On Friday, October 21st, 2016, attackers began a series of Distributed Denial of Service (DDoS) attacks against one of the largest providers of Internet infrastructure services in the country.
All told, there were three separate DDoS attacks against the cloud-based Domain Name System (DNS) provider Dyn, beginning early in the morning on the east coast, with a second attack extending to the west coast around noon and a third and final wave hitting in the late afternoon.
Dyn described the attacks as “well planned and executed” and explained that the attacks were evolving even as they were working to combat them.
Some of the Internet’s biggest destinations were affected by outages, including Twitter, Reddit, Box, GitHub, CNN, PlayStation Network, PayPal, Spotify, Yammer, Kayak and many, many more.
While we don’t know much yet, security experts like Bruce Schneier don’t believe this was a government-sponsored attack. What experts do believe, however, is that the attack was enabled by a new and highly dangerous piece of malware called Mirai, which builds botnets out of compromised Internet of Things devices.
So what does this attack mean to you and your company, beyond yesterday’s attacks? Before we examine that, let’s take the 90 second course on DDoS, DNS and why Mirai is so dangerous.
DDoS, DNS and Mirai
Yesterday’s outage, as we’ve said, was caused by a Distributed Denial of Service attack, or DDoS, against a DNS provider. It’s important to understand those two things so that you can comprehend the threat Mirai poses.
First, let’s look at the Domain Name System, or DNS. DNS is a foundational piece of the Internet’s architecture: it translates the names people type, like example.com, into the numeric IP addresses that computers actually use to reach each other. Think of every domain out there as being a house on a street. Every house has an address, and the name of the person that lives there. Now, imagine you want to visit someone, and you have their name but not their address. DNS is like a directory that can send you to the right house based on the name of the person you want to visit.
Without that directory, you’ll never find the address of the house you want to go to with only the name of the person that lives there.
Let’s carry the analogy a bit further. Let’s say that there are only a few copies of that directory. To find the address you need, you must stand in line to read it. Normally, that’s not a big deal. But what if, when you get to that directory, there is a huge line in front of you? You must queue up behind millions of others, all trying to access the directory. Many people would “time out”; they would leave the line long before they got anywhere near it.
What if all those people standing in line in front of you are only there to keep others from looking at the directory? That’s a DDoS: a flood of requests, sent from many different machines at once, whose only purpose is to overwhelm the DNS servers so that legitimate lookups fail or time out. And because browsers and applications can’t connect to a site whose name they can’t resolve, the sites themselves appear to be down even though their own servers are perfectly healthy.
In the past, attackers built the botnets used for these attacks by infecting personal computers with malware. But generating a flood large enough to knock over a major provider that way means gaining control of an enormous number of machines.
But now, Mirai is on the scene. The source code for this malware was publicly released last month, and it’s going to make large DDoS attacks like yesterday’s easier to execute. Why? Because of the volume of Internet-connected devices it can compromise, and how quickly.
Mirai doesn’t go after your computer at all. Instead, every infected device continuously scans the Internet for other devices that expose Telnet, the decades-old remote-login service, and tries a short list of factory-default usernames and passwords against each one. The devices that fall to this are mostly cheap Internet of Things hardware: IP cameras, digital video recorders, home routers and the like, shipped with a default password that nobody ever changed. When a login succeeds, Mirai loads itself onto that device, which immediately joins the botnet, starts scanning for more victims and waits for attack orders. A reboot clears the infection, but unless the default password is changed and Telnet is closed off, the device is typically reinfected within minutes.
So, if, for instance, your house has a CCTV camera with Wi-Fi and an Internet-connected DVR, both still using the password they shipped with and both reachable from the Internet, your single home has provided two attack points that the bot herder controls, without a single one of your computers being touched.
Thanks to the rapid adoption of Internet of Things devices, attackers no longer need to compromise hard-to-reach PCs at all; hundreds of thousands of always-on, rarely patched devices with known default passwords give them a far larger attack volume for far less effort.
What This Means in the Enterprise
With the growing reliance on SaaS and PaaS applications in the enterprise, being unable to reach your applications in the cloud means a grinding halt to your business during a DDoS attack. And if your own domain’s DNS is hosted by the provider under attack, your website and mail become unreachable too, even though none of your own servers are affected.
At this point, there are two things companies can do to try to maintain continuity during massive attacks like yesterday’s.
First, be vigilant with your own security standards so that your network doesn’t become part of the problem. Inventory every Internet-connected device you own, including cameras, DVRs, printers and building-control equipment, not just servers and workstations; change every default password; block Telnet and other management interfaces from the Internet; keep firmware updated; and watch your outbound traffic for the telltale sign of an infected device, which is a single internal host opening connections to large numbers of unrelated Internet addresses on the Telnet port.
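The outbound scanning described above (in the Mirai explanation and in the first recommendation) is the easiest Mirai symptom to spot from the network side, because an infected device sends TCP SYNs to port 23 (and sometimes 2323) on a fresh Internet address roughly once a second. The following script is an added example, not code from the original post or from any vendor: it parses a constructed, simplified firewall/flow log (timestamp, action, source, destination, protocol, destination port) and flags any internal host that reaches more than a threshold of distinct external Telnet targets inside a sliding window. The log format, the threshold and the sample addresses are assumptions; adapt the parser to your own export.

```python
"""Flag internal hosts that behave like a Mirai telnet scanner (added example).

A Mirai bot finds victims by sending TCP SYNs to port 23 (occasionally 2323)
on large numbers of random Internet addresses. A LAN host that opens telnet
connections to dozens of distinct external hosts within a minute is therefore
a strong sign of infection. The log format below is a constructed,
simplified flow export: "<iso-timestamp> <action> <src> <dst> <proto> <dport>".
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}          # ports Mirai's scanner targets
WINDOW_SECONDS = 60                # sliding window length (assumption)
DISTINCT_TARGET_THRESHOLD = 20     # distinct external targets per window (assumption)

# RFC 1918 space; destinations here are internal and ignored by this check.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_line(line: str):
    """Split one log line into (timestamp, src, dst, proto, dport)."""
    ts, _action, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto, int(dport)


def find_telnet_scanners(log_text: str, window: int = WINDOW_SECONDS,
                         threshold: int = DISTINCT_TARGET_THRESHOLD) -> dict:
    """Return {source_ip: peak_distinct_targets} for sources over the threshold."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ts, src, dst, proto, dport = parse_line(line)
        except ValueError:
            continue                      # malformed line: skip rather than crash
        if proto != "TCP" or dport not in TELNET_PORTS:
            continue
        if is_internal(dst):
            continue                      # internal telnet is a different problem
        events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        recent = deque()                  # events inside the current window
        peak = 0
        for ts, dst in evs:
            recent.append((ts, dst))
            while (ts - recent[0][0]).total_seconds() > window:
                recent.popleft()
            peak = max(peak, len({d for _, d in recent}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample_log() -> str:
    """Construct a small fake flow log. 203.0.113.0/24 (a documentation range)
    stands in for arbitrary Internet hosts; no real traffic is represented."""
    base = datetime(2016, 10, 21, 11, 0, 0)
    lines = ["# ts action src dst proto dport"]
    # 192.168.1.10: an ordinary workstation, plus an admin telnet session to one host
    lines += [
        f"{base.isoformat()} ALLOW 192.168.1.10 93.184.216.34 TCP 443",
        f"{(base + timedelta(seconds=5)).isoformat()} ALLOW 192.168.1.10 8.8.8.8 UDP 53",
        f"{(base + timedelta(seconds=9)).isoformat()} ALLOW 192.168.1.10 192.168.1.1 TCP 23",
        f"{(base + timedelta(seconds=12)).isoformat()} ALLOW 192.168.1.10 203.0.113.200 TCP 23",
        f"{(base + timedelta(seconds=40)).isoformat()} ALLOW 192.168.1.10 203.0.113.200 TCP 23",
    ]
    # 192.168.1.50: an IP camera behaving like a Mirai bot, one SYN per second
    # to a new address, mostly port 23 with the occasional 2323
    for i in range(25):
        ts = base + timedelta(seconds=20 + i)
        port = 2323 if i % 10 == 0 else 23
        lines.append(f"{ts.isoformat()} ALLOW 192.168.1.50 203.0.113.{i + 1} TCP {port}")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, peak in find_telnet_scanners(build_sample_log()).items():
        print(f"{src}: {peak} distinct telnet targets within {WINDOW_SECONDS}s, likely a Mirai scanner")
```

The workstation’s repeated sessions to one external host never exceed a single distinct target, so only the camera is reported. Tune the window and threshold to your environment; legitimate hosts almost never open Telnet to dozens of different Internet addresses in a minute, so a low threshold is reasonable, but run it against a few days of your own logs before alerting on it.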
Second, be sure to have a contingency plan in place for business operations in the case of an outage. Are there applications that can be used locally while your SaaS applications are unavailable? Is an Internet or DNS outage part of your disaster recovery plan? Is your team trained on it? If your own domain is served by a single DNS provider, consider adding a second, independent authoritative provider so that an attack on one does not take your name offline. If these things aren’t in place, it’s time to fix that situation. Attacks like this are likely to increase in the months to come, and having your business at a complete standstill for hours is money lost.