Why Friday’s Massive DDoS Attack Should Be Terrifying
Friday’s massive DDoS attack made a number of hugely popular websites unavailable for much of the country for large parts of the day. Our service wasn’t directly affected by this incident, but the nature and scope of this attack is tremendously worrisome.
In a Denial of Service (DoS) attack, the perpetrator overwhelms a target company by flooding their service with so much phony traffic that their service is unable to serve authentic requests. Practically speaking, this renders the service unreachable for normal users. This can range from annoying (can’t stream “Game of Thrones”) to dangerous or even life-threatening (can’t see a patient’s drug allergies in the ER).
In a denial of service attack, the bigger pipe wins: if the attacker can generate more traffic than the victim can handle, the victim will be knocked offline. It’s pretty difficult to come up with a single pipe that can generate enough traffic to overwhelm a service like Twitter, so attackers increasingly turn to distributed DoS attacks.
In a distributed DoS (DDoS) attack, the attackers use a large number of computers, generating a larger request volume and making it harder to shut down (picture a game of whack-a-mole with hundreds of thousands of moles). Historically, this meant using sophisticated attacks to infect desktop computers (or a bunch of WordPress installs). Today, there’s no need to invest that much effort when cheap connected devices are ubiquitous. Connected security cameras, DVRs, and the like are often so insecure that even comparatively amateur attacks suffice. Friday’s attacks were perpetrated by thousands of cheap devices.
It’s unlikely that the myriad devices that make up the Internet of Things will get more secure naturally. The damage is already done: most of these devices can’t be easily upgraded by their users. Even if they could be field upgraded, why would the manufacturer invest in a security patch? They already got paid for those devices; investing in them would only further squeeze their minuscule margins. Bruce Schneier convincingly argues that it’s a problem of economics. In summary:
“The owners of those devices don’t care. Their devices were cheap to buy, they still work, and they don’t even know [the victim]. The sellers of those devices don’t care: they’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution because the insecurity is what economists call an externality: it’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.” — Bruce Schneier
This means these devices will continue to be vehicles for this type of attack for years to come.
One Target, Many Victims
Friday’s attack affected Netflix, Twitter, Spotify, AWS, Airbnb, Reddit, GitHub and many more companies at once. Many of these companies have invested in robust security infrastructure and have sophisticated security teams who are capable of responding to DDoS attacks. Compromising all of them simultaneously is remarkable. To attack them all head on would take an even larger army of devices than were used Friday. That’s what makes this attack so clever and scary: none of those companies were attacked directly.
The attacks targeted Dyn, one of the companies that power a critical part of the internet: DNS. This is worrisome because, for many services, DNS resolution represents a single point of failure. In other words, if DNS isn’t working, their service is unusable. DNS is a shared resource that almost all companies outsource, which means someone could cripple internet usage worldwide by targeting a relatively small number of companies. Think of this like the power grid; overloading a few key power stations could cripple an entire region.
An attack that cripples internet infrastructure could be devastating, and there is evidence that someone is learning what would be required to do just that by methodically identifying weaknesses in the backbone of the internet. There is no evidence that Friday’s attacks were carried out by the same group, but it’s worth noting that Friday’s attack was probably powered by Mirai, which is open source and was recently used in a similar attack. There is no secret formula that only a few brilliant hackers know; any motivated group could replicate this attack.
Not Directly Affected
Even if you weren’t directly impacted by Friday’s attack, there’s a good chance you still felt the pain. We had transient problems using important tools (like GitHub, PagerDuty, and Zenefits) that cost us productivity and could have impaired our response to a secondary attack. There are tons of great tools and services that make building and launching a software product easier than ever. With these benefits come risks, since the compromise of one popular product can have cascading or multiplicative effects. If AWS suffered a serious compromise, an entire generation of startups could be crippled, along with any businesses that depend on them.
While this attack did not affect our API’s availability, it is a sober reminder that the services we build and secure do not run in isolation. A system is only as secure as its weakest point. On Friday we saw how a service many take for granted, DNS, represents a single point of failure whose integrity may be outside your team’s control.
If you were unaffected by Friday’s attack, breathe a sigh of relief. But don’t take your security for granted. Do what we’re doing: put a critical eye on every component of your system. Question what you assume to be reliable, identify single points of failure, and develop a plan to protect yourself and your users.
[Editor’s note: this post first appeared on TrueVault’s blog.]