Assessing the Damage of Last Week's Powerful DDoS Attack
The damage from last week's distributed denial-of-service attack suggests it was the most powerful to date, and it could be a precursor to an even more sustained attack. A bipartisan committee of senators formed over the summer wants answers, but some critics want the government to act more swiftly. The incident also puts a spotlight on the vulnerability of Internet of Things-based components, ranging from sensors on gas meters to IP-connected webcams and thermostats. There are currently 6.4 billion IoT-connected devices in use, and that figure is expected to grow to 20 billion by the year 2020, according to Gartner's most recent forecast.
DNS provider Dyn, attacked by the Mirai botnet, was overwhelmed last week by the massive DDoS attack. Dyn is one of a handful of DNS providers attacked last week. The operation brought down or interrupted hundreds of sites last Friday, including Amazon, Netflix, Reddit, Twitter and Spotify. It also brought down services that enterprises rely on, including Okta's single sign-on cloud service, Box, GitHub and Heroku.
The source is still not known. But according to an analysis by Flashpoint, it didn't have the characteristics of a nation-state attack. The action took advantage of security flaws in IoT-based components provided by China-based XiongMai, which responded this week by recalling millions of its devices. Dyn's EVP of Products Scott Hilton on Thursday described the intensity of the attack in a company blog post. While his team is still analyzing the data, he believes the botnet traffic came from as many as 100,000 endpoints, and he noted reports that packets were arriving at rates of up to 1.2Tbps, though that remains unverified at this time.
"Early observations of the TCP attack volume from a few of our datacenters indicate packet-flow bursts 40 to 50 times higher than normal," he stated. "This magnitude does not take into account a significant portion of traffic that never reached Dyn due to our own mitigation efforts as well as the mitigation of upstream providers."
Hilton described it as a complex and sophisticated attack that used targeted and masked TCP and UDP traffic over port 53. It generated compounding recursive DNS retry traffic, he noted, adding that this further intensified its impact. Hilton confirmed that the Mirai botnet was the primary source of the attack and that Dyn is working with authorities conducting criminal investigations.
In addition to law enforcement, Democratic U.S. Sen. Mark R. Warner, a member of the Senate Select Committee on Intelligence, who joined Republican Cory Gardner of Colorado over the summer in forming the bipartisan Senate Cybersecurity Caucus, wants answers and issued a statement calling for better protections. Warner called on three federal agencies -- the FCC, FTC and Department of Homeland Security's National Cybersecurity & Communications Integration Center (NCCIC) -- to provide information on the tools available and needed to prevent attacks from flaws in consumer devices and IoT components, including IP-based cameras, connected thermostats and other products that have connectivity. An FCC spokesman said the agency is still reviewing Warner's letter.
In his letter to FCC Chairman Wheeler, Warner questioned what can be done about the fact that consumers aren't likely to change passwords in their IoT devices (and whether that is even an option). One implication was perhaps mandating improved software that enables automatic firmware updates. Warner also questioned the feasibility of enabling ISPs "to designate insecure network devices as 'insecure' and thereby deny them connections to their networks, including by refraining from assigning devices IP addresses? Would such practices require refactoring of router software, and if so, does this complicate the feasibility of such an approach?"
Morey Haber, VP of Technology at BeyondTrust, in a blog post earlier this week, called on Congress to come up with legislation that would put security requirements on all IoT devices. Haber believes the legislation should put the following requirements and restrictions on all IoT and Internet-connected devices:
- Internet-connected devices should not ship with common default passwords
- Default administrative passwords for each device should be randomized and unique per device
- Changing of the default password is required before the device can be activated
- The default password can only be restored by physically accessing the device
- The devices cannot have any administrative backdoors or hidden accounts and passwords
- The firmware (or the operating system) of the device must allow for updates
- Critical security vulnerabilities identified on the device for at least three years after last date of manufacturer must be patched within 90 days of public disclosure
- Devices that represent a security risk that are not mitigated or fail to meet the requirements above can be subject to a recall
Gartner analyst Tim Zimmerman last month called on IT organizations to address these proposed issues throughout all their infrastructure and software. Haber also believes the legislation is critical. "I think last Friday was just a test. I think it was just a huge warning," Haber said. "It was minuscule compared to what could have happened and that could result in huge financial losses and other implications." While praising XiongMai's recall, Haber also warned that "unfortunately, this is just one device of many from doorbells to baby monitors that have the same type of problem."
Posted by Jeffrey Schwartz on 10/28/2016 at 7:44 AM