Like poor John Hurt’s character in Alien, the internet is infected with a monster that turned on its host. Instead of using the network to send propaganda videos, or dump emails, or destroy centrifuges, Friday’s attack harnessed thousands of connected devices to take down parts of the internet itself.
The basic pattern of a DDoS attack is nothing new: an attacker uses malware to recruit internet-connected computers into a globe-girdling robot army, which upon command overwhelm their target with unwanted requests. What’s changing is the tremendous growth in the Internet of Things, or IOT, the devices — from PCs to home routers to smart refrigerators — that we attach to the net. Far too many of these are installed with widely known factory-default passwords or other vulnerabilities, making them easy recruits for bot armies.
“The volume of DDoS attacks has more than doubled over the last 18 months. It’s now approaching 650 gigabytes a second. That’s only possible because they’ve been recruiting IOT devices,” said one government official with direct knowledge of the attack. “We need to have a deliberative conversation about baking in security as much as possible into Internet of Things devices.”
On Friday, at a signal from an as-yet-unknown party, thousands of internet-connected devices began sending waves of data at Dyn, one of the domain name server, or DNS, companies that link the internet’s backbone to the human-readable web. Hundreds of websites, including Twitter, the New York Times, Reddit and Amazon, went down for hours.
And yet this is likely just prelude to even larger attacks, said Chris Finan, a former White House cybersecurity advisor who now runs Manifold Technology, a cybersecurity firm.
“The way that they directed this at core infrastructure, there’s no reason they couldn’t scale this to a much broader attack,” Finan said. “The websites that they have taken offline today is still not the majority of what business uses in the U.S. If this was broadened, it could be crippling to businesses.”
Finan, who served from 2011-12 as the White House’s director for cybersecurity legislation and policy, said DNS vulnerabilities had always been “a concern.” But the overwhelming attacks made possible by huge sales of poorly secured IOT devices? “That is not the sort of thing that was appreciated as a near-term risk,” he said.
But the past month has brought warnings that this kind of thing was coming. In September, a record-breaking DDoS attack took down the website of cybersecurity researcher Brian Krebs. On Oct. 14, the Department of Homeland Security issued a warning that more such were coming. Cybersecurity expert Bruce Schneier even wrote about signs that someone — perhaps even a nation-state — was systematically probing for ways to take down the internet.
The good news is that internet service providers are learning to work with some of the big cloud-service companies to block the bots and restore access. “Clouds see more of the traffic” and can figure out where it’s coming from, the officials said. “That doesn’t mean [the attackers] won’t pick some new address range.”
In other words, service providers and bots are in trench warfare.
A new kind of cyberwar
The internet has long been a tool of groups seeking to sow discord or further their security interests. Think of the Islamic State, whose YouTube propaganda videos helped take Mosul with far fewer attackers than defenders. Or of Russia, who orchestrated the publication of emails stolen from the Democratic National Committee in an attempt to influence the U.S. election. Or even of the Stuxnet worm that destroyed Iranian centrifuges.
But worrisome as those activities all may be to the U.S. security establishment, they all still respect the fundamental system; they’re using the internet, not attacking it. It’s the latter that concerns the director of the U.S. National Security Agency, Adm. Mike Rogers.
“What happens when non-state actors stop viewing the internet, the World Wide Web, as a communication mechanism, as a mechanism to coordinate, as a mechanism to generate revenue, as a mechanism to spread their ideology and recruit, and they start viewing it as a weapon system?” Rogers said in Washington, D.C., last month.
Rogers was focused on non-state actors, like ISIS, that have little to “no interest in sustaining the status quo,” unlike nation-states that believe “there’s some benefit from the broad structures we’ve put in place to ensure stability over time.”
On Friday, NBC News cited a senior intelligence official as saying that the attack did not appear to be state-sponsored. yet others speculated that Russia was conducting a test run for disrupting Americans’ access to news on election day.
The FBI will head up the investigation into exactly what happened, and they have not yet named a culprit and no hard evidence has come to let yet naming an actor.
The official who spoke with Defense One said it had hallmarks of a government-sponsored effort.
“The comprehensiveness of this and the coordination of this indicates that this is probably nation-state backed, whether they are doing this themselves or someone else is doing it is unclear,” said the current official. “If you ask me to bet, I give it a 55 to 60 percent chance” it was Russia. “But there are other countries that would love to inflame the relationship between Russia and the United States and this is the perfect way to do that.”