Authored by Casper Manes
Considering the magnitude of the recent DDoS attack on Dyn, that almost brought down the internet, all sysadmins must take action to prevent their devices from taking part in future attacks.
As many of you might have noticed, at least from the news headlines, a few weeks ago there was a huge internet outage that impacted availability of dozens of major sites, including popular ones like Twitter, Reddit, CNN, the Guardian, and many others. This was a result from a devastatingly simple attack on one of the main providers of core services underpinning of the Internet.
Dyn, one of the major providers of DNS services on the Internet, with customers ranging from end users to some of the most recognizable names on the web, experienced what may prove to be the largest Distributed Denial of Service (DDoS) attack in history, with a reported attack strength of 1.2Tbps. While Dyn was the target, potentially millions of people were victims. Unfortunately, many of those victims were also unwitting accomplices in the attack.
What really happened?
I called the attack simple, because at its heart, a DDoS attack is simple. To execute such a Denial of Service attack, you simply need to overwhelm the target with so many requests that it is unable to service valid ones. When the target has more computing resources than you can attack with, you need to leverage others in a distributed fashion, causing a DDoS. DDoS attacks are nothing new, but this particular one has several features that make it an historic event.
We all know how critical a high performing and responsive DNS is for all users of the Internet. By attacking one of the core providers of DNS services, the attack rendered dozens of marquee brands inaccessible, including Amazon, Netflix, PayPal, Spotify, and more, with an untold number of smaller sites. Odds are pretty good that many you use at least one of those companies on a regular basis, and if you are on the East Coast of the United States, you probably felt the impact of the first wave. There were as many as three coordinated attacks, with the second having more global impact and the third being successfully defended against.
Who were the attackers?
Several different groups have either claimed responsibility, been accused, or at least didn't deny allegations for responsibility, but we want to look at the participating nodes in the attack, rather than the mastermind who coordinated them. Because not only was the target new and high impact, but the method of attack was too. DDoS attacks are nothing new, but this attack leveraged the Mirai botnet, one of the many pieces of malware out there infecting untold numbers of systems. But in this case, based on the logs Dyn collected, we can tell that the number is at least 100,000 malicious nodes. The attack was compounded by legitimate DNS clients retrying their queries, and that number rose into the tens of millions.
What makes Mirai particularly unique is that it can compromise any number of devices, typically associated with the Internet of Things, to make them unwitting zombies and participants in a DDoS attack. Whether these are webcams, DVRs, programmable thermostats, temperature or light sensors, or any other IoT devices, they are all running a stripped down and optimized version of Linux which is built for simplicity of setup, not security. And when a user downloads an infected file and the Mirai malware executes, it scans the local network for devices it can recognize and attack, using known vulnerabilities and default passwords. Once it is in, that cool IoT device is now a zombie just waiting for orders to attack.
What's new about this?
The scale of this attack, and the fact that it used devices we're normally not taking care of, makes it a real wake-up call for IT administrators, but also for various IoT device users in general. Think not only about the flaws in your patch management strategy at work, but more about the complete lack of patch management strategies that exist at the homes of most, if not all your coworkers, friends, and family.
Do they run vulnerability scans regularly? Manage and deploy patches to all nodes under their control? Run web filtering software or setup home firewalls so compromised devices cannot hit the Internet directly? Of course not! And that's why Mirai was able to leverage so many hosts in its DDoS. It grabbed the low hanging fruit that we have all ignored, and we've only seen the tip of the iceberg here.
What can we do?
While defending against a DDoS may be beyond the capabilities and capacities of many of us, we can at least ensure that we are not contributing to the problem, so here's a list of things all of us can do to help.
Everyone, even at home, can do these first two:
- Ensure we keep all our devices; computers, mobile devices, tablets, network hardware, IoT devices, and anything else that is network capable, patched and up to date;
- ALWAYS change the default passwords on EVERY device that has a network connection, even when it is a home use device on an internal network;
And at work, you can do even more:
- Set up outbound egress filters at work to ensure that only devices which need to directly connect to the Internet can do so;
- If you provide DNS services internally, then no other devices but your DNS servers should need to directly make DNS queries to external servers;
- Web filtering is great way to protect users from downloading malware or executing malicious scripts, which is how Mirai started, and keeping an eye on your web traffic with tools such as GFI WebMonitor is also a good way to make sure your network is not taking part in anything shady;
- End users don't need to ping external hosts, but make sure your admins can, and that you allow ICMP internally;
- Consider whether your end users really do need admin rights on their workstations, since there's very little malware can do executing with regular user privileges;
- Use vulnerability scanning software such as GFI LanGuard on all your systems regularly, to ensure you don't have any vulnerable devices in the network you're managing;
- I mentioned it above, but for companies this is much more important: use patch management software to keep all your systems are up to date, for both operating system and third party application needs.
Keep in mind that while Mirai took out Dyn for hours by leveraging vulnerable devices with default configurations, it first got to those devices as malware executed on unguarded and unpatched workstations. With hundreds of thousands of systems hammering Dyn, most of us probably felt the impact of that attack, but never thought that we could be a part of the attack.
So, it's in all of our best interests to help make sure we're not a part of the problem, by patching everything that needs to be patched, and by preventing our devices from becoming an integral part of such attacks. Next time you angrily dismiss a Windows Update notification, remember these words.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.