At the beginning of October last year, the Mirai malware was the subject of increasing worries in the ever booming cyber-space, after targeting OVH and Brian Krebs. Hackers are generous gods so they immediately published the malicious source code on an online forum. It was then revealed that the attack on DynDNS was but a bigger, badder version of Mirai, used in this monstrous act to surpass all DDoS records.
Indeed, the number of devices connected to the Internet this time reached the order of hundreds of thousands, well beyond the known limit. Webcams, routers, baby monitors and other such gadgets contributed to the web’s total meltdown in the United States.
With all the craze built around the development of connected devices, we didn’t even realize we had come to witness the creation of something else entirely – our own modern version of Frankenstein’s creature. The negligence of manufacturers, in our case XiongMai Technologies, and the innocence of users have pushed us, without our knowledge, into the role of Victor Frankenstein. But back to the matter at hand. The actual reason these objects were compromised is the presence of default passwords.
Since these were ridiculously easy to recover, XiongMai Technologies was obliged to issue a patch in September 2015 asking users to set a new password for their product. Devices that had not been updated by that point therefore remained vulnerable.
The cybersecurity guru Bruce Schneier announced last month that the future of cyber-attacks is written in IoT botnets: “Somebody is learning how to destroy the Internet” (source: Le Figaro). As long as we do not open our eyes to the actual issue at hand, the danger is here to stay. We created the Internet before the word cybersecurity even existed in the dictionary. We wanted to be known as the modern Prometheus, and now we shall reap what we sow.
The DDoS experiment: a dreaded success
Once this massive hit was launched, the first signs of inconvenience surged on the East coast, followed by the West coast in a matter of hours. According to the high-tech blog Gizmodo, “half of the Internet” was completely in the dark. Over 30 important websites were impossible to access, such as Twitter, Airbnb, Etsy, GitHub, Paypal, Reddit, eBay and even Spotify. The consequences resonated all the way to France, where websites using the Dyn service also recorded abnormal connection delays according to Dynatrace, an application performance expert. “On all 64 websites we were monitoring at the time of the attack, the average connection time of the DNS reached 12 seconds, whereas the normal average is 0.3 seconds”, explains Dynatrace (source: Le Monde Informatique).
But how can an attack targeting a DNS server cause that much chaos?
The question is obviously rhetorical. By going after the DNS service, cybercriminals made every website whose records that service answered for unreachable. Put simply, a DNS server translates a website’s name into its IP address. If you try to connect to https://www.twitter.com, the DNS service you are using is the one in charge of establishing that correspondence, so that the 220.127.116.11 IP address becomes the true and final destination of your request.
The image below aims to help you better understand how a DDoS attack can impact a DNS managed infrastructure, whether it belongs to Dyn or not.
As you can see, when trying to connect to Twitter, the impacted DNS service will not be able to make the required correspondence. The result?
Rewriting history with our own hands
In Shelley’s original novel, Victor Frankenstein and his creature both meet a tragic fate at the end. Obviously, we do not wish to follow in their footsteps. But there’s one thing we must keep in mind. If hackers are capable of making the Internet tremble, what else are they capable of?
This recent DDoS experiment only underlines (even more than before) an issue on which people seem to agree, yet when it comes to taking action, not that much happens. Éric Freyssinet, botnet specialist, insists upon the necessity of not relying on a single DNS service: “Opting for the services of the provider here in question is not the problem (not everyone has the inside skills required for DNS server management or even load repartition over time). The real problem is that, how can I put this, you shouldn’t put all your eggs in a single basket” (source: Next Impact).
The surprising thing is that sites enjoying a rather less exceptional popularity (such as Reddit) were better prepared in the event of such an attack. By simply implementing cybersecurity best practices, these smaller businesses chose to rely on several DNS providers, instead of just on Dyn.
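The “several DNS providers” practice described above is easy to check for your own domains. The following is an added example (not code from the original article, nor from Reveelium or ITrust): it takes the output of a `dig +short NS <domain>` lookup, works out how many distinct DNS providers host the authoritative nameservers, and flags a domain that depends on a single provider. The nameserver hostnames and the `provider_key` heuristic (collapsing numbered labels such as `awsdns-45` to one provider) are assumptions made for the example; the sample `dig` output is constructed, not a live lookup.

```python
"""Check whether a domain's authoritative DNS is spread across more than one
provider (the "don't put all your eggs in one basket" point above).

Added example with constructed inputs; the nameserver hostnames are
illustrative and the provider heuristic is an assumption, not a standard.
"""
import re
from collections import defaultdict

# Constructed sample of what `dig +short NS <domain>` might print.
# Every nameserver sits under one provider's domain: a single point of failure.
SINGLE_PROVIDER_NS = """\
ns1.p1.dynect.net.
ns2.p1.dynect.net.
ns3.p1.dynect.net.
ns4.p1.dynect.net.
"""

# Constructed sample for a domain delegated to two independent providers.
# Full `dig` answer lines (with TTL/class/type) are accepted too.
MULTI_PROVIDER_NS = """\
example.test.   3600  IN  NS  ns1.p1.dynect.net.
example.test.   3600  IN  NS  ns2.p1.dynect.net.
example.test.   3600  IN  NS  ns-123.awsdns-45.com.
example.test.   3600  IN  NS  ns-678.awsdns-90.net.
"""

# Public-suffix-like second labels under which the provider name is one level up
# (e.g. "example.co.uk"). A tiny stand-in for a real public suffix list (assumption).
_SECOND_LEVEL_SUFFIXES = {"co", "com", "net", "org", "ac", "gov"}


def provider_key(nameserver: str) -> str:
    """Reduce a nameserver hostname to a provider label.

    Takes the registrable part of the name, then strips trailing digits and
    dashes so that numbered pools (awsdns-45.com, awsdns-90.net) collapse to
    one provider. Heuristic only; good enough to spot single-provider setups.
    """
    labels = nameserver.strip().rstrip(".").lower().split(".")
    if len(labels) < 2:
        return labels[0]
    sld = labels[-2]
    if sld in _SECOND_LEVEL_SUFFIXES and len(labels) >= 3:
        sld = labels[-3]
    return re.sub(r"[-\d]+$", "", sld)


def parse_ns_records(dig_output: str) -> list[str]:
    """Extract nameserver hostnames from `dig` output (+short or full answer lines)."""
    servers = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig's comment lines
        servers.append(line.split()[-1].rstrip("."))
    return servers


def assess_ns_diversity(dig_output: str) -> dict:
    """Group nameservers by provider and flag single-provider dependency."""
    by_provider: dict[str, list[str]] = defaultdict(list)
    for ns in parse_ns_records(dig_output):
        by_provider[provider_key(ns)].append(ns)
    return {
        "nameserver_count": sum(len(v) for v in by_provider.values()),
        "providers": sorted(by_provider),
        "servers_by_provider": dict(by_provider),
        "single_point_of_failure": len(by_provider) <= 1,
    }


def report(dig_output: str) -> str:
    """Human-readable summary, suitable for a periodic check script."""
    result = assess_ns_diversity(dig_output)
    status = "AT RISK" if result["single_point_of_failure"] else "ok"
    return (f"{status}: {result['nameserver_count']} nameservers across "
            f"{len(result['providers'])} provider(s): {', '.join(result['providers'])}")


if __name__ == "__main__":
    print(report(SINGLE_PROVIDER_NS))
    print(report(MULTI_PROVIDER_NS))
```

Running the script prints one line per sample; in practice you would feed it the real `dig +short NS yourdomain` output and alert when `single_point_of_failure` is true. Note that two providers only help if both are actually authoritative at the registrar level, so the check should be run against the delegation published by the parent zone, not just against one provider’s own zone file.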
One more lesson that some will learn only in the aftermath of a catastrophe.
Should we rejoice in the fact that we’ve allowed Frankenstein to reawaken? Absolutely not. The good news is that, before the curtain closes for good, there’s still some time left for us to rewrite the odds in our favor.
Cristina Ion (@_cristinaion_ or @Reveelium_AI) is the Community Manager of Reveelium Inc., a subsidiary of the French cybersecurity provider, ITrust and specialised in behaviour analytics and machine learning applied to the field of cybersecurity.