
Massive Internet Attack – Shape of Things to Come in the Internet of Things

October 24, 2016 - by Synoptek

Beginning early in the morning of Friday, October 21, 2016, we all witnessed a stark glimpse of the Internet of Things to Come, along with a clear warning to pay attention to every device you connect to the Internet, and how it's connected.

What Happened?

What happened is called a Distributed Denial of Service (DDoS) attack, with ‘distributed’ meaning that the millions of attackers involved were distributed all over the place, and participated unwittingly.

The New York Times covered the event in an article called “A New Era of Internet Attacks Powered by Everyday Devices” reporting, “The attack on the infrastructure of the internet, which made it all but impossible at times to check Twitter feeds or headlines, was a remarkable reminder about how billions of ordinary web-connected devices – many of them highly insecure – can be turned to vicious purposes.”

Devices cited include internet-connected cameras, cars, refrigerators, switches, thermostats, and other devices.

Sites impacted include Netflix, AirBNB, Reddit, Etsy, GitHub, Shopify, Twitter, The New York Times, Amazon, Spotify, Tumblr and more.

How Did They Do It?

To get an idea of just how vulnerable they are, consider that all of the internet-connected things mentioned above communicate using a communications protocol called RPL, which stands for Routing Protocol for Low Power and Lossy Networks (yes, an acronym nested within an acronym). Most of these devices are incredibly easy for cybercriminals to connect to and take control of. Each device appropriated gives the attackers another Internet Protocol (IP) address to attack from.

According to Dyn, the company that was actually attacked, “…this was a sophisticated, highly distributed attack involving 10s of millions of IP addresses.”

Dyn provides Domain Name Service (DNS) to about 1,200 major customers including those listed above. DNS is the service that translates a web name such as https://www.synoptek.com to its actual IP address. Without DNS, web users could not access the affected websites for hours because nothing was available to translate names to numbers.

The 10s of millions of devices exploited by the cybercriminals all began simultaneously pummeling the Dyn services with requests, so many that the servers were completely overloaded and could not respond to actual requests. The result was a complete denial of service to real web users. The companies behind each of the impacted domains were also rendered unable to perform many daily operational functions.

Impacts of these attacks (there were actually three of them during the day on Friday) were felt all over the world and well beyond just Dyn’s customers. Because DNS involves interaction and sharing between servers all over the world, shutting down a large chunk of that exchange caused far-reaching outages and damage.

Am I Vulnerable to DDoS Attacks?

In a word, yes. Everyone is.

What Can I Do About It?

The first line of defense against having your internet ‘things’ exploited lies in how you select those things. It may incur more expense, but your long-term best interests are served by selecting and integrating only those devices that are more robustly configured with greater security features. For example, to keep costs down many manufacturers hard-code a common password such as “admin” into the management interface for their things, making them extremely easy to exploit.

With new “zero-day” exploits being introduced all the time, it is crucial to patch and update anything attached to the internet regularly to protect against them. Select only devices that offer a regular updating service.

Engage an Expert Guide to the new IoT World

If we’ve learned anything from Friday’s attack, it’s that it is far easier to mount a DDoS attack than it is to prevent one. Engage experts to help you select the ‘things’ you bring to the IoT, and to implement safeguards that will detect and deter large volumes of data suddenly coming from unknown IP addresses. It is projected that 10s of millions more devices will soon be added to the Internet, making it even more complex. The sooner you begin preparing, the more prepared you will be.
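To illustrate the safeguard mentioned above, detecting large volumes of traffic suddenly coming from unknown IP addresses, here is an added Python example (not part of the original post and not Synoptek's code). It counts requests from never-before-seen sources across all senders in a sliding window, because in a distributed attack each device may send only one request and a per-address limit would never trip. The baseline set, thresholds and log entries are constructed assumptions.

```python
from collections import Counter, deque

# Assumption: sources already seen in normal traffic (documentation-range IPs).
BASELINE = {"198.51.100.10"}

def sample_events():
    """Constructed (timestamp_seconds, source_ip) request log, not real traffic."""
    events = [(t, "198.51.100.10") for t in range(30)]        # known client
    events += [(3, "192.0.2.7"), (12, "192.0.2.8")]           # ordinary new visitors
    # Burst: 30 never-seen sources, one request each, spread over 3 seconds.
    events += [(20 + i // 10, f"203.0.113.{i}") for i in range(30)]
    return sorted(events)

def detect_unknown_surge(events, baseline, window=10, max_unknown=5):
    """Alert when requests from sources outside `baseline` in the last
    `window` seconds exceed `max_unknown`, counted across all sources."""
    recent = deque()      # unknown-source requests still inside the window
    alerts, alerting = [], False
    for ts, ip in events:
        if ip not in baseline:
            recent.append((ts, ip))
        while recent and recent[0][0] <= ts - window:
            recent.popleft()                                   # expire old entries
        over = len(recent) > max_unknown
        if over and not alerting:                              # alert once per surge
            per_source = Counter(src for _, src in recent)
            alerts.append({
                "ts": ts,
                "requests": len(recent),
                "distinct_sources": len(per_source),
                "busiest_source_requests": max(per_source.values()),
            })
        alerting = over
    return alerts

if __name__ == "__main__":
    for alert in detect_unknown_surge(sample_events(), BASELINE):
        print(alert)
```

In the constructed log the alert fires at second 20 while the busiest unknown source has sent a single request, which is why the count is taken over all unknown sources rather than per address.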