Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

Massive DDoS Attack Blocks Access to U.S. Web Sites

If you had any problems reaching Web sites on 21 October 2016, it likely wasn’t the fault of your Internet service provider, router, or computer. In the United States, it was the Internet itself that was partially broken.

The reason requires a bit of explanation. Mainstream news outlets reported that sites like Netflix and CNN were down (and I wonder how CNN reporters felt about posting a story on a Web site that couldn’t be reached), but that wasn’t quite true. The sites themselves were fine, it was that your computer didn’t know where to find them. If you picture these major sites as stores on a highway, the stores were still open, but the signs giving you directions to find them had been taken down.

In the Internet’s case, those signs are the Domain Name System, or DNS, which assigns memorable names to the numeric addresses that actually identify Internet locations. Go to http://www.cnn.com, and you’re relying on DNS to tell your browser that it’s actually 151.101.20.73; www.cnn.com by itself is meaningless to your browser and the Internet in general until the numeric IP address is retrieved.

DNS is extremely fast — a lookup that takes a tenth of a second is considered slow — and widely distributed. When you visit a domain, your Mac or iPhone first asks itself, “Do I already know where that domain is?” (That is, has your device visited it recently?) If not, the device queries the DNS servers that are entered in the network settings of your System Preferences or iOS Settings. Those servers do much the same thing, asking other DNS servers as needed — all of which results in your Mac or iPhone finding out where any domain is almost instantly, when everything is working properly.

Note that functional DNS servers are the second thing you need for this to work. The first is enough Internet bandwidth to reach those DNS servers in the first place.

Picture what happens if a major DNS server goes down. Millions of computers turn to DNS for more information every second. They’re relying on it either to have that domain memorized from a recent visit or to pass along the DNS request. If a DNS server can’t be reached within a reasonable amount of time, the request “times out” and your computer tries again with the next DNS server in its list; your Internet settings probably include two or more different servers to check. But if none of these DNS servers can come up with the information, you’re stuck.

If all of your DNS servers are at the same ISP, a network attack could take them all down, preventing you from loading any Web sites you hadn’t visited recently. Plus, if the DNS servers of a major Web site were attacked, that site would be unreachable unless you knew its numeric IP address.

As Americans famously learned from one of their senators, the Internet isn’t a truck, it’s a series of tubes. Many laughs were had about that analogy, but it wasn’t entirely wrong: the ephemeral-seeming Internet is based on the physical network of wires, wireless, and fiber connections that connect everything to everything else. Each of these connections can handle only so much traffic.

If bad guys wanted to attack you electronically, they could try attacking your home routers or computers, looking for a vulnerability that would let them in. But it’s much easier to attack your bandwidth: by sending more traffic to your connection than it can handle, your router becomes overwhelmed. Legitimate requests get swamped in all of the junk traffic — none of your requests get out, and no genuine traffic can get in. This is called a “denial of service” (DoS) attack — the attack traffic isn’t trying to do anything, it’s causing damage just by existing. It’s like being hit with a firehose — water is not normally harmful, but it is when it’s being sprayed at you at high speed.

A DoS attack from a single computer is easy to detect and block. But when the attack comes from thousands or millions of computers simultaneously, it’s a major problem. This is called a “distributed denial of service”, or DDoS. That’s what happened Friday to Dyn, a company that provides managed DNS service for major Web sites. As of Friday evening, three waves of DDoS attacks had been launched against Dyn.

Where do you find thousands or millions of computers to coordinate a DDoS? For that, you use a “botnet,” which is a network of compromised computers (sometimes called “zombies”) that have been taken over by malware, sometimes invisibly, so that they continue to work but also respond to requests for attacks from the people running the botnet. Historically, these computers have been desktop computers running old, insecure operating systems. Then mobile phones were added to the mix. Today, it’s also the Internet of Things, those network-connected devices that do stuff for you while not being full computers. The teddy bear webcam that watches your infant could be contributing to a botnet, if its security features were easily circumvented. Bad guys can build their own botnets or rent them by the hour to save themselves a lot of work. This rental market provides another incentive for botnet purveyors to increase the size of their botnets.

These botnets can unleash huge DDoS attacks. Internet connections are measured in bits per second; according to Akamai’s State of the Internet report, an average U.S. home connection ranges between 10.2 and 24.3 million bits per second. Meanwhile, the DDoS attack on security journalist Brian Krebs’s Web site was measured at 620 billion bits per second, while a subsequent attack on a French provider was over 1 trillion. Those kinds of numbers can bring down entire networks.

