Friday, October 21 will long be remembered as the day the Internet of Things crashed.

In the last thirty days, we’ve seen a number of DDOS attacks, each of which has been larger than the prior. The attack on Dyn, (a managed DNS service), was the largest yet, both in ferocity, as well as impact (Dyn’s customers include the likes of Twitter, Netflix, Phizer, SalesForce, T-mobile, LinkedIn and more).

While many have speculated that these highly sophisticated DDOS attacks  – which leverage the accessibility to millions of insecure devices (video cameras, baby monitors, etc.), known as the Internet of Things – must have its roots within a Nation State, no attribution for the Dyn attack has yet been possible.  The New York times reports that the FBI and DHS are examining the Dyn attack to determine attribution, be it criminal or nation state.

Can DHS or FBI do something?

Yes, they can.

They are investigating the Dyn DDOS and working to sort out attribution. It will be difficult given that all of Dyn’s datacenters (18) were hit by the DDOS which involved 10’s of millions of IP addresses.  DHS Science and Technology Cyber Security Division has entered into a number of contracts with various entities (valued in the millions of dollars) to create a DDOS Defense.  The fruits of their labor can’t come soon enough, as the DHS notes, “All organizations that rely on network resources are considered potential targets.

The FBI has been directed, per Presidential Policy Directive 41 (PPD-41) to work with DHS and the Director of National Intelligence in the face of cyberattacks impacting the networks in the United States. The FBI is the lead agency for responding to cyber incidents. Though many media outlets push the nation state theorem as controlling the hand on the DDOS attack, no evidence has evolved to support such. We may expect the FBI to be tight-lipped on the attribution, until such time as the individual(s) or entity(ies) behind the attack have been identified.

What is a DDOS?

A DDOS attack has one purpose – to deny access to a service, to make it unavailable. It is accomplished by overloading the bandwidth by sending ever increasing amounts of queries, causing the recipient’s server(s) to be overwhelmed and not accessible.

Dyn DDOS

Dyn stated their managed DNS infrastructure US-East region was interrupted from 11:10-13:20 (UTC) and that a second attack against the managed DNS platform, of a more globally distributed manner from 1550- 1700 (UTC).  Dyn notes that others no doubt saw and experienced spikes in latency globally.  To their credit, Dyn not only was on top of the incidents, Dyn continued to provide publicly available status updates as they mitigated the onslaught of DDOS attacks.

Prior DDOS of similar nature

Late-September 2016 French-based hosting provider OVH experienced what was then a record breaking DDOS attack.  OVH advised that the attack used 145,000 connected Internet of Things devices to pass simultaneous requests, reaching a volume of one terabit per second. The target of the attack was the websites hosted by OVH, not OVH itself, and affected internet users from the Southern European countries.

In mid-September 2016 noted cyber security investigative journalist Brian Krebs, of the website Krebs on Security, experienced a then record breaking, DDOS attack which was sustained for several hours. It also used the insecure devices within the internet of things.  Krebs ultimately took his website down until he could arrange and put in place a mitigation service to thwart future attacks. Attribution has not been confirmed, but suspicion is that supporters of an individual arrested as a result of Kreb’s good works were behind the attack.

Can anyone launch a DDOS leveraging the Internet of Things?

Sadly, the answer is yes. One does not need nation state acumen. Indeed, the source code for the internet of things botnet, called “MIRAI” has been released into the hacking community. According to Krebs, the malware spreads to vulnerable devices by continuing scanning the internet of things systems/devices protected by factory default or hard-coded usernames and passwords. Once identified the devices are then seeded with the software needed to make them into bots which can trigger looping requests to specific IP (internet protocol) addresses.

What can you do?

If you have devices which would fall into the rubric of the Internet of Things, and are connected to the internet, change the credential which allows you access – the password. If the password is hardwired, and the device is accessible via the internet, that your device is a candidate for manipulation and compromise and could be a part of the next DDOS attack.

Related News

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com