Thoughts on the 10/21/16 DDoS
Yesterday’s large-scale DDoS attack on a key piece of the United States’ internet infrastructure will undoubtedly go down as a milestone in the history of cyber warfare. While much remains unknown, such as the identity of the perpetrator, the facts that have emerged paint a picture of a capable adversary targeting a piece of infrastructure long considered vulnerable to attack, the managed DNS provider Dyn, with a technique that had been hypothesized for years but never used at this scale.
The well-known weak point is the DNS infrastructure that serves as the internet’s directory, translating friendly names such as www.twitter.com into the numeric IP addresses that actually route traffic. Twitter was one of many sites taken offline yesterday, not because its own servers were down but because the authoritative nameservers that answer queries for its domain were flooded and clients could no longer resolve the name. Sites that depended on a single managed DNS provider had no fallback once that provider stopped answering. The New York Times has a good piece describing the attack at a high level. Security expert Bruce Schneier blogged presciently about what appeared to be probing activity for such an attack as recently as last month.
The technique that gave the attack its scale was a botnet of hijacked IoT devices, chiefly IP cameras and DVRs built around components from a single Chinese manufacturer, recruited through unsophisticated weaknesses such as factory-default telnet passwords that owners rarely change. KrebsOnSecurity has a great breakdown of the attack and of the botnet, known as Mirai, whose source code was released publicly in early October. While many in the industry have long considered the possibility of such an attack, leveraging IoT devices to power a botnet, yesterday provided the clearest evidence yet that the vector exists and can power a highly effective DDoS.
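The recruitment phase of a botnet like this is noisy: each infected device scans the internet for more telnet listeners, so a single source sends SYNs to tcp/23 (and tcp/2323) at a large number of distinct addresses in a short time. The detector below, an added example that is not from this post or from any of the linked write-ups, runs that heuristic over a few constructed firewall-style flow log lines. The log format, the thresholds, the window length and the addresses (documentation ranges) are all assumptions made for the example.

```python
"""Flag sources that behave like a Mirai-style telnet scanner.

Heuristic: one source sends bare TCP SYNs to tcp/23 or tcp/2323 at many
distinct destinations inside a short window. The log format, thresholds
and addresses below are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}       # ports the Mirai scanner probed
DISTINCT_DST_THRESHOLD = 5      # assumed: distinct targets that count as a scan
WINDOW_SECONDS = 60             # assumed: sliding window length

# Assumed flow-log format: "<iso-ts> src=A dst=B proto=tcp dport=N flags=S"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s+"
    r"flags=(?P<flags>\w+)\s*$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto").lower(),
        "dport": int(m.group("dport")),
        "flags": m.group("flags").upper(),
    }


def find_telnet_scanners(lines, threshold=DISTINCT_DST_THRESHOLD,
                         window_seconds=WINDOW_SECONDS):
    """Map each scanning source to the largest number of distinct telnet
    targets it hit inside any window; sources below `threshold` are omitted."""
    window = timedelta(seconds=window_seconds)
    probes = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] not in TELNET_PORTS:
            continue
        # Only bare SYNs: a scanner's first packet, not an established session.
        if "S" not in rec["flags"] or "A" in rec["flags"]:
            continue
        probes[rec["src"]].append((rec["ts"], rec["dst"]))

    scanners = {}
    for src, events in probes.items():
        events.sort()
        best = 0
        for start, _ in events:
            # Distinct destinations touched in [start, start + window).
            dsts = {d for t, d in events if start <= t < start + window}
            best = max(best, len(dsts))
        if best >= threshold:
            scanners[src] = best
    return scanners


# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    # 203.0.113.7: six distinct targets on 23/2323 within thirty seconds -> scanner
    "2016-10-20T14:03:11Z src=203.0.113.7 dst=198.51.100.2 proto=tcp dport=23 flags=S",
    "2016-10-20T14:03:14Z src=203.0.113.7 dst=198.51.100.3 proto=tcp dport=23 flags=S",
    "2016-10-20T14:03:19Z src=203.0.113.7 dst=198.51.100.4 proto=tcp dport=2323 flags=S",
    "2016-10-20T14:03:25Z src=203.0.113.7 dst=198.51.100.5 proto=tcp dport=23 flags=S",
    "2016-10-20T14:03:31Z src=203.0.113.7 dst=198.51.100.6 proto=tcp dport=23 flags=S",
    "2016-10-20T14:03:40Z src=203.0.113.7 dst=198.51.100.7 proto=tcp dport=23 flags=S",
    # 203.0.113.9: SYN retries to one telnet host plus an SSH session -> not a scan
    "2016-10-20T14:03:12Z src=203.0.113.9 dst=198.51.100.20 proto=tcp dport=23 flags=S",
    "2016-10-20T14:03:15Z src=203.0.113.9 dst=198.51.100.20 proto=tcp dport=23 flags=S",
    "2016-10-20T14:03:18Z src=203.0.113.9 dst=198.51.100.21 proto=tcp dport=22 flags=S",
    # 203.0.113.11: five telnet targets spread over twelve minutes -> too slow for the window
    "2016-10-20T14:00:00Z src=203.0.113.11 dst=198.51.100.30 proto=tcp dport=23 flags=S",
    "2016-10-20T14:03:00Z src=203.0.113.11 dst=198.51.100.31 proto=tcp dport=23 flags=S",
    "2016-10-20T14:06:00Z src=203.0.113.11 dst=198.51.100.32 proto=tcp dport=23 flags=S",
    "2016-10-20T14:09:00Z src=203.0.113.11 dst=198.51.100.33 proto=tcp dport=23 flags=S",
    "2016-10-20T14:12:00Z src=203.0.113.11 dst=198.51.100.34 proto=tcp dport=23 flags=S",
    "garbled line that should be ignored",
]

if __name__ == "__main__":
    print(find_telnet_scanners(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

The window and threshold are the knobs that separate a scanner from a slow administrator: a source that touches the same five hosts over twelve minutes is not flagged at the defaults, but widening the window to ten minutes and lowering the threshold catches it, so tune them against a baseline of your own telnet traffic (ideally there is none from the outside) before alerting on the result.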
Coming as it does at a time when cybersecurity has become such an important issue in US political discourse, the attack is sure to increase tensions between the US and Russia. Although initial claims of responsibility have come from hacktivist groups protesting WikiLeaks founder Julian Assange’s loss of internet access inside the Ecuadorian embassy, it remains to be seen whether those claims hold up to subsequent forensic scrutiny.
With any luck, yesterday’s attack will spark renewed discussion about the role of public policy in establishing standards for IoT cybersecurity. Ordinary users simply have no way to secure many of the devices that are now connected to the internet, so standards must be established by the public or private sectors (or by the two acting in concert) to ensure that IoT gear complies with a reasonable set of security baselines: no shared default credentials, no unneeded remote services such as telnet exposed by default, and a path for delivering security updates. While such standards would be an imperfect solution at best, they would at least be a first step toward plugging the gaping holes that this attack exploited so effectively against US infrastructure.