On Friday, October 21, a series of Distributed Denial of Service (DDoS) attacks caused widespread disruption of legitimate internet activity in the US. Because the attacks targeted the Domain Name System (DNS) that makes sure information requests on the internet are delivered to the right address, a lot of normal activities such as online shopping, social media interaction, and listening to music, were not possible for periods of time. The length of disruptions varied, but in some cases it was several hours.
Here are 10 things it is important to know about the 10/21 IoT DDoS attacks, and others like them.
- The 10/21 attacks were perpetrated by directing huge amounts of bogus traffic at targeted servers, namely those belonging to Dyn, a company that is a major provider of DNS services to other companies. This made it hard for some major websites to work properly, including Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, and the Playstation network. Beyond these high profile sites, it is likely that thousands of online retail operations were disrupted.
- The 10/21 attacks were made possible by the large number of unsecured internet-connected digital devices, such as home routers and surveillance cameras. The attackers employed thousands of such devices that had been infected with malicious code to form a botnet. The software used to crawl the internet to find unsecured devices is freely available. Even though some of these devices are not powerful computers, they can generate massive amounts of bogus traffic to swamp targeted servers, especially if you abuse a large numbers of them at once.
- The DDoS-enabling infections were made possible by the use of default passwords on these devices. Because the default passwords for most devices are widely known, anyone placing such a device on the internet without first changing the default password is, in effect, enabling attacks of the type witnessed on October 21, even if they are doing so unwittingly. Recent ESET research suggests at least 15% of home routers are unsecured (and the total number of home routers on the internet is probably on the order of several hundred million).
- Exploitation of unsecured digital devices on the Internet by malicious code can seriously disrupt daily life and economic activity in America. For example, it is likely that many millions of dollars in online sales were disrupted and revenue lost. Many companies had to divert resources to evaluate the impact of the attacks on their customers and employees and respond accordingly.
- There are some people who are willing and able to seriously disrupt daily life and economic activity in America by means of malicious code. They either don’t care that this negatively impacts tens of thousands of companies and hundreds of millions of consumers, or they are intentionally causing exactly these types of impact. The negative effect on the victims is the same regardless of the motives and intent of the attackers.
- Reducing the likelihood of future disruptions of this nature involves, among other things, convincing those who would abuse internet-connected digital devices for their own ends that this is a bad idea, while reducing the number of devices that can be abused.
- Reducing the number of internet-connected digital devices that can be abused is an achievable goal, one to which many members of society can contribute. Here are five tips for securing home routers that we published in 2014. Here are the top four actions recommended by US CERT in the wake of the latest attacks:
- Ensure all default passwords are changed to strong passwords. (Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.)
- Update IoT devices with security patches as soon as patches become available.
- Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
- Purchase IoT devices from companies with a reputation for providing secure devices.
- Malicious code infecting routers is nothing new, as this ESET research, reported in May, 2015 clearly demonstrates. The advice to change the default password on home routers and other internet-connected devices is definitely not new and has been reiterated many times. In 2014, We Live Security highlighted the discovery of 73,000 security cameras with default passwords.
- What is new is the massive scale of the DDoS attacks that are made possible by unsecured internet-connected devices, the vast Internet of Things. This does not bode well for IoT, which has already attracted criticism from privacy advocates concerned about the security of personally identifiable information handled by IoT devices. Indeed, a recent survey revealed that 40% of Americans are not confident that IoT devices are safe and secure, with more than half of those surveyed indicating they were discouraged from purchasing an IoT device due to cybersecurity concerns.
- What is the bottom line on the 10/21 IoT DDoS attacks? I think it is this: we have been shown just how vulnerable the internet, which is now an integral part of the critical infrastructure of the US and many other countries, is to disruptive abuse conducted at scale, by persons whose identity is not immediately ascertainable. Until this vulnerability is addressed, it will cast a serious shadow over the future of connected technology, a future in which much hope and massive resources have already been invested.
Author Stephen Cobb, ESET