The good (and bad) news behind the Dyn DNS DDoS attacks

After a massive distributed denial-of-service attack targeted at Dyn DNS, companies are starting to respond and more details are being made public.

As I covered in The Dyn DNS attacks: What we know now, the massive attack knocked big-name websites offline, including Amazon services, Tumblr, Twitter, Reddit, Spotify and Netflix, among others. For those not familiar, Dyn DNS provides Domain Name Services, a sort of directory service for the Internet. When Dyn’s systems were hit with waves of bogus traffic, users couldn’t have their access requests for those sites resolved properly.

According to the analysis completed to date, much of the traffic generated in the DDoS (Distributed Denial-of-Service) attack was created using compromised IoT devices, including webcams and digital recording devices.

The Chinese firm Hangzhou Xiongmai Technology, one of the firms whose IoT devices were part of the attack, told Reuters that the company will recall the devices, including some surveillance cameras sold in the United States. “Liu Yuexin, Xiongmai’s marketing director, estimated the number of vulnerable devices at fewer than 10,000 to be recalled. He said the company would recall the first few batches of surveillance cameras made in 2014 that monitor rooms or shops for personal, rather than industrial, use,” according to the article.

Another firm, Dahua Technology, announced firmware patches and incentives for customers to trade in devices as part of their response. In a statement, Dahua Technology said:

As always, we have firmware updates available on the Dahua Wiki, and a dedicated channel for customers to ask questions about cybersecurity or report suspected vulnerabilities (cybersecurity@global.dahuatech.com).

Specific to this issue, we are offering replacement discounts as a gesture of goodwill to customers who wish to replace pre-January 2015 models. Dealers can bring such products to an authorized Dahua dealer, where a technical evaluation will be performed to determine eligibility.

In an analysis published Tuesday, security firm Flashpoint concluded that while the Mirai botnet malware was used in the DDoS attack, the botnet was managed separately from the command and control system used to attack Krebsonsecurity.com at an earlier date.

Flashpoint also believes that the attack was not the work of a nation-state or organized crime but was carried out by amateurs. And Dyn wasn’t even the target; a gaming network was.

“In its investigation of Dyn DDoS attacks, Flashpoint discovered that the infrastructure used in the attack also targeted a well-known video game company. While there does not appear to have been any disruption of service, the targeting of a video game company is less indicative of hacktivists, state-actors, or social justice communities, and aligns more with the hackers that frequent online hacking forums,” the authors, Allison Nixon, John Costello and Zach Wikholm, concluded.

So what is the good news and bad news?

The bad news first: A massive attack that crippled access to numerous big-name websites appears, so far, to have been conducted by amateurs – who may have misfired. The attack also appears relatively simple to pull off.

The good news, potentially, is that those who have the power to fix the situation going forward are taking notice. Physical recalls for manufacturers are expensive, and IoT device makers very likely want to avoid that financial pain. They would be wise to avoid designing and shipping products that can be easily hijacked in the future.


Comments

  1. Tim Coote says:

    You mean that there are some manufacturers of ‘IoT devices’ that either cannot be patched at all, or require informed user intervention to patch them?

    Believing that such devices are sell and forget is an interesting business model, and highlights the tension between Thing makers (who flog boxes) and Internet of Things service owners, who care about the cost of service/support, including the cost to end consumers.

    For the most part, the security economics seem to me to work best if the Things are as dumb as possible (smallest attack surface), and managed by the platform provided to the IoT service owners (better understanding of distributed systems’ security).
