Editors' pick: Originally published Oct. 26.
Your refrigerator might have helped bring down the Internet last Friday.
As many users noticed, shortly before last weekend a massive cyber-attack disrupted service to major websites ranging from the New York Times to PayPal and many more. The attack took place in three stages, all targeted at the Domain Name Services (DNS) company Dyn, Inc.
Dyn's business, domain name services, is often referred to as the roadmap of the internet. It's what translates URLs like TheStreet.com into the 12-digit IP address at which websites reside. This isn't because IP addresses are secret (at time of writing, for example, this website's address was 188.8.131.52). They're simply tough for human beings to remember.
When DNS servers go down, like they did on Friday, no websites actually go offline. Instead, they become a whole lot harder to find. It's the difference between burning down a building and ripping up the map.
Friday's attack was a DDoS, or "distributed denial of service" attack. It's when hackers overwhelm a server with traffic beyond what it can handle. It's a brute force method that takes a lot of processing power which hackers often get through zombie networks (innocent computers with a virus on them).
In this case, the attackers used a novel piece of malware called the Mirai botnet, which creates its zombies by grabbing devices from the Internet of Things. Instead of linking together a bunch of infected laptops, the hacker used webcams, thermostats, cell phones and anything else with the ability to get online to generate traffic.
A DNS server is a brand new target and this was a brand new type of attack, and both have huge implications for how the internet can function moving forward.
"When DNS managed service providers are successfully attacked and impacted, then we know the threat landscape has changed," said Ed Cabrera, chief cybersecurity officer for Trend Micro.
"As the global phone book working to resolve millions of domain names requested, DNS is particularly vulnerable," he added. "It represents a logical choke point on the network and if not managed and protected correctly the risk of DDoS attacks increases exponentially, specifically with these types of attacks that leverage millions of IoT [Internet of Things] devices."
Historically, DNS services have been safe primarily, because no one considered them worthy targets. They tend to contain little sensitive information and even hackers rely on them for a functioning internet.
Calling them "by nature open to the public," a threat analysis put out by the Pinkerton's agency in the wake of the attack reminded users that DNS servers "typically have little to no cyber security, and instead, rely on the need of the service as protection."
"As a result," the analysis concluded, "DNS servers are easy targets for attack."
This is particularly true for a DDoS attack. Since DNS servers work by accepting and routing general traffic, rejecting connections is almost by definition contrary to the system. Ordinarily, it's still a solvable problem, as system administrators can build in protections such as rate limits, which cut off connections by source and destination. This can deny access to the server from sources showing an unusually high amount of traffic, such as zombie bots.
As Cabrera said, "the Mirai botnet threat changes all that."
By using third party devices on the Internet of Things, the hackers were able to assemble a zombie network out of hundreds of thousands of devices. One estimate suggests that over half a million individual peripherals were seized by the malware and used in Friday's attack. And this isn't the first time an Internet of Things attack has been test driven. Last month the website of security expert Brian Krebs was brought down by the power of i-lightbulbs, wristbands and cameras in one of the largest DDoS attacks ever recorded.
Mirai and its tactic has changed the landscape by opening up a truly vast number of vectors for future attacks. While a single device spiking the network can be identified and isolated as a bad actor, it's far harder to isolate the bad actors in a flood of seemingly-independent requests
And this is a huge problem for consumers moving forward, because right now, the only way to combat an internet of things attack is by securing the devices themselves and that won't always be easy. Consider, for example, precisely how often you'd like to update the firmware on your thermostat.
Now multiply that across every connected device in your home, and all the ones that companies like Apple and Google want to install there. It could easily become a full time job, or a blank check for companies to add just about any software they want.
"By 2020," said Peter Tran, senior director with RSA Security, "the number of internet connected devices is estimated to grow to over 50 billion. Driving visibility, monitoring and analytics to these devices and their environments is paramount in early detection."
"The Dyn DNS attack proved that IoT is increasingly becoming the new attack surface blind spot, and the instrument for hackers and cyber criminals to leverage in gaining a larger foothold for intrusion."
And it's not just about short-term disruptions to access. While DDoS attacks are, in themselves, often more vandalism than hacks, they can often be the first stage of something much more sophisticated.
"Any tool in a cyber threat actor's tool box can be used alone or in conjunction with other tools and tactics," Cabrera said. "They are only limited by their imagination. DDoS attacks have been linked to other data breaches to serve as diversionary tactics to draw the attention of incident responders and to hide exfiltration activity."
Breaches at companies such as Sony and many banks have been preceded by denial of service attacks, as the spike in cross-network activity can (among other tactics) be used to mask unauthorized access attempts which otherwise would raise red flags.
Friday's attack on Dyn's DNS systems has shown a frightening vulnerability in the internet and the infrastructure built around it. Perhaps more worrying, though, is the discovery that increasingly ordinary, household items were behind the attack. The Internet of Things is growing at an incredible clip and keeping all of those devices secure will be an enormous job, much of which will fall on the shoulders of ordinary consumers.
But the alternative is even worse.
"Internet infrastructure as a whole was designed without security," Cabrera said. "Cyber threat actors are managing and controlling millions of IoT devices that can attack any internet connected server around the globe. In this day of converged IT/OT networks in critical infrastructure systems there are hundreds of thousands of devices connected to the internet and are vulnerable to these types of attacks."