On Friday, huge swaths of the internet went either offline or was severely throttled through a massive Distributed Denial of Service (DDoS) attack on an unprecedented scale. While the information security experts work on forensically examining the attack to fully analyze it, here are a few inchoate thoughts about what this could represent:
This is the future InfoSec types have known for years that, at a fundamental level, the World Wide Web is either impossible or incredibly difficult to secure. Hackers and security researchers have discovered this and are locked into a highly technical arms race to figure out how to exploit and patch new vulnerabilities as they crop up. The structure of the web rests on servers that tell computers how to associate a domain name (such as joshuafoust.com) with a server IP address; the attack on Friday shut down a whole network of those servers, called Domain Name Servers, or DNS. And there were hints for a while that “someone” was probing the defenses of DNS and “backbone” services that make up the foundation of the internet. They found a weakness this time, and will find more in the future.
- It could have been a lot worse. The DNS that was targeted on Friday, Dyn, serves primarily news and tech websites, and it focused on the East Coast of the United States. It did not focus on, say, energy companies on the Gulf Coast (which would massively disrupt energy markets) or financial companies in New York. It did not target any government service, and it did not target television or radio broadcasters. This probably caused a few hundred million dollars’ worth of lost income, but the actual substantial damage will be relatively light.
- Attribution will be key. As the forensics researchers try to figure out who launched this attack, their identity will take on significant meaning. There are whispers about a state (like Russia or China) being behind it; or even a few states working together. It could also be a collective (such as people acting on behalf of Anonymous or LulzSec), or a loner who found a neat attack vector and wanted to see what would happen. But each of those groups carries with it a dramatically different response, ranging from “probably nothing” in the case of a lone scripter up to “full-spectrum counterattack” if it is a state like Russia.
- **Your Smart Home Is a Threat. **So far it looks like the massive attack came from compromised internet appliances like DVRs and CCTV cameras. These are part of a class of device called Internet of Things, or IoT: “smart” gadgets like lightbulbs, thermostats, refrigerators, picture frames, TVs, and so on, that are connected to the internet. Because they are manufactured to be easy to set up and use quickly, they are manufactured with very weak security. On average, an IoT device is compromised within six minutes of being connected to the internet. That means all of your smart home appliances are probably infected with malware and waiting to be deployed in a future botnet.
- Manufacturers Will not Help. Supply chains aren’t quite what you think. That smart lightbulb that was built by a European company and sold in the U.S. is actually made up of cheap internals manufactured at massive scale in somewhere like China (just like how Foxconn really builds your iPhone, not Apple). Friday’s DDoS attack was vectored through one of those Chinese subcomponent manufacturers, XiongMai Technologies, because they build cheap devices with an unfixable security hole (technical details here). There is no real way to address this sort of behavior without a substantial set of laws and regulations — moves which are resisted fiercely by the industry because of how they drive up costs and probably won’t fix the problem anyway.
- **Liability Isn’t Very Meaningful Here. **In theory, a chain of liability could be built into how IoT devices are secured: if a company sells products with defective security in place, they could be sued (which would establish monetary pressure to create more secure devices later on). But it’s not that straightforward, in part because of the subcomponent market, and in part because of the fundamental nature of connected components. Products ship with a default username and password; they have to, in order to be usable by a normal person (there are other schemes that might work, like manufacturing unique product keys the way Microsoft does with Windows, but again those are very expensive and given how easy it is to “crack” those product keys it probably wouldn’t work anyway). Reasonable people using devices reasonably cannot require technical expertise, such as making firewall exceptions or fiddling with port numbers, so any real market for these devices cannot have very strict security requirements. Don’t expect help from the government, either: from a legal perspective, requiring more security poses all kinds of unintended consequences, from inflexible standards to vague language about what “secure” means. So there probably won’t ever be a way to litigate standards, even if there might be a market for more expensive products that tout security as one of their luxury features.
- This Will Happen Again. Unlike normal computing devices like tablets, phones, and computers, there is no straightforward way to upgrade the software on an IoT device. Most of the devices already built and shipped simply don’t have that ability — and if they do, because of how insecure they are already, they can be further compromised anyway. That means that there are thousands, possibly millions of IoT devices sitting on the Internet waiting to be deployed in future DDoS attacks. Short of literally pulling the plug on everything built and shipped before a certain date (or issuing mandatory product recalls), there is no real fix for it. So plan on seeing your services taken offline again and again until more fundamental security is able to come online, and until the older, insecure devices break and need replacement.
That’s my first run of thoughts. What else do you have to add?