Back in September Bruce Schneier, an internationally renowned security technologist, wrote about hackers probing the internet for points of weakness in an attempt to have the ability to take the entire net offline.
A lot of people blew that article off at the time as unrealistic. That was before today’s attacks which temporarily took down some of the biggest names on the internet.
People have tried to do this before, attacking the root DNS (Domain Name System) servers — the yellow pages of the internet — and failing. DNS underpins all our web browsing, the glue that points us to each of our favorite internet websites.
What’s happening today is hackers are explicitly targeting a company called Dyn with denial of service attacks — where a large amount of corrupt data is sent to overwhelm a company. Dyn are a cloud-based Internet Performance Management company, who provide something called “DNS services” to their customers. If DNS is like a telephone book, where you type in Twitter.com and get directed to the correct internet server, Dyn is the host for about a quarter-million of these phone book entries. That’s why big websites like Twitter and Reddit are misbehaving today.
What has happened over the last few years is businesses have consolidated to professional managed DNS providers, ironically in part due to the difficulty in mitigating denial of service attacks. This has created new centralized platforms for hackers to target.
And they are being targeted. Within the past month there was a distributed denial of service attack which totalled over 1,000 gigabits per second of traffic. That’s more bandwidth than many countries have. It’s a staggering volume of traffic, multiple times more than anything seen previously. (In 2015, Arbor networks reported what was then the world’s biggest DDoS attack: 334 gigabits per second.)
This is aiming to become the new normal. It is extremely difficult and costly to defend against — only a small number of companies can do it currently.
These attacks are driven, in part, by the “Internet of Things”—devices such as CCTV cameras and DVRs being directly attached to the internet, with poor security. Attackers are hacking these devices, inside homes and businesses across the world, to create “botnets”—a herd of infected devices, which they can use to launch attacks. Criminals are also selling attacks from these botnets for cheap prices, allowing anybody with a wallet to launch attacks against targets.
There are many examples, but here is one. This is a map of undersea cables, connecting the internet together across countries:
On many of these cables, often laid a long time ago (the first submarine data cables were laid in 1850), bandwidth is limited. For example, the LION cable, — owned by Orange — which connects Madagascar, Réunion, and Mauritius, has a maximum capacity of 1,280 gigabits per second — and that bandwidth is divided up between landing spots and providers. These undersea cables are also extremely busy with day-to-day traffic. Which means, thanks to these new, super-sized denial of service botnets, we’ve reached the point where attackers can bring down nations. ,
In this case, it appears people are using botnets to attack DNS servers which host a large amount of websites. By private companies consolidating their websites into a small number of DNS providers, it is providing a unique way to attack core internet services.
Another issue is the attackers themselves. For example, the world’s largest sustained denial of service attack was against the website of Brian Krebs, an internally acclaimed security researcher and journalist. Akamai, his denial of service prevention provider, opted not to provide service to the website any more due to cost of mitigation. His website is now hosted by Google’s Project Shield, which aims to protect journalists from denial of service attacks.
At the time of the attack Brian Krebs was reporting on a denial of service operation, where two teenagers were selling denial of service “as a service” to anybody who would pay.
When you have small groups of people with enough firepower to significantly destabilize the internet — where Western economies are migrating towards — it becomes a situation which is not long term sustainable. Serious action needs to be taken by government and industry. In particular, Internet Service Providers need to seriously look into the kind of traffic they allow out of their network — for example spoofed packets — and governments may need to enforce in law requirements in this area.
Kevin Beaumont is a Security Architect for a large U.K.-based company, with 16 years of information security experience. This article was adapted from a piece originally posted to Medium.
