Written by Tianyi Lu, Senior Systems Engineer, VirtualArmour
As we continue our path towards 40 to 50 billion Internet-connected devices in 2020, there is a looming threat of malicious use cases for all of those “always-on, always-connected” machines. That threat was widely realized by the general public two Fridays ago when major sites like Netflix, eBay, Twitter, and PayPal all experienced major disruptions. However, it was not the first time a DDoS of epic proportions driven by IoT devices occurred; about a month earlier, krebsonsecurity.com experienced a record 620 Gbps of DDoS traffic. The same code running on IoT devices which wreaked havoc on Brian Krebs’ security blog was also the culprit of the latest, but much more widespread, disturbance.
The malware, known as “Mirai”, works by compromising internet-connected devices like microwaves and lights that still use their default factory usernames and passwords. Unlike on a computer, those credentials are often not easily changeable, or are permanently hard-coded. Once infected, Mirai instructs the IoT devices to send TCP/UDP packets with a destination port of 53 (DNS), targeted towards Dynamic Network Services, better known as Dyn.
First, the attacks focused on Asia Pacific, South America, Eastern Europe, and US-West regions, but then abruptly shifted to the US-East region. Ironically, it was later discovered that the target of the attack was Sony’s PlayStation Network, one of Dyn’s customers, but because of the internet’s reliance on DNS, all of Dyn’s customers were affected. To make matters worse, legitimate DNS requests further added to the strain on the system: because Dyn’s DNS servers were too busy processing all the illegitimate traffic to answer, resolvers kept retrying their queries. Eventually, Dyn brought all their DDoS scrubbing services online, applied traffic-shaping on the inbound traffic, rebalanced traffic by manipulating anycast policies, and applied edge filter policies, and was able to mitigate the attack. Post-mortem analysis by Dyn suggests approximately 100,000 malicious endpoints contributed to the attack (down from the several million originally thought to have caused the attack, due to the legitimate recursive DNS retry traffic mentioned above). There have been some reports of a magnitude in the 1.2 Tbps range, although this figure was not officially confirmed by Dyn.
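The post-mortem point above, that retry traffic from legitimate resolvers inflated the apparent number of attacking endpoints, is the kind of thing a defender has to untangle from flow data. The following is an added illustration, not Dyn's own tooling: it aggregates constructed flow records bound for port 53 over TCP and UDP, and separates high-rate sources (counted as malicious endpoints) from low-rate sources that look like resolvers retrying against an unresponsive server. The record format, the addresses (RFC 5737 documentation ranges) and the rate threshold are all assumptions.

```python
"""Separate DNS flood sources from retrying resolvers in flow records.

Constructed example, not Dyn's analysis. Each flow record is a tuple of
(timestamp_seconds, src_ip, proto, dst_port, packets). A source whose
packet rate toward port 53 across the window reaches FLOOD_PPS is
counted as a malicious endpoint; lower-rate sources are treated as
legitimate resolvers retrying. The threshold is an illustrative assumption.
"""
from collections import defaultdict

FLOOD_PPS = 50.0   # assumed threshold: packets/sec to port 53 from one source
WINDOW = 10.0      # seconds covered by the constructed sample

# Constructed flow records: (t, src, proto, dport, pkts)
SAMPLE_FLOWS = [
    (0.0, "203.0.113.10", "udp", 53, 400),   # flood source over UDP
    (5.0, "203.0.113.10", "udp", 53, 450),
    (0.0, "203.0.113.11", "tcp", 53, 600),   # flood source over TCP
    (1.0, "198.51.100.5", "udp", 53, 3),     # resolver retrying after timeouts
    (3.0, "198.51.100.5", "udp", 53, 3),
    (2.0, "198.51.100.6", "udp", 53, 2),     # another retrying resolver
    (4.0, "198.51.100.7", "udp", 443, 900),  # not DNS; ignored
]


def summarize_dns_sources(flows, window=WINDOW, flood_pps=FLOOD_PPS):
    """Return endpoint counts and the packet share attributable to flooding."""
    pkts_by_src = defaultdict(int)
    for _t, src, _proto, dport, pkts in flows:
        if dport == 53:                      # both TCP and UDP DNS traffic
            pkts_by_src[src] += pkts
    flood, retry = {}, {}
    for src, pkts in pkts_by_src.items():
        rate = pkts / window
        (flood if rate >= flood_pps else retry)[src] = rate
    total = sum(pkts_by_src.values()) or 1
    flood_pkts = sum(pkts_by_src[s] for s in flood)
    return {
        "malicious_endpoints": len(flood),
        "retrying_resolvers": len(retry),
        "flood_share": flood_pkts / total,
    }


if __name__ == "__main__":
    print(summarize_dns_sources(SAMPLE_FLOWS))
```

In the sample, two sources account for over 99% of the DNS-bound packets, while the retrying resolvers would inflate a naive count of attacking hosts by 100% without contributing meaningfully to the load.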
This attack, like the various breaches at Home Depot, Target, and Sony, once again highlights the importance of InfoSec practices at any organization. Furthermore, because of this attack’s far-reaching scope, it also brings to light how truly vulnerable the internet infrastructure we often take for granted really is. Core protocols like BGP and DNS that we so heavily rely on were created in a completely different era, an era when Information Security didn’t even cross people’s minds. Those days are truly past.