This article originally appeared in TidBITS on 2016-10-24 at 2:03 p.m.
The permanent URL for this article is: http://tidbits.com/article/16854

Massive DDoS Attack Blocks Access to U.S. Web Sites

by Jeff Porten

If you had any problems reaching Web sites on 21 October 2016, it likely wasn’t the fault of your Internet service provider, router, or computer. In the United States, it was the Internet itself that was partially broken [1].

The reason requires a bit of explanation. Mainstream news outlets reported that sites like Netflix and CNN were down (and I wonder how CNN reporters felt about posting a story on a Web site that couldn’t be reached), but that wasn’t quite true. The sites themselves were fine; the problem was that your computer didn’t know where to find them. If you picture these major sites as stores on a highway, the stores were still open, but the signs giving you directions to find them had been taken down.

In the Internet’s case, those signs are the Domain Name System, or DNS, which assigns memorable names to the numeric addresses that actually identify Internet locations. Go to http://www.cnn.com [2], and you’re relying on DNS to tell your browser that it’s actually 151.101.20.73; www.cnn.com by itself is meaningless to your browser and the Internet in general until the numeric IP address is retrieved.

DNS is extremely fast — a lookup that takes a tenth of a second is considered slow — and widely distributed. When you visit a domain, your Mac or iPhone first asks itself, “Do I already know where that domain is?” (That is, has your device visited it recently?) If not, the device queries the DNS servers that are entered in the network settings of your System Preferences or iOS Settings. Those servers do much the same thing, asking other DNS servers as needed — all of which results in your Mac or iPhone finding out where any domain is almost instantly, when everything is working properly.

Note that functional DNS servers are the second thing you need for this to work. The first is enough Internet bandwidth to reach those DNS servers in the first place.

Picture what happens if a major DNS server goes down. Millions of computers turn to DNS for more information every second. They’re relying on it either to have that domain memorized from a recent visit or to pass along the DNS request. If a DNS server can’t be reached within a reasonable amount of time, the request “times out” and your computer tries again with the next DNS server in its list; your Internet settings probably include two or more different servers to check. But if none of these DNS servers can come up with the information, you’re stuck.

If all of your DNS servers are at the same ISP, a network attack could take them all down, preventing you from loading any Web sites you hadn’t visited recently. Plus, if the DNS servers of a major Web site were attacked, that site would be unreachable unless you knew its numeric IP address.
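The lookup path described above, as a small simulation: the device checks its own cache first, then asks each configured server in turn, a timeout moves it on to the next server, and the lookup dead-ends when every server it knows is unreachable. This is an added example, not code from TidBITS or the article's author; the server names, providers, latencies and address records are constructed, and nothing here sends real DNS traffic.

```python
"""Simulated stub resolver: cache, server list, timeouts and fallback.

Added example for the lookup path described above; it is not code from
TidBITS or the article's author. Server names, providers, latencies and
address records are constructed, and nothing here touches the network.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TIMEOUT_SECONDS = 2.0  # constructed: how long the device waits before moving to the next server


@dataclass
class DnsServer:
    """A constructed recursive server: what it knows and whether it is reachable."""
    name: str
    provider: str
    records: Dict[str, str]
    latency: float           # constructed answer time in seconds
    reachable: bool = True   # False models a server swamped by attack traffic

    def query(self, domain: str) -> Optional[str]:
        """Return the address, None if the name does not exist, or raise TimeoutError."""
        if not self.reachable or self.latency > TIMEOUT_SECONDS:
            raise TimeoutError(f"{self.name} gave no answer within {TIMEOUT_SECONDS}s")
        return self.records.get(domain)


@dataclass
class StubResolver:
    """The device side: a local cache plus the servers from the network settings."""
    servers: List[DnsServer]
    cache: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def resolve(self, domain: str) -> Optional[str]:
        # Step 1: "Do I already know where that domain is?"
        if domain in self.cache:
            self.log.append(f"{domain}: answered from cache")
            return self.cache[domain]
        # Step 2: ask each configured server in turn; a timeout moves on to the next one
        for server in self.servers:
            try:
                address = server.query(domain)
            except TimeoutError as exc:
                self.log.append(f"{domain}: {exc}, trying next server")
                continue
            if address is None:
                self.log.append(f"{domain}: {server.name} says the name does not exist")
                return None
            self.cache[domain] = address
            self.log.append(f"{domain}: {server.name} answered {address}")
            return address
        # Step 3: every server timed out; the site may be up, but we cannot find it
        self.log.append(f"{domain}: no server reachable, lookup failed")
        return None


# Constructed records using RFC 5737 documentation addresses, not real sites.
RECORDS = {"www.example.com": "192.0.2.10", "news.example.net": "198.51.100.7"}


def make_resolver(same_provider: bool) -> StubResolver:
    """Two configured servers, either both at one provider or spread across two."""
    primary = DnsServer("ns1", "provider-a", RECORDS, latency=0.05)
    secondary_provider = "provider-a" if same_provider else "provider-b"
    secondary = DnsServer("ns2", secondary_provider, RECORDS, latency=0.08)
    return StubResolver([primary, secondary])


def outage_at(resolver: StubResolver, provider: str) -> None:
    """Model an attack that takes every server at one provider offline."""
    for server in resolver.servers:
        if server.provider == provider:
            server.reachable = False


def demo() -> None:
    single = make_resolver(same_provider=True)
    single.resolve("www.example.com")          # normal lookup, fills the cache
    outage_at(single, "provider-a")
    single.resolve("www.example.com")          # still works: answered from cache
    single.resolve("news.example.net")         # fails: both servers down, not cached

    spread = make_resolver(same_provider=False)
    outage_at(spread, "provider-a")
    spread.resolve("news.example.net")         # ns1 times out, ns2 answers
    for entry in single.log + spread.log:
        print(entry)


if __name__ == "__main__":
    demo()
```

Running `demo()` shows the two outcomes the text contrasts: with both servers at one provider, a recently visited site still resolves from cache during the outage while an unvisited one fails outright; with servers at two providers, the first times out and the second answers.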

As Americans famously learned from one of their senators, the Internet isn’t a truck, it’s a series of tubes [3]. Many laughs were had about that analogy, but it wasn’t entirely wrong: the ephemeral-seeming Internet is based on the physical network of wires, wireless, and fiber connections that connect everything to everything else. Each of these connections can handle only so much traffic.

If bad guys wanted to attack you electronically, they could try attacking your home routers or computers, looking for a vulnerability that would let them in. But it’s much easier to attack your bandwidth: if they send more traffic to your connection than it can handle, your router becomes overwhelmed. Legitimate requests get swamped in all of the junk traffic — none of your requests get out, and no genuine traffic can get in. This is called a “denial of service” (DoS) attack — the attack traffic isn’t trying to do anything; it’s causing damage just by existing. It’s like being hit with a firehose — water is not normally harmful, but it is when it’s being sprayed at you at high speed.

A DoS attack from a single computer is easy to detect and block. But when the attack comes from thousands or millions of computers simultaneously, it’s a major problem. This is called a “distributed denial of service”, or DDoS. That’s what happened Friday [4] to Dyn, a company that provides managed DNS service for major Web sites. As of Friday evening, three waves of DDoS attacks had been launched against Dyn [5].
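Why a flood from one computer is easy to spot while a distributed one is not, shown as detection logic run over a constructed connection log. A per-source rate rule flags the single noisy address immediately; the distributed flood keeps every address under that limit and only shows up when the aggregate rate is checked. This is an added example, not code from the article or from Dyn; the log format ("<epoch seconds> <source address>"), the addresses and the thresholds are all constructed.

```python
"""Request-rate detection over a constructed connection log.

Added example, not code from TidBITS or the article's author. The log
format ("<epoch seconds> <source address>"), addresses and thresholds are
all constructed to illustrate why a per-source rule catches a single-source
flood but an aggregate rule is needed to notice a distributed one.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

WINDOW_SECONDS = 10      # constructed: size of each counting window
PER_SOURCE_LIMIT = 50    # constructed: requests per window one address may send before it is flagged
AGGREGATE_LIMIT = 500    # constructed: requests per window the link comfortably carries


def parse_line(line: str) -> Tuple[int, str]:
    """Split a constructed '<epoch seconds> <source ip>' line into its two fields."""
    timestamp, source = line.split()
    return int(timestamp), source


def analyse(lines: List[str]) -> Dict[int, dict]:
    """Count requests per window and per source; return one verdict per window."""
    per_window: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        timestamp, source = parse_line(line)
        per_window[timestamp // WINDOW_SECONDS * WINDOW_SECONDS][source] += 1

    findings: Dict[int, dict] = {}
    for window_start, counts in sorted(per_window.items()):
        total = sum(counts.values())
        # Per-source rule: one address sending far more than its share.
        noisy_sources = sorted(src for src, n in counts.items() if n > PER_SOURCE_LIMIT)
        # Aggregate rule: the link is saturated even though no single source stands out.
        if noisy_sources:
            verdict = "single-source flood"
        elif total > AGGREGATE_LIMIT:
            verdict = "distributed flood"
        else:
            verdict = "normal"
        findings[window_start] = {
            "total": total,
            "distinct_sources": len(counts),
            "noisy_sources": noisy_sources,
            "verdict": verdict,
        }
    return findings


def constructed_log() -> List[str]:
    """Three windows: quiet traffic, one flooding address, then many addresses each sending once."""
    legitimate = [f"192.0.2.{i}" for i in (1, 2, 3)]   # constructed, RFC 5737 range
    lines: List[str] = []
    for t in range(0, 30):                              # background: 3 requests per second
        lines.extend(f"{t} {src}" for src in legitimate)
    for t in range(10, 20):                             # window 10: one address sends 30/s
        lines.extend(f"{t} 203.0.113.9" for _ in range(30))
    for i in range(600):                                # window 20: 600 sources, one request each
        lines.append(f"{20 + i % 10} 10.{i // 256}.{i % 256}.1")
    return lines


if __name__ == "__main__":
    for start, finding in analyse(constructed_log()).items():
        print(f"window {start:>2}s: {finding}")
```

The second window is the easy case: 300 requests from one address against a limit of 50. In the third window no address sends more than three requests, so the per-source rule stays silent, and only the total of 630 requests against a 500-request ceiling reveals that the link is being flooded; blocking it means filtering or absorbing traffic from hundreds of sources rather than one, which is the practical difference between DoS and DDoS the paragraph describes.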

Where do you find thousands or millions of computers to coordinate a DDoS? For that, you use a “botnet,” which is a network of compromised computers (sometimes called “zombies”) that have been taken over by malware, sometimes invisibly, so that they continue to work but also respond to requests for attacks from the people running the botnet. Historically, these computers have been desktop computers running old, insecure operating systems. Then mobile phones were added to the mix. Today, it’s also the Internet of Things, those network-connected devices that do stuff for you [6] while not being full computers. The teddy bear webcam that watches your infant could be contributing to a botnet, if its security features were easily circumvented. Bad guys can build their own botnets or rent them by the hour [7] to save themselves a lot of work. This rental market provides another incentive for botnet purveyors to increase the size of their botnets.

These botnets can unleash huge DDoS attacks. Internet connections are measured in bits per second; according to Akamai’s State of the Internet report [8], an average U.S. home connection ranges between 10.2 and 24.3 million bits per second. Meanwhile, the DDoS attack on security journalist Brian Krebs’s Web site was measured at 620 billion bits per second, while a subsequent attack on a French provider was over 1 trillion. Those kinds of numbers can bring down entire networks.

There’s not much that can be done about DDoS attacks. If you’re targeted by one personally, you have to rely on your ISP to help you fix it. If you run a business that might be targeted repeatedly (for purposes of extortion, for example), there are companies that sell attack protection products, including DDoS mitigation. You’re most likely to be affected the way you were last Friday: some major company crucial to the Internet’s functioning gets attacked, and associated sites become unreachable. But it’s a serious problem for any organization that’s targeted directly.

Looking forward, I believe we need two major attitudinal changes in government and business policy. The first is that we are still far too complacent with major companies shipping computers and Internet of Things devices that are overly vulnerable to being compromised and added to a botnet. Microsoft took significant heat from its corporate and government customers around the turn of the century, and now the company has one of the strongest security programs in the industry (see “Apple’s Security Past Defines Its Future [9],” 27 January 2011).

All operating system providers should be openly criticized for security holes that they allow to reach the public. Even more attention should be focused on Internet of Things device manufacturers, using public shaming if that’s enough to turn the tide, and with legislation if that’s what’s necessary to build a more secure Internet. We can’t expect the average consumer to determine whether a particular manufacturer makes secure devices; that should be the job of industry groups and regulators.

The second is something I’ve been thinking about since this year’s political hacks (see “On Hacking During the U.S. Presidential Campaign [10],” 6 September 2016). The United States is widely believed to have the most powerful cybersecurity attack and defense capabilities in the world. Why then is the general public usually left on its own? Numerous U.S. agencies [11] are dedicated to providing security aid to technical experts, but they do little to help individuals learn about these problems and protect themselves. Are you absolutely sure that you’ll never click a link in a phishing email? I’m not.

Attacks such as the one on Dyn demonstrate that we have both collective and individual problems with cybersecurity. It’s entirely possible that these cybersecurity issues could lead to national security concerns [12]. In my opinion, we should ask ourselves why we have the political will to build military cyberweapons and defenses, but still leave most individual Americans to fend for themselves.

[1]: http://www.usatoday.com/story/tech/2016/10/21/cyber-attack-takes-down-east-coast-netflix-spotify-twitter/92507806/
[2]: http://www.cnn.com/
[3]: https://en.wikipedia.org/wiki/Series_of_tubes
[4]: https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/
[5]: http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
[6]: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
[7]: https://www.incapsula.com/blog/unmasking-ddos-for-hire-fiverr.html
[8]: https://www.akamai.com/us/en/our-thinking/state-of-the-internet-report/
[9]: http://tidbits.com/article/11922
[10]: http://tidbits.com/article/16733
[11]: https://www.us-cert.gov/
[12]: https://www.schneier.com/blog/archives/2016/09/someone_is_lear.html