of independent cybersecurity journalist Brian Krebs earlier this month. The source code for Mirai was made public shortly after that attack, making further DDoS attacks increasingly likely.
Dyn continues to investigate the root cause of this attack, and the White House has said the Department of Homeland Security is also part of the investigation. Since Friday, the Mirror has reported that the hacktivist group Anonymous has threatened a further DDoS attack, though the group’s Twitter handle seems to suggest otherwise.
What does this mean for enterprise IoT adoption?
While not being able to access Twitter is largely trivial for most people, should this kind of attack hit the enterprise it could cause immense damage.
Chris Sullivan, general manager of intelligence at Core Security, suggests the real damage to corporates, nation states and defense networks is yet to come.
“The really frightening part of this is not that we will be struggling with these new attacks for some time, but that the underlying weakness which makes them successful can and will be used to unleash more serious attacks that steal credit cards and weapons designs, manipulate processes like the SWIFT global funds transfers, and even destroy physical things like the 30,000 PCs at Saudi Aramco,” he said in an email.
Gartner has predicted that more than 20 million connected ‘Things’ will be in use globally by 2020. That’s 20 million devices that hackers may be able to use against the companies or people using them; it’s a massive security headache for businesses and may stem IoT adoption.
Brian Honan, CEO of BH Consulting, thinks “we may have reached a tipping point where Governments must now look at regulating minimum cybersecurity and data protection standards that all devices must adhere to.”
“The overall security and safety of the Internet is now more important than the worries of stifling innovation or putting legal responsibility onto vendors. For many of the items we use today, for example electrical equipment, there are minimum standards these need to adhere to in order to be made available to individuals and companies. We need a similar approach now to computers, apps, and software.”
According to Chris Sullivan, “What is required now is the deployment of systems that don’t try to control the IoT devices but rather watch and learn how they behave so that we can identify malicious activity and isolate them when necessary.”
Either may be the case but, according to Wisniewski, there is not yet a consensus on how to tackle IoT device security.
Updated: Dyn has since released a statement with further details of the DDoS attack. The statement confirms that the Mirai botnet was the primary source of malicious traffic, but the company estimates that as many as 100,000 malicious endpoints were involved. Dyn continues to conduct analysis and an investigation of the attack, and says it will share its learnings with infrastructure providers who may face similar threats.