When IoT Attacks

On Friday morning I was awakened by my phone’s text alert.  It was the uptime monitoring system for Bob’s.  It’s not uncommon for less important devices, like the greenhouse webcam, to restart and show up as offline for a few minutes each week.  However, this alert was for our website.  It never goes offline!  We host our site on Squarespace, and their infrastructure is pretty bulletproof.  It turns out that there wasn’t anything wrong with their system either.  Instead, bobsmarket.com had been caught up in one of the largest DDoS attacks seen to date.  We were under attack!!! … kinda.

Dyn, one of the biggest DNS providers in the US, was under attack, making websites that rely on its service unreachable.  At Bob’s Market, we use Dyn as our DNS provider, hence our downtime.  Not to get too technical, but you can think of DNS (Domain Name System) as the internet’s phone book.  When you type “bobsmarket.com” into a browser, a DNS resolver (usually run by your ISP) asks the authoritative name servers for that domain, which Dyn hosts for us, to translate the name into the IP address where the site’s servers live, such as “198.49.23.145”.  The Domain Name System for the entire internet is a hierarchical structure like a tree.  Because every domain hosted at Dyn hands its lookups to Dyn’s servers, knocking those servers offline cut off a very big branch and all of the smaller branches attached to it at once.  Our Squarespace servers were up the whole time; visitors simply couldn’t find them.  One caveat: resolvers cache answers for a period set by each record’s TTL (time to live), so visitors whose resolver still had our address cached kept reaching the site until that cache expired.
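To make the “branch of the tree” picture concrete, here is a small added example (not code from Bob’s Market, Squarespace or Dyn; the resolver is a toy model and every domain, address, provider name and TTL is constructed) showing what a caching resolver does when one authoritative provider stops answering: cached answers survive until their TTL runs out, a domain served only by the dead provider then fails, and a domain that also lists a second provider keeps resolving.

```python
"""Toy model of what a caching DNS resolver sees when a domain's
authoritative DNS provider is knocked offline, as Dyn was.  Added
illustration, not code from Bob's Market, Squarespace or Dyn; every
name, address, provider and TTL below is constructed for the example."""


class Authoritative:
    """One authoritative DNS provider holding (ip, ttl) records for hostnames."""

    def __init__(self, name, records):
        self.name = name
        self.records = records   # {"www.shop.example": ("203.0.113.10", 300), ...}
        self.online = True

    def query(self, host):
        if not self.online:
            raise TimeoutError(f"{self.name} did not answer")
        return self.records[host]


class Resolver:
    """Caching resolver: answers from cache while the TTL lasts, otherwise
    asks each provider listed for the zone in turn."""

    def __init__(self, providers_for_zone, clock):
        self.providers_for_zone = providers_for_zone  # {"shop.example": [Authoritative, ...]}
        self.cache = {}                               # {host: (ip, expires_at)}
        self.clock = clock                            # callable returning seconds

    def resolve(self, host):
        now = self.clock()
        cached = self.cache.get(host)
        if cached and cached[1] > now:
            return cached[0], "cache"
        zone = ".".join(host.split(".")[-2:])         # crude zone cut: last two labels
        for provider in self.providers_for_zone[zone]:
            try:
                ip, ttl = provider.query(host)
            except TimeoutError:
                continue                              # try the next listed provider
            self.cache[host] = (ip, now + ttl)
            return ip, provider.name
        return None, "SERVFAIL"                       # no authoritative server answered


class FakeClock:
    """Manually advanced clock so the scenario is deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_outage_scenario():
    """Two constructed domains: one hosted only at provider A (like a
    Dyn-only customer), one hosted at A and B.  Returns a list of
    (elapsed_seconds, host, ip, answered_by) tuples."""
    clock = FakeClock()
    provider_a = Authoritative("provider-a", {
        "www.shop.example": ("203.0.113.10", 300),
        "www.store.example": ("203.0.113.20", 300),
    })
    provider_b = Authoritative("provider-b", {
        "www.store.example": ("203.0.113.20", 300),
    })
    resolver = Resolver({
        "shop.example": [provider_a],
        "store.example": [provider_a, provider_b],
    }, clock)

    log = []

    def lookup(host):
        ip, source = resolver.resolve(host)
        log.append((int(clock()), host, ip, source))

    lookup("www.shop.example"); lookup("www.store.example")   # t=0: a normal day
    provider_a.online = False                                 # the attack begins
    clock.advance(60)
    lookup("www.shop.example"); lookup("www.store.example")   # t=60: TTL still fresh
    clock.advance(540)
    lookup("www.shop.example"); lookup("www.store.example")   # t=600: cache expired
    return log


if __name__ == "__main__":
    for entry in run_outage_scenario():
        print(*entry)
```

Real resolvers do far more (negative caching, retries, the hierarchy above the zone), but the two knobs this toy exposes, the TTL on your records and whether your name servers live at more than one provider, are what decide how hard an outage like this hits a domain.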

The attack itself was a DDoS (Distributed Denial of Service) attack.  Unlike hacking (gaining unauthorized access to a server), a DDoS attack simply floods the target’s servers with bogus traffic until they are too overwhelmed to answer legitimate requests; for a DNS provider, that means DNS lookups arriving far faster than it can answer them.  Attackers use botnets, huge collections of computers taken over by malware, to send that traffic from many thousands of sources at once.  That is what makes it “distributed”: there is no single offending address to block.  It then comes down to a battle of sheer computing power and bandwidth.  For example, a lone server on a slow connection would be easy to DDoS, but a huge company like Dyn has the capacity to absorb massive floods of traffic.  They handle companies like Netflix after all!  So how was this botnet powerful enough to take out Dyn?
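As an added example (not from the original post; all traffic is synthetic), here is the most basic DoS defence, a per-source rate limit, run against two shapes of flood: one attacker sending everything from a single constructed address, and a botnet of 10,000 constructed devices each sending a modest 50 requests.  The limiter allows 10 requests per second per source over a 10-second window.

```python
"""Why 'distributed' matters: a per-source rate limit stops one loud
attacker but barely dents a botnet whose members each stay under the
limit.  Added example, not code from the original post; the traffic
below is synthetic and the addresses are documentation/private ranges."""
import ipaddress
from collections import Counter

WINDOW_SECONDS = 10


def lone_flooder(queries):
    """One constructed attacker sending `queries` requests from a single IP."""
    return ["198.51.100.7"] * queries


def botnet(bots, queries_each):
    """`bots` constructed devices, each sending `queries_each` requests."""
    base = int(ipaddress.IPv4Address("10.0.0.0"))
    ips = [str(ipaddress.IPv4Address(base + i)) for i in range(bots)]
    return [ip for ip in ips for _ in range(queries_each)]


def per_source_rate_limit(sources, max_per_window):
    """Count requests per source inside one fixed window and drop every
    request from a source once it exceeds max_per_window.
    Returns (requests_let_through, set_of_blocked_sources)."""
    seen = Counter()
    passed = 0
    blocked = set()
    for src in sources:
        seen[src] += 1
        if seen[src] > max_per_window:
            blocked.add(src)
        else:
            passed += 1
    return passed, blocked


def compare(max_per_second=10):
    """Run both attack shapes through the same limiter over one window."""
    limit = max_per_second * WINDOW_SECONDS
    results = {}
    for label, traffic in (("lone flooder", lone_flooder(50_000)),
                           ("botnet", botnet(10_000, 50))):
        passed, blocked = per_source_rate_limit(traffic, limit)
        results[label] = {"sent": len(traffic), "passed": passed,
                          "blocked_sources": len(blocked)}
    return results


if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label:13s} sent={r['sent']:>7d} passed={r['passed']:>7d} "
              f"blocked_sources={r['blocked_sources']}")
```

The limiter cuts the single attacker down to 100 requests but passes all 500,000 from the botnet, because no individual bot ever crosses the line.  That is what being distributed buys the attacker, and why the defence ends up being raw capacity plus smarter, behaviour-based filtering rather than blocking addresses.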

This was a botnet on steroids!  Everything today connects to the internet.  Thermostats, security cameras, TVs, refrigerators, even light bulbs, and many other devices have little computers in them that are connected to the internet.  We call it the Internet of Things (IoT), and it has become big business over the last few years.  The problem with these devices is that many are installed with the factory-default password still set (or, in some cases, a hard-coded password the owner can’t change at all), left reachable from the internet, and then never updated, sometimes for years.  Malware only has to scan the internet for such devices and try a short list of well-known default logins to take them over in huge numbers.
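The defender’s side of this is an inventory check.  Below is an added example (not code from the original post) that audits a constructed device inventory for the three weaknesses Mirai-class malware feeds on: a factory-default login, telnet reachable from the network, and firmware that has not been updated in over a year.  The default-login list here is a short constructed sample; two of its entries, root/xc3511 and root/vizxv, are drawn from Mirai’s published source, which carried roughly 60 such logins and tried them over telnet on TCP ports 23 and 2323.

```python
"""Audit a device inventory for the weaknesses Mirai-class malware feeds
on: factory-default logins, telnet exposed, firmware never updated.
Added example, not code from the original post; the inventory and the
(deliberately short) default-login list are constructed."""
from datetime import date

# Constructed sample of factory defaults of the kind Mirai tried.  The real
# Mirai list had about 60 entries; root/xc3511 and root/vizxv are two of them.
DEFAULT_LOGINS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("root", "root"), ("root", "12345"), ("root", "xc3511"),
    ("root", "vizxv"), ("support", "support"), ("user", "user"),
}
STALE_AFTER_DAYS = 365
MIRAI_SCAN_PORTS = {23, 2323}   # telnet ports Mirai's scanner targeted


def audit_device(device, today):
    """Return a list of finding strings for one inventory record.
    device: {"host", "user", "password", "open_ports", "firmware_date"}"""
    findings = []
    if (device["user"], device["password"]) in DEFAULT_LOGINS:
        findings.append("factory-default login still in use")
    exposed = MIRAI_SCAN_PORTS & set(device["open_ports"])
    if exposed:
        findings.append(f"telnet reachable on port(s) {sorted(exposed)}")
    age_days = (today - device["firmware_date"]).days
    if age_days > STALE_AFTER_DAYS:
        findings.append(f"firmware {age_days} days old")
    return findings


def audit_inventory(devices, today):
    """Map host -> findings, omitting devices with nothing to report."""
    report = {}
    for dev in devices:
        findings = audit_device(dev, today)
        if findings:
            report[dev["host"]] = findings
    return report


# Constructed inventory standing in for a small shop's network.
SAMPLE_INVENTORY = [
    {"host": "greenhouse-cam", "user": "root", "password": "xc3511",
     "open_ports": [23, 80], "firmware_date": date(2014, 3, 1)},
    {"host": "front-door-dvr", "user": "admin", "password": "c0rr3ct-h0rse-b4tt3ry",
     "open_ports": [2323, 443], "firmware_date": date(2016, 9, 1)},
    {"host": "office-thermostat", "user": "admin", "password": "Qk7!v2pLm9",
     "open_ports": [443], "firmware_date": date(2016, 10, 1)},
]
AUDIT_DATE = date(2016, 10, 21)   # the day of the Dyn attack


if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(host)
        for f in findings:
            print("  -", f)
```

Any device that trips the first two findings together is exactly what Mirai was built to find; fixing either one (a unique password, or telnet closed off from the internet) takes it out of the botnet’s reach, and the firmware check catches the “installed and forgotten” problem before the next worm arrives.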

This attack was, in part, powered by Mirai, a botnet of hacked DVRs and webcams.  This marks a new era in DDoS attacks, as more and more big-name websites are being forced to seek shelter behind the walls of a shrinking number of powerful DDoS protection companies.  As botnets like Mirai grow stronger, larger sections of the internet could be knocked offline during attacks.  It’s a bummer if you can’t tweet, but it’s a bigger bummer if you can’t do business.

In closing, this is a frightening prospect for smaller businesses, journalists, and individuals.  Smaller organizations simply don’t have pockets deep enough to protect against attacks of this nature.  This also makes DDoS attacks a tool of censorship for bad actors, or a tool for one business to attack another.  There is evidence that the Mirai botnet may in fact be a DDoS botnet for hire.  An even lower-risk business model for attackers is extortion, which has been on the rise over the last year: the attacker threatens to DDoS a site unless paid.  Are you ready for this war?