Updated: Today a vast army of hijacked internet-connected devices – from security cameras and video recorders to home routers – turned on their owners and broke a big chunk of the web.
Compromised machines, following orders from as-yet unknown masterminds, threw massive amounts of junk traffic at servers operated by US-based Dyn, which provides DNS services for websites large and small.
The result: big names including GitHub, Twitter, Reddit, Netflix, AirBnb and so on, were among hundreds of websites rendered inaccessible to millions of people around the world for several hours today.
We're told about a hundred thousand gadgets using millions of IP addresses were press-ganged into shattering the internet. A lot of these commandeered gizmos were running the Mirai malware, the source code to which is now public so anyone can wield it against targets.
Dyn tells us its services are coming back online after seeing out the storm and putting up new defenses. Here's what we know:
- Starting from 1110 UTC, a distributed denial-of-service attack knocked Dyn's DNS nameservers offline. This continued throughout the day in three independent waves as hackers targeted Dyn's data centers one by one, including its US East Coast facility. By 2037 UTC, the situation is said to be under control after mitigations were put in place to block ongoing attacks.
- Dyn is a crucial component in the internet's infrastructure because when you visit a website that uses Dyn's DNS servers, Dyn is supposed to help your browser or app find the right system to connect to. When Dyn goes down, your software can't find the website you want to visit.
- A spokesperson for US Homeland Security said the agency is "investigating all potential causes" of the mega-outage.
- Dyn's chief strategy officer Kyle York told The Register by phone that devices behind tens of millions of IP addresses were attacking his company's data centers.
- A lot of this traffic – but not all – is coming from Internet-of-Things devices compromised by the Mirai botnet malware. This software nasty was used to blast the website of cyber-crime blogger Brian Krebs offline in September, and its source code and blueprints have leaked online. That means anyone can set up their own Mirai botnet and pummel systems with an army of hijacked boxes that flood networks with junk packets, drowning out legit traffic.
- One online tracker of Mirai suggests there are at least 1.2m Mirai-infected devices on the internet, with at least 173,000 active in the past 24 hours.
- Mirai spreads across the web, growing its ranks of obeying zombies, by logging into devices using their default, factory-set passwords via Telnet and SSH. Because no one changes their passwords on their gizmos, Mirai can waltz in and take over routers, CCTV cameras, digital video recorders, and so on.
- York said the waves of attacks were separate and distinct – there are multiple bot armies out there now smashing systems offline. "We're expecting more," he added.
- Public DNS providers, such as Google and cable ISPs, that act as a go-between were also unable to reach Dyn's systems and were unable to resolve domain names for netizens. OpenDNS was the hero of the day, thanks to its smart caching of lookups: anyone having connectivity problems as a result of Dyn's outage should switch to using OpenDNS's public resolvers.
- Websites are moving away from Dyn to avoid any further downtime.
- Dyn has released some more details on the assault here.
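The point about OpenDNS's caching above: a recursive resolver that keeps answering from expired cache entries while the authoritative servers are unreachable (the behaviour later standardised as "serve-stale" in RFC 8767) keeps names resolvable through an outage like today's. The simulation below is an added illustration, not OpenDNS's or Dyn's code; the `Upstream` class, the `example.test` record and the fake clock are constructed for the example.

```python
import time

class Upstream:
    """Constructed stand-in for an authoritative nameserver that can be knocked offline."""
    def __init__(self, records):
        self.records = records      # name -> (ip, ttl_seconds)
        self.online = True

    def query(self, name):
        if not self.online:
            raise TimeoutError(f"no answer from authoritative server for {name}")
        return self.records[name]

class CachingResolver:
    """Recursive resolver cache. With serve_stale=True an expired record is still
    returned when the authoritative side times out, instead of failing the lookup."""
    def __init__(self, upstream, serve_stale=True, now=time.time):
        self.upstream = upstream
        self.serve_stale = serve_stale
        self.now = now              # injectable clock so the outage can be simulated
        self.cache = {}             # name -> (ip, expiry_time)

    def resolve(self, name):
        entry = self.cache.get(name)
        if entry and entry[1] > self.now():
            return entry[0], "fresh"          # TTL not yet expired: answer from cache
        try:
            ip, ttl = self.upstream.query(name)
        except TimeoutError:
            if self.serve_stale and entry:
                return entry[0], "stale"      # upstream down: reuse the expired answer
            raise                              # strict resolver: lookup fails
        self.cache[name] = (ip, self.now() + ttl)
        return ip, "fresh"

def simulate_outage(serve_stale):
    """Warm the cache, let the TTL expire, take the authoritative server offline,
    and report what a client gets back (None means the lookup failed)."""
    clock = [0.0]
    upstream = Upstream({"example.test": ("192.0.2.10", 300)})   # constructed record
    resolver = CachingResolver(upstream, serve_stale, now=lambda: clock[0])
    resolver.resolve("example.test")     # first lookup populates the cache
    clock[0] = 600.0                     # 300s TTL has expired
    upstream.online = False              # DDoS takes the nameservers down
    try:
        return resolver.resolve("example.test")
    except TimeoutError:
        return None
```

The cost of serve-stale is that a record changed during the outage keeps being answered with its old value until the authoritative server is reachable again, so it trades correctness for availability only while the upstream is unreachable.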
Infosec biz Flashpoint, which has been investigating the attacks with Dyn staffers, has shed more light on today's crippling assaults:
Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware. Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French internet service and hosting provider OVH. Mirai malware targets Internet of Things (IoT) devices like routers, digital video recorders (DVRs), and webcams/security cameras, enslaving vast numbers of these devices into a botnet, which is then used to conduct DDoS attacks. Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures associated with previous known Mirai botnet attacks.
While Flashpoint has confirmed that Mirai botnets were used in the October 21, 2016 attack against Dyn, they were separate and distinct botnets from those used to execute the DDoS attacks against “Krebs on Security” and OVH. Earlier this month, “Anna_Senpai,” the hacker operating the large Mirai botnet used in the Krebs DDoS, released Mirai’s source code online.
Since this release, copycat hackers have used the malware to create botnets of their own in order to launch DDoS attacks.
It is unknown if the attacks against Dyn DNS are linked to the DDoS attacks against Krebs, OVH, or other previous attacks. Given the proliferation of the Mirai malware, the relationship between the ongoing Dyn DDoS attacks, previous attacks, and “Anna_Senpai” is unclear.
As of 1730 EST, the attacks against Dyn DNS are still ongoing. Flashpoint is coordinating with multiple vendors and law enforcement to track the infected devices that constitute the botnet being used to conduct these attacks. Flashpoint will continue to monitor the situation to ensure that our clients are provided with timely threat intelligence data.
Chris Sullivan, general manager of intelligence at Core Security, also gave us some insight into today's meltdown:
This outage appears to have resulted from a new breed of very high volume DDoS, or denial-of-service attacks, that will be difficult to handle with the defenses that most enterprises have in place today. The really frightening part of this is not that we will be struggling with these new attacks for some time, but that the underlying weakness which makes them successful can and will be used to unleash more serious attacks that steal credit cards and weapons designs, manipulate processes like the SWIFT global funds transfers, and even destroy physical things like the 30,000 PCs at Saudi Aramco.
IoT devices are the very cheap computers that we use to control the heat, lights and baby monitor in your home or tell UPS when a truck needs service – some cost less than $1. Unlike your PC or your phone, IoT devices don’t have the memory and processing to be secured properly, so they are easily compromised by adversaries and it’s very difficult to detect when that happens.
This is what’s driving the new ultra-high volume DDoS attacks like we saw today. Ultra-large IoT botnets are instructed to make so many superfluous requests of the target that legitimate requests cannot get through. No real damage is done but service is denied for legitimate users. Maybe you can’t get to Twitter for an hour. But these same devices also have access to what we think are highly secured corporate, nation state and defense networks. They can be used to launch attacks on those networks from the inside where all of the next-generation firewalls, intrusion prevention and user-based analytics tools won’t even see them.
Companies should move immediately to get control of this situation both to protect themselves and because, in the wake of these new high profile events, it’s likely to be mandated by new law. What is required now is the deployment of systems that don’t try to control the IoT devices but rather watch and learn how they behave so that we can identify malicious activity and isolate them when necessary.
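Sullivan's prescription, watching how IoT devices behave rather than trying to manage them, can be made concrete with flow data from the network they sit on. The detector below is an added illustration, not Core Security's or Flashpoint's tooling; it runs over constructed flow records and flags the two behaviours the article attributes to Mirai bots: a device opening Telnet/SSH sessions to many distinct hosts (credential-guessing spread) and a device pouring junk packets at one destination (the flood itself). The device addresses, thresholds and record format are assumptions for the example.

```python
from collections import defaultdict

# Constructed flow records for illustration: (src_ip, dst_ip, dst_port, packets).
FLOWS = [
    ("10.0.0.21", "203.0.113.5", 443, 40),      # DVR checking in with its vendor cloud
    ("10.0.0.22", "203.0.113.9", 443, 12),      # IP camera, ordinary traffic
    ("10.0.0.23", "192.0.2.53", 53, 250000),    # router hammering one DNS server
]
# The same DVR then opens Telnet/SSH sessions to 40 distinct hosts: a bot spreading.
FLOWS += [("10.0.0.21", f"198.51.100.{i}", 23 if i % 2 else 22, 3)
          for i in range(1, 41)]

LOGIN_PORTS = {22, 23}   # SSH and Telnet, the services Mirai logs into

def login_scanners(flows, min_targets=10):
    """Source addresses that initiated Telnet/SSH connections to at least
    min_targets distinct hosts. A camera or DVR has no reason to do this."""
    targets = defaultdict(set)
    for src, dst, port, _ in flows:
        if port in LOGIN_PORTS:
            targets[src].add(dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)

def flood_sources(flows, max_packets=100_000):
    """Source addresses whose packet count towards a single (dst, port) exceeds a
    ceiling no legitimate IoT device should approach in the observed window."""
    volume = defaultdict(int)
    for src, dst, port, packets in flows:
        volume[(src, dst, port)] += packets
    return sorted({src for (src, _, _), n in volume.items() if n > max_packets})

def quarantine_list(flows):
    """Devices to isolate from the network until they are cleaned or re-credentialed."""
    return sorted(set(login_scanners(flows)) | set(flood_sources(flows)))

if __name__ == "__main__":
    print("scanning:", login_scanners(FLOWS))
    print("flooding:", flood_sources(FLOWS))
    print("isolate: ", quarantine_list(FLOWS))
```

Thresholds need tuning per network: a jump host legitimately talks SSH to many machines, so the scanner rule should be scoped to device classes (cameras, DVRs, routers) that never should.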
El Reg has been banging on about IoT security for ages: Mirai is now targeting cellular gateways. Not enough is being done to patch insecure gadgets. Do gizmos need some sort of security-warning labels? The blame here is not with Dyn. It is not even with the owners of the hijacked devices.
It lies with the botnet operators – and, perhaps more crucially, the dimwit IoT manufacturers who crank out criminally insecure hardware that can be compromised en masse. Particularly China-based XiongMai Technologies, which produces vulnerable software and hardware used in easily hijacked IP cameras, digital video recorders and network-attached video recorders. These crappy devices were at the core of today's attacks, according to Flashpoint.
Until there is a standards crackdown, and vulnerable devices are pulled offline, this will continue on and on until there is no internet left. ®