Somebody finally did what internet experts have been
fearing for years.
That somebody was able to manipulate millions of
internet-connected dumb devices, like surveillance cameras and
DVRs, possibly by getting into their automatic software updates or
simply by guessing the devices' default passwords. Once that
password is known — most are never changed, and some may even be
hard-coded so they can’t be — virtually all the devices of that
type can be accessed and turned into bots.
Then at a predetermined time, all the devices sent pings over
the internet to one of the largest address look-up sites. What’s a
look-up site? Whenever we surf to a website, our browser quickly
and invisibly connects to an address look-up site, known as a
domain name server, to convert what we typed in, say
www.ABCNews.com, into a long numeric address that is necessary to
route you to the right place. But when the botnet flooded the
address look-up site with data in what’s known as a distributed
denial of service (DDoS) attack, nobody else could get through to
it. Thus, when people tried to connect to some websites, nothing
happened. The websites themselves were fine, but users couldn’t get
to them.
Most people’s eyes glazed over when they read news stories last
week about something happening to the internet. One reason for that
reaction was that the news accounts were filled with terms like
"Domain Name System," "distributed denial of service" and "the
internet of things" or, even worse, their abbreviations: DNS, DDoS
and IoT. In this case, the IoT DDoS-ed the DNS.
Whatever was going on, it did not seem to affect our lives, or
if it did, only as a small annoyance. Should we have paid more
attention? I think so, and here is why:
There had been lots of these denial of service attacks before,
but this one and a few others recently took advantage of the
rapidly increasing number of insecure, dumb devices connected to
the internet. Experts estimate there will be 50 billion such
devices within five years, and few of them can ever be made secure.
With that many easily hacked devices out there, these denial of
service attacks could become common, especially after
the source code for a large botnet, called Mirai, was released
online a few days ago. Analysts say Mirai was used in last week’s
attack.
The other truly disturbing aspect of these new attacks was that
they went after the address look-up system, which is insecure and
vulnerable. Going after this Achilles’ heel of the internet works
to block traffic even if the websites have been made very secure
from hacking.
There has been a lot of conjecture about who was behind these
recent attacks and why.
One fear is that all these massive attacks have been a trial run
for something much larger, perhaps on Election Day — something that
would stop almost all internet traffic in the U.S. Before last
week’s attack, U.S. intelligence agencies accused Russia of a host
of cyberattacks targeting political operatives and organizations.
President Barack Obama was reportedly planning a response to those
attacks. So one theory is that this large attack on the U.S.
internet on Friday was a Russian shot across the bow, a reminder
that the U.S. is very vulnerable to an escalating cyberwar.
But experts say DDoS attacks, even huge, well-planned ones, are
not impossible for amateurs, and another theory is that this one
could have been carried out by online gamers, who have purportedly
used such attacks to gain an advantage in competition. Separately, a hacking
group called New World Hackers claimed responsibility for the
attack online over the weekend, saying it did it to "test power,"
according to The Associated Press.
Whatever the answers turn out to be, these attacks prove that a
nation-state or other sophisticated group could launch a similar
attack on a larger scale and block large amounts of vital internet
traffic. Since much of our economy relies on internet connectivity,
the effect of such a major and sustained assault could be much more
than just a nuisance.
Almost 20 years ago, President Bill Clinton called on internet
companies to adopt a method to secure the DNS address look-up
system from attacks like these. Little was done. Maybe it is time
to think about doing it now.
While we are thinking about that, perhaps we should also think
seriously about securing those billions of dumb devices connected
to the internet. Otherwise, we might just rename it the internet of
insecure things.