There’s not much that can be done about DDoS attacks. If you’re targeted by one personally, you have to rely on your ISP to help you fix it. If you run a business that might be targeted repeatedly (for purposes of extortion, for example), there are companies that sell attack protection products, including DDoS mitigation. You’re most likely to be affected the way you were last Friday: some major company crucial to the Internet’s functioning gets attacked, and associated sites become unreachable. But it’s a serious problem for any organization that’s targeted directly.

Looking forward, I believe we need two major attitudinal changes in government and business policy. The first is that we are still far too complacent with major companies shipping computers and Internet of Things devices that are overly vulnerable to being compromised and added to a botnet. Microsoft took significant heat from its corporate and government customers around the turn of the century, and now the company has one of the strongest security programs in the industry (see “Apple’s Security Past Defines Its Future,” 27 January 2011).

All operating system providers should be openly criticized for security holes that they allow to reach the public. Even more attention should be focused on Internet of Things device manufacturers, using public shaming if that’s enough to turn the tide, and with legislation if that’s what’s necessary to build a more secure Internet. We can’t expect the average consumer to determine whether a particular manufacturer makes secure devices; that should be the job of industry groups and regulators.

The second is something I’ve been thinking about since this year’s political hacks (see “On Hacking During the U.S. Presidential Campaign,” 6 September 2016). The United States is widely believed to have the most powerful cybersecurity attack and defense capabilities in the world. Why then is the general public usually left on its own? Numerous U.S. agencies are dedicated to providing security aid to technical experts, but they do little to help individuals learn about these problems and protect themselves. Are you absolutely sure that you’ll never click a link in a phishing email? I’m not.

Attacks such as the one on Dyn demonstrate that we have both collective and individual problems with cybersecurity. It’s entirely possible that these cybersecurity issues could lead to national security concerns. In my opinion, we should ask ourselves why we have the political will to build military cyberweapons and defenses, but still leave most individual Americans to fend for themselves.

 

READERS LIKE YOU! Support TidBITS by becoming a member today!
Check out the perks at <http://tidbits.com/member_benefits.html>
Special thanks to Walter M, William Porter, Keith Kaiser, and
Ferdinand Fuchs for their generous support!
 

Comments about Massive DDoS Attack Blocks Access to U.S. Web Sites
(Comments are closed.)

as.thompson  2016-10-24 21:20
OK. SO we know "what."
But "why" was it done? What resulted that was beneficial to the attackers?
Jeff Porten  An apple icon for a Friend of TidBITS 2016-10-24 23:22
I don't think we know that yet; I haven't seen any public speculation. There's Schneier's link at the end of the article, speculating that some actors are stress-testing the Internet at large. Krebs believes that the attacks on his site and OVF were inspired by the fact that both were doing research on malware authors and botnets.
Josh Centers  An apple icon for a TidBITS Staffer 2016-10-25 12:16
No one knows for sure, because we don't even know who perpetrated it. I've read some speculation that it was a test for some sort of election day shenanigans, presumably by the Russians, but that's purely speculation with no factual basis. Frankly, I don't see how a DDoS would affect an election much.
Jeff Porten  An apple icon for a Friend of TidBITS 2016-10-25 12:42
If they can bring down email and chat networks, or slow access to GPS and distributed databases, that could affect GOTV efforts. See my link in the Hack article about the problems Romney's campaign had.
Dennis B. Swaney  2016-10-24 22:35
Too bad it won't stop the IoT craze. It was millions of IoT units like baby monitors, thermostats (like Nest), etc. that were used for the attacks.
Are you suppose to be able to just enter the IP address in the web browser URL and it will work? Because I tried plugging in the CNN IP address and it didn't work...would be nice to have a back up plan for browsing if there was a massive DNS attack. Thanks!
Jeff Porten  An apple icon for a Friend of TidBITS 2016-10-24 23:26
It *might* work—you'll make a connection to the computer at that IP address. But some web servers only respond to specific URLs, so it's not guaranteed. And since most major websites make subsequent connections to dozens of other sites to build their pages, those will all fail if there's no DNS.
Edward Wood  2016-10-25 12:25
this attack is,in part, an indictment of those suppliers of components of 'the internet of things"who are way more interested in profits than security. A recent story of tests run on remote controlled door locks where 11 out of 12 locks were easily hacked demonstrate the point. When advised of the problem, the majority of the suppliers were aware of the problem but had no plans to fix it.

How long will iy take the powers that be to get off there butts and demand security in all products reachable via the internet.

Gary Schroeder  2016-10-25 19:16
I read over the weekend (don't remember where) that someone at a previously unheard of hacking group said that they perpetrated the attack as a test to see if it would work in preparation for a much larger attack on the Russian government in retaliation for their hacks of the Democratic National Committee and Clinton's campaign manager. If true (not likely but possible) things could get very interesting.