(Falls Church VA – October 27 2016) Written by Sadiyq Karim, Vice President of Cybersecurity and Chief Technology Officer
The Internet outage experienced on Friday October 21st exposed the fragility of the basic building blocks of how we surf the web. The friendly names we use to access web sites like Amazon, Twitter, Netflix, and others are all part of an underlying Internet technology named Domain Name System (DNS), which traces its roots back to the U.S. Department of Defense ARPANET era during the late 1970’s. Back then each computer had to maintain a simple text file which mapped numerical IP addresses to friendly text names people could remember. It didn’t take long before that model proved to be too slow and not scalable so DNS was invented as a way to centralize these mappings in a way everyone could share.
Today, DNS still provides that critical mapping service but on a scale larger than its inventors probably imagined. In 2012 Google’s Official Public Blog indicated the company was servicing 70 billion DNS requests per day https://googleblog.blogspot.com/2012/02/google-public-dns-70-billion-requests.html . Open DNS, a free DNS service, shows between 70 billion and 100 billion DNS request per day (https://system.opendns.com/) , that’s just for one DNS provider. Fast forwarding to 2016, companies like Dyn offer robust DNS management services for organizations by allowing them to offload DNS requests from their internal infrastructure while provide global load balancing and other performance enhancements. Dyn promotes their DNS service for Internet Performance Management with the tag line “Manage the internet like you own it with the world’s best DNS” http://dyn.com/dns-for-ipm/ . With DNS providing the critical translation services for Internet users and the volume of DNS queries on the Internet on a daily basis it becomes clearer why attackers would target a DNS provider to generate a large scale Internet outage.
The personal and political motivations of why people would undertake such an endeavor are numerous. At a minimum these type of attacks make a clear statement: the Internet is fragile and its operation can be disrupted at any point in time. It’s been sometime since we last saw a large scale Distributed Denial of Service (DDoS) attack on the Internet. Over recent years cyber hackers have made a living exfiltrating data from companies and using it to extort monetary payments or expose hidden secrets. On the surface the Dyn attack may have just seemed like a disruption in service but based on the websites affected it’s clear it cost companies doing business on the Internet monetarily as well. One can only imagine how many orders Amazon may lose if access to their site is down or disrupted over a two hour period.
The Dyn attack is said to have involved millions of so-called bot-net devices. These are compromised devices on the Internet under the covert control of hackers. This attack was unique in that it is said to have exposed the Internet of Things (IoT) and the ability of hackers to use devices like web cameras, broadband devices, and other commodity Internet devices to generate the amount of traffic need for a large scale disruption. To put this in context a global DNS provider can anticipate the amount of traffic their DNS service must accommodate on a daily basis and plan accordingly for future growth based on historical precedents and empirical evidence. We know from some of the metrics quoted in this article DNS requests for a single DNS provider can easily reach 100 billion per day. Likewise, attackers can calculate the number of requests needed to overwhelm a DNS infrastructure by simply generating a factor of requests large enough to exceed a single provider’s infrastructure. The Dyn attack is said to have used the Mirai malware. This malware was specifically designed to target consumer devices like web cameras and home routers. Interestingly enough, in early October 2016 reports emerged of the release of the source code for the Mirai malware on the Internet (https://techcrunch.com/2016/10/10/hackers-release-source-code-for-a-powerful-ddos-app-called-mirai/). Once source code like this is released it can take as little as a few hours for accomplished hackers to easily expand its capabilities and put it to use. Each bot-net computer can generate multiple DNS requests and the attack. In Dyn’s blog post the company was quoted as saying, “we observed [tens] of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack”. http://hub.dyn.com/static/hub.dyn.com/dyn-blog/dyn-statement-on-10-21-2016-ddos-attack.html That figure should raise everyone’s eyebrows as it indicates that attackers had tens of millions of Internet devices infected and under their command and control.
While the FBI investigates this attack, and many others being reported on across media, one implication is clear, Internet users probably won’t be surprised next time they type in their favorite URL and there is no response.
Copyright 2016 Network Security Systems Plus. All rights reserved.