Yes, hackers are trying to bring down large parts of the internet

Back in September, Bruce Schneier wrote about hackers probing the internet for points of weakness, in an attempt to have the ability to take the Internet offline:

I saw a lot of people blow that article off, as unrealistic.

It’s realistic. People have tried before, trying to denial of service attack the root DNS servers — the yellow pages of the internet — and failing. Those servers are very well protected by a wide variety of different companies.

What’s happening today is people are explicitly targeting Dyn with denial of service attacks — where a large amount of corrupt data is sent to flood a company offline. Dyn provide DNS services to their customers. Think of DNS as a telephone book, where you type in and get directed to the correct website. Dyn hosts around a quarter of a million websites.

Why this is happening

What has happened over the last few years — ironically, largely due to denial of service attacks, where it is no longer safe or effective to host your own DNS server — so customers have consolidated to professional managed DNS providers.

For example, I know of one managed DNS provider who has over 10 million domains.

Within the past month there was a distributed denial of service attack which totalled over 1000gbit per second of traffic. That volume of traffic is staggering, multiple times bigger than seen previously, and is aiming to become the new normal. It is extremely difficult and costly to defend against — only a small number of companies can do it currently.

Why these volumes of DoS attacks is a problem

There’s many examples, but here is one.

Here’s a graph of undersea cables, connecting the internet together across countries:

On many of these cables, often laid a long time ago (the first submarine data cables were laid in 1850), bandwidth is limited. For example, the LION cable, — owned by Orange — which connects Madagascar, Réunion, and Mauritius, has a maximum capacity of 1280gbit per second — and that bandwidth is divided up between landing spots and providers. We’ve reached the point where attackers can bring down nations, no longer just by cutting cables, but with botnets — collections of hacked PCs and devices like DVR players and cameras.

In this case, it appears people are using botnets to attack DNS nameservers which host a large amount of websites. By private companies consolidating their websites into a small number of DNS providers, it is providing a unique way to attack core internet services.

There are much bigger targets than Dyn

A bigger issue is the attackers themselves. For example, the world’s largest sustained denial of service attack was against the website of Brian Krebs. Akamai, his denial of service prevention provider, opted not to provide service to the website any more due to cost of mitigation. At the time Brian was reporting on a denial of service operation, his work ultimately leading to the arrest of the people who ran it. It was two people, and they were teenagers.

When you have small groups of people with enough firepower to significantly destabilize the Internet — where Western economies are migrating towards — it becomes a situation which is not long term sustainable. Serious action needs to be taken by government and industry. In particular, Internet Service Providers need to seriously look into the kind of traffic they allow out of their network — for example spoofed packets — and governments may need to enforce in law requirements in this area.