You might have been an unwitting participant in the cyberattack that took down Twitter, Netflix, The New York Times’ website and many others last week. According to cybersecurity analysts, the widespread and highly coordinated cyberattack, designed to disrupt access to several popular websites by overwhelming them with an onslaught of bogus requests, was orchestrated using tens of thousands of poorly secured internet-accessible devices, such as home monitoring systems, digital video recorders and routers.
The assault targeted Dyn, Inc., a company that provides the domain network system (DNS) services that allow users to connect to these websites. By disrupting Dyn’s ability to provide this infrastructure many of these high-traffic sites could not be reached starting in the early hours of Friday morning on the East Coast.
Gaurav Naik, an expert from Drexel’s Isaac L. Auerbach Cybersecurity Institute and an assistant research professor who studies computer network security in the College of Computing & Informatics, suggests that most of the people whose devices were hacked and used in the attack would not have been aware of it.
Naik recently took some time to explain the nature of this type of attack — called distributed denial-of-service — why so many people were affected by this particular one, and why we should anticipate more like it in the future.
First off, can you explain what a DDoS attack is – since we’re seeing the term everywhere now?
Distributed denial-of-service (DDoS) attacks are a family of network attacks that cause websites and other internet services to become unavailable by overloading them with requests and consuming resources needed to serve legitimate requests. Typically, insecure computers on the Internet are compromised — via malware and viruses — and then commanded to unwittingly participate in the attack. These compromised computers form a botnet that is under control of the attacker.
DDoS attacks have been around a while, and it seems that sites have become better at handling them. Why was this one as successful as it was at shutting down these sites?
DDoS attacks have been around for a long time, and there are many techniques to fight them. However, it comes down to the defender’s ability to cope with the size of the attack. If the attackers have more bandwidth available to them then the website has to mitigate the attack, then they win. In this case, the sophistication and size of the attack was unprecedented.
Dyn, Inc., the company targeted in the attack, has reported that the attack involved tens of millions of individual devices and that one of the sources of traffic was a large botnet of compromised Internet of Things (IoT) devices. Instead of computers and laptops, this botnet is comprised of devices such as cameras, digital video recorders and routers.
Explain what Dyn, Inc. does, why was it a particularly desirable target for these hackers?
Dyn provides a core internet infrastructure service called Domain Name System (DNS) for many of the websites affected. There are many companies that offer this service and Dyn is one of the more popular ones. DNS is an essential component of the Internet and is responsible for translating names like “www.drexel.edu” into Internet Protocol (IP) addresses. Anytime you visit a website or click on a link, your computer does a DNS look-up to find the IP address of the server for that website. Without the IP address of the website, your computer is not able to reach the server. By attacking Dyn, the attacker was able to take offline DNS capability for many popular websites that rely on Dyn’s services.
Why did the outages start on the east coast and spread?
The attack came in three waves, the first wave hit Dyn’s East Coast DNS infrastructure. Dyn’s network is architected so your computer will try to reach the closest DNS server to you. Subsequent waves attacked Dyn’s infrastructure in other parts of the country.
If the vulnerability in the security of internet-connected devices — like home routers, cameras, home control/monitoring systems — how could these networks be better secured? Is their security dependent on the diligence of the end-users who set them up?
One of the sources of the attack was a botnet compromised of internet-connected devices or Internet of Things. Much has been reported about the security of the IoT, and the software used to build the botnet used in this attack was actually very simple. They scanned all the hosts on the Internet to find devices that still used the factory-set default passwords. While most people change default passwords on new devices, some devices are not set to prompt users to change them during the setup process. In addition, some of these devices are compromised by bugs in their software.
Unfortunately, the process of updating the software on these devices is not straightforward or in many cases fixed software may not even be available if the product is older. This insecurity exists because the device manufacturer doesn’t need to issue a fix, they are making new products and the user may not even know that their device is compromised. In most cases the device continues to operate as normal.
How could a person tell if his or her device was accessed and used in the attack?
The user can review the logs on the device, or look at the traffic leaving their network, but most of these techniques are not user-friendly. In general, if you still have the default password in place your IoT device has been, or will be compromised. This is especially true if that password is the default password for every device sold and hasn’t been changed during user setup.
Service providers, such as Comcast, do have ways to notify users that their networks are part of botnets. Comcast customers can go to this website from their home network to find out: https://amibotted.comcast.net
With the increasing popularity of internet-connected devices, how can something like this (or worse) be prevented going forward?
Many members of the cybersecurity community are advocating for government regulations on IoT manufacturers or some type of industry certification that consumers can see as a mark of trust — for example, an Underwriters Laboratories (UL) for the internet.
For media inquiries, contact Britt Faulstick, assistant director, media relations, firstname.lastname@example.org or 215-895-2617.