Kirk Klasson

Revenge of the Thingies…

With the Dyn’s DDoS attack, the future of IoT just got much more daunting.

About a week ago, somebody, who remains at-large, launched an exploit of Internet of Things devices that deprived numerous users access to several prominent Internet sites. This type of denial of service attack was not new; in fact, prescriptions to remedy it are nearly as old as the Internet itself. What was different this time was the use of passive Internet connected devices and appliances to amplify the intensity and efficacy of the attack.

A Halo Connection?

The motivation for this attack is still fairly murky. Dyn or Dynamic Network Services, Inc is one of many Internet infrastructure components that provide DNS resolution services, on what now appears to be nearly exclusive basis, for access to popular commercial IP addresses. Why Dyn was selected isn’t altogether clear. Neither Dyn nor the sites it provides resolution for appear to be the object of extortion. Which convinced some folks that this wasn’t a real attack but a more of a dress rehearsal to determine what types of defenses might be encountered during a full fledge assault on the core DNS infrastructure that keeps the Internet up and running. Per the WSJ the NSA and the DHS can’t confirm that any state actors were behind this attack that led some security types to suggest that it might have been a group of merry pranksters that launched it. Turns out there is a history of similar attacks in the Gamer community. Gamers are very familiar with DNS/CDN behavior and are not above trying to tweak it if it might mean some kind of advantage. DNS’s handle inbound or ingress conversations. CDN’s augment outbound or egress fulfillment. Gamers are familiar with and rely on both. Both are subject to DDoS attacks. So there is some speculation that this was some kind of Gamer’s rogue tweak that somehow ran amuck but given the level of sophistication that’s probably unlikely.

To Whom am I speaking?

The attack employed is well understood but the execution was cleverly nuanced. Long ago, the Internet Society recognized the need for ingress filtering to guard against DDoS attacks and has used the Request for Comments (RFC’s) protocol to address these concerns. RFC’s go all the way back to ARPANET. And there are several RFC’s that directly address denial of service attacks and how they can be mitigated through various forms of network interrogation most notably RFC2827 concerning network ingress filtering.

Basically, someone who wants to go to a web site submits a request to their local ISP/DNS which in this instance was Dyn. The service inspects a bunch of headings that includes the source IP of the request originator and then hangs up or puts them on hold. Using the purported source address of the requesting party the service then calls back and, assuming the address wasn’t spoofed and they pick-up, begins asking some questions.

Are you a fax machine? A toaster? Have you ever been hijacked by open sourced malware? Are you now or have you ever been a Hungarian hacker that goes by the name of Carlos? How many times do you use TOR during any given week? (see The Apple of Sauron’s Eye – May 2012) You know, the kind of stuff you would normally ask a CCTV camera. If you don’t like the conversation, you hang up, cache the spoofed address and deny all further calls from that party.

There are any number of other techniques that can also be employed to mitigate such attacks. Service providers who pride themselves on being cloud-based entities should employ as many DNS providers as possible to provide alternative access to their sites. IoT device manufactures should insist that the default device passwords should be changed before the device is placed in service. DNS and ISP providers can insist on some form of ACL before honoring a request. Mundane stuff but it works. Private enterprises have been wrestling with these issues for years and making progress using various forms of multi-factor authentication. But private enterprises have the benefit of knowing who they are dealing with and using appropriate authentication protocols to permit ingress and ,increasingly, egress when it comes to data loss prevention. However, many internet-based businesses crave the engagement of anonymous, mobile users and consider authentication needlessly cumbersome and potentially annoying.

Rut row

Current precautions notwithstanding, the implications of this attack are ominous. Forbes reported that hackers are now selling hacker-controlled bot IoT devices like they used to sell stolen credit card numbers. At this point there is likely a race to identify and botinize as many devices as possible in order to make them part of a commercial hacker’s inventory along with a library of credentials for access and control. Throw in a free-range, open sourced exploit like Mirai and you’ve got yourself a recipe for a World War Z scenario.

Gartner estimates that by end of 2016 there will be over 6 billion IoT devices deployed and in use, over 20 billion by 2020, the majority deployed by less than meticulous, security minded consumers. Experts looking at the Dyn’s incident estimate that far fewer devices were involved, probably on the order of several thousand. So these attacks could scale exponentially and still not consume the number of potentially targetable botinized devices. Given current circumstances, it’s not difficult to imagine some sorcerer’s apprentice, half a world away, dropping code and waking up several million, if not billion, inanimate appliances that instantly attack the infrastructure that fronts the access to AWS, Azure, Google, and Oracle, the same infrastructure that supports the on-line presence of services like Twitter, Reddit, Spotify, and Github, along with a number of other entities that rely on these providers to conduct business on a daily basis. This would also be true for all the CDN’s that support the distribution of content. Probably something that didn’t come up before you committed to go all-in on public cloud service infrastructure. (see Forecast, Partly Cloudy – July 2010)

Don’t sweat the small stuff

Lots of experts have opined that the only way out of this mess is additional government regulation. Only question is whose government and what regulations? Local regulation of a global communications infrastructure isn’t a practical solution. An easier approach might be the adoption of industry standards enforced through firmware for any IP based device that would govern its access and authentication and that could be rendered void by a central authenticating authority. Any appliance that didn’t conform could be whitelisted into oblivion. Microsoft has already started to move in this direction.

What could possibly go wrong with that? Other than maybe somebody cracks that central authority’s credentials and hijacks all such devices under the largest ransomware scheme ever imagined.

What would you pay to get back your washing machine? Let’s see, average remaining useful life, total cost of ownership for replacement, blood pressure meds to deal with all this nonsense. Yep, $300 ought to cover it. Do the same calculation for every appliance you own.

Now multiply that by billions and there’s your business plan. Take that to Sand Hill Road and see what happens.

Happy Halloween! Don’t let this keep you up all night.


Graphic courtesy of SuZQ Art and Images

One Comment to "Revenge of the Thingies…"

  1. Irish says:

    This is actually helpful, thanks.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Insights on Technology and Strategy