The Dyn Attack - How IoT Can Take Down the "Global Information Grid" Back Bone (Part I)

Oct 25, 2016 | by Peter Tran

digital-global-red-800x388

By Nick Murray and Peter Tran

Imagine that you are driving through downtown New York City (NYC) and only relying on your GPS for directions. All of a sudden, the GPS stops working and you are stuck in mid-town Manhattan traffic during rush hour. If you have ever tried to drive in NYC, you know it's easier to navigate a corn maze blindfolded than to attempt to navigate the complicated NYC streets.

A Domain Name System (DNS) is much like a GPS, in that DNS gets you from point A to point B online. While a GPS allows you to look up any destination in the world and find a path to that destination, DNS is your map, navigator, and transportation all rolled up in one, specifically for the internet. Behind every domain name is an intimidating looking series of numbers called an internet protocol (IP) address (Example: 172.217.0.XX) and it gets much worse with next generation addresses which may look something like (2606:2800:220:6d:26bf:1447:1097:XXX). The bottom line is it's much easier to remember a name (i.e. - Google dot com) rather than commit to memory a series of random numbers for every destination on the internet. DNS is the foundation that translates the domain name you type into your browser to the correct IP address and routes your request to the right place in real time. It just works, but when it doesn't, it becomes one of the most disruptive roadblocks for the web.

On October 21st, 2016, various media outlets reported multiple waves of Distributed Denial of Service (DDoS) attacks that targeted New Hampshire based-DNS provider Dyn, which led to the disruption of the company's ability to provide its subscribers with DNS services - resulting in massive issues for 17 of the top 100 most visited sites such as Twitter, Github, Reddit, AirBnB, Spotify, Soundcloud, Netflix and PayPal.

Reports by Dyn stated the first attack started at approximately 7 a.m. EDT and lasted approximately 2 hours, affecting primarily East Coast customers. Round two of the attacks started around 12 p.m. EDT and lasted about 1 hour, causing continued disruption issues. The third attack occurred between the hours of 3-4 p.m. EDT - and this attack was successfully mitigated by Dyn. The exact source of the attacks have not been confirmed yet, but Dyn has shared that one possible source of the attacks appears to be from "connected devices," infected by the Mirai malware botnet which sent millions of simultaneous internet requests to Dyn during each attack wave, thereby overwhelming their ability to route internet requests successfully.

What does this all mean? This attack underscores the seriousness and critical challenges facing IoT security, as the new attack surface for nation state hackers and cyber criminals leveraging the vulnerable nature of connected devices as weaponized attack force multipliers. By 2020, the number of IoT devices ranging from baby monitors to home DVR set top boxes is expected to grow to over 50 billion. This will add multiple layers of security complexity, not only for intrusive attack vectors on global internet dependent systems, but also paving the way for more disruptive and destructive attacks to take place. The Dyn attack may have been a precursor to larger, more sophisticated blind spot of targeting internet-dependent critical infrastructure systems such as banking, transportation, healthcare, logistics, retail, and the like. This event triggered such widespread concerns such that the U.S. Department of Homeland Security (DHS) convened an immediate coordination meeting of 18 of the top communications providers and in a special statement, plans to release its IoT security strategic plan in the coming weeks. If this attack was executed at scale on larger DNS providers, or with multiple DNS providers, then the results could be catastrophic. To put this into some perspective, if Google web services is disrupted for 5 minutes, approximately 40% of the global internet would be affected. There are more than one hundred DNS providers globally, with top providers such as Route 53, CloudFlare DNS, DYN DNS, Akamai DNS, and UltraDNS, providing backbone DNS to nearly 50 percent of the most globally visited sites on the web.

In the second part of this blog, we will dive deeper into the Dyn attack anatomy analysis, and will deconstruct how the IoT was weaponized leveraging the Mirai malware. Additionally, we will discuss IoT security strategies such as security and behavioral analytics "zoning" and "enclaves," and explain how connected devices are categorized, tested, grouped and compartmentalized into appropriate monitoring and detection zones aligned by function, backbone provider, and business applications. Stay tuned for more details!

Tags: Peter Tran, Research and Innovation, Advanced Cyber Defense, Cybersecurity, Internet of Things, IoT