Jay Kesan | Publications

What do a security camera, a router, and a DVR have in common?  No, it is not that you need all three to re-watch Game 7 of the World Series. These are three types of Internet-connected devices that are blamed for a cyberattack that temporarily cut off millions of people from the Internet.                                                                            

On October 21st, a Friday morning like any other, Internet users across the country could not partake in their morning routines on popular websites like Twitter and Reddit. Users of Spotify and Netflix found their services interrupted. The problem was eventually resolved, but it left behind a lot of confused Internet users.

To understand what happened, you need to know a little about how the Internet works. The Domain Name System (DNS) is a core technology of the Internet.  It is like a phone book. When you type “google.com” into your web browser, your Internet Service Provider opens this metaphorical phone book and searches for google.com to find the website’s IP address. The IP address, and not the name, is what allows you to connect to a website.  If a website’s IP address cannot be resolved, you will get an error and will not be able to visit that site. But what if the website is online and its IP address is totally fine, but the phone book is missing?

That is basically what happened on October 21st. Specifically, attackers directed a distributed denial of service attack – a DDoS attack — at servers belonging to Dyn, one of the major providers of the domain name system infrastructure. When targeting a DDoS attack at a single website, the attacker typically has a network of computers under their command and control – called a botnet — that have been compromised by a computer virus. They then use the botnet to flood the target website with meaningless data until the servers are overwhelmed and knocked off-line.  It is, at its core, a fairly basic and unsophisticated attack.  That morning, the attack focused on Dyn’s DNS infrastructure, knocking their servers offline,thus severing the connection between millions of consumers and the websites that were listed in Dyn’s metaphorical “phone book.”

The human culprit of this attack is unknown and alleged to be Russian.  The technological culprit is the Mirai botnet, but rushing to update your antivirus software probably won’t help you right now.  Mirai works mainly through Internet of Things – IoT – devices, not ordinary personal computers. Manufacturers of IoT devices, from thermostats to fitness trackers to pacemakers, rarely spend much time enhancing the security of their products. Someone identified a vulnerability that made a lot of these devices susceptible to being taken over and used in DDoS attacks, and then wrote the code to exploit that vulnerability.

So what can be done?  Cool as it is to live in the future, where we can use smart phones to turn up the heat, switch on the lights, and even unlock our front doors, we need to consider what these devices are doing, and demand more security from manufacturers. One approach is for the government to impose security mandateson manufacturers of Internet-connected devices. Specific mandates may not be feasible because of the speed at which technology changes, but the National Institute for Standards and Technology – NIST – recently established a voluntary Cybersecurity Framework that can provide some guidance.Law enforcement and the technology sector will continue to work together to break up botnets.  But it remains difficult to identify and prosecute foreign cyber criminals, so the next best solution is to focus on lowering an attacker’s success rate.  This is an area where the government and private sector should work together to share vulnerability information with each other to identify cyber threats andbenefit our economy as a whole.

Author – Jay Kesan

Tagged on: