Explaining the DDoS Problem & its Origins, As Simply As I Can
You may have noticed the Internet is kind of broken today. I think this event will become a Big Deal, potentially remembered as the denial of service attack which led to regulation and more.
While we were discussing it over iMessage, a friend who doesn't follow Internet security (like, you know, a normal person) asked me to explain the above in English. I don't have time to polish it, but I could see this being helpful to others. So here's roughly what I wrote:
The iPhone launched, Android followed, and smartphones became big business. In under 10 years, roughly 30% of the world's population now has a smartphone. The amount of money flowing into making little devices with cameras, CPUs, WiFi, gyroscopes, touchscreens, batteries, and more boggles the mind.
The demand for smartphones drove the cost of their components way down. There are massive buildings in China filled with bins of components, which designers can pick up on the cheap to build a new toy. This is why almost all new device categories are basically reassembled smartphone guts with a twist: action cameras, fitness trackers, drones, hoverboards, webcams, and more. They're all plentiful and affordable because smartphone volumes are paying for their parts en masse.
Now there are hundreds of millions of these cheap devices all over the world which are comically undersecured and connected to the Internet. And none of the companies which shipped them want to (or can) fix them. (For many of them, the insecurities are baked into the firmware.)
Botnet makers have not missed the opportunity. They've developed simple hacks to remotely take over millions of devices, especially webcams and routers. These devices are perfect for botnets because they're online all the time and widely deployed.
Recently, the attacks from these botnets have started to reach critical limits, producing distributed denial of service attacks (wherein tons of devices all hit the same website or service as fast as they can, overwhelming it) that are several times larger than anything seen before.
This leap in strength has disrupted the tit-for-tat exchange between attackers and security firms. Security god Bruce Schneier (whom I've been cribbing from for these last few bullets. Read him!) writes, "Basically, it's a size vs. size game. If the attackers can cobble together a fire hose of data bigger than the defender's capability to cope with, they win. If the defenders can increase their capability in the face of attack, they win." The massive output of the factories, subsidized by smartphone parts and sold into a global marketplace of unaware buyers, has tipped this balance in favor of the attackers.
And it's already being used as a tool against inconvenient media. Security journalist Brian Krebs' site was hit with an attack so large that Akamai (one of the big content delivery and DDoS-protection providers, which had been shielding his site for free) dropped him. Krebs was saved by Google, which stepped in to protect his site, again free of charge. (Worryingly, Krebs' site is completely down at the moment, likely connected to the current attack.)
These weapons aren't just disruptively powerful, they're relatively easy to get hold of. It's distressing to consider the scale that could be produced by state-sponsored groups. Imagine that this Internet outage had hit more than the East Coast. Imagine it had hit on Election Day. (If there is a bright side to this attack, it is that it establishes some public awareness of the issue before it becomes something that could be politically construed.)
This attack is significant enough, and targets the right people (the media in NYC and politicians in DC), to garner attention from government. Because, sadly, it appears significant regulation, both requiring basic security features for devices and granting ISPs the power to block known-bad devices, is the only way to solve this challenge. Regulating who and what can connect to the Internet appears to be necessary but sets a worrying precedent.
In short: access to the Internet and the availability of specific sites is super vulnerable, there’s no easy fix, and the solution is bad.
There is a certain irony in Twitter being taken down by webcams, though.
(There are plenty of things I’d like to link to above but cannot now, due to the outage. Apologies)
Update: it really looks like this is a vendetta attack against Krebs and a researcher at Dyn, the company which is the main target of the attack. The attack kicked off hours after the two of them delivered a presentation highlighting one party's bad practices.
Update, November 8th, 2016: It appears we've been saved in an unexpected, yet totally fitting, way. The week of the US elections, hackers pointed the traffic cannon at the websites of both Hillary Clinton and Donald Trump, but failed to take out either. Why? Well, it turns out this particular botnet is too easy to access. Following the October 21st attack, many parties signed up the same insecure devices to do their bidding. Specifically, they wanted the botnet to attack various game hosting servers. With tons of users directing the same traffic cannon at their own pet targets, the effect of the weapon became severely diluted.
In a nutshell: the Internet lives another day because too many people wanted to grief Counter-Strike and Minecraft servers. You couldn’t script a more appropriate twist.