Cyber attacks just keep on coming, don’t they?
Perhaps the largest one of them all, currently, is the Dyn cyber attack.
The Dyn Cyber attack infected computers on a worldwide scale on October 21, 2016.
Hackers used the Dyn cyber attack to launch multiple DDoS attacks (Denial of Service attacks).
They targeted the popular Domain Name System (DNS) service provider Dyn by infecting its operating computer systems.
That caused several online services and internet platforms to go down and become unavailable to a huge number of users living in North America and Europe.
So who launched the attack?
We already know, of course, hackers.
But which hackers?
The group, or rather groups, who have taken the responsibility for the attack go by the name of New World Hackers and Anonymous.
So what does Dyn do that hacker deemed it so important?
Well, as mentioned before, Dyn is a DNS provider.
More specifically, it provides end-users many services.
One of them is the internet domain name mapping.
What is internet domain name mapping?
It is basically the process Dyn uses to connect specific internet domain names to their corresponding IP addresses.
When you put a domain name in your internet web browser, services like Dyn make sure that you connect to the right website which is hosted on another computer/server.
Hackers used a huge number of these DNS lookup requests to launch their distributed denial of service attack.
Some reports in the media indicate that hackers used DNS requests from over ten millions IP addresses and that’s just the lower estimate.
So how do hackers achieve such a huge DDoS attack on services such as Dyn?
Well, they all have different ways of achieving different objectives.
As far as the Dyn cyber attack is concerned, hackers used a botnet.
This botnet consisted of a mammoth number of online, internet-ready, devices.
What are these internet-connected devices?
They are devices like IP cameras, baby monitors, printers and residential gateways.
Hackers infected all these types of devices, millions in numbers, with their malware.
Earlier reports in the media indicated that hackers used the Mirai malware specifically to target Dyn.
Moreover, reports published in the media also say that the estimated load of 1.2 terabits per second is the biggest DDoS attack in the history of man.
Of course, hackers will beat this again as they have beaten all their previous records as the years go by.
So is someone doing something?
Media reports say that US officials are currently busy in investigating the multiple DDoS attacks.
As indicated earlier, the large DDoS attack spread a huge amount of chaos and disruption.
It disrupted normal online services on both sides of the Atlantic.
After hackers affected online networks and platforms on Friday, the Department of Homeland Security sprung into action and started its investigation into the latest DDoS attack.
This is what we know so far from reputed online sources such as The Guardian.
Which Services Did Dyn DDoS Attack Take Out?
Hackers shut down some of the most important websites and services we access on a daily basis.
These are the sites that hackers took offline for an extended period of time because of the DDoS attack,
- Fox News
The list of sites also included some of the most well-known news sources such as,
- Wall Street Journal
- The New York Times
- The Guardian
To make it crystal clear now, hackers only focused on the DNS service provider Dyn.
And the reason for that is simple:
Dyn is one of the biggest companies that operates/run the online domain name system.
The Dyn DDoS attack also affected technology giant such as Amazon.
Indeed, Amazon’s web services division experienced an outage that lasted many hours beginning on Friday morning.
As most of us already know, Amazon is no more just “The Everything Store”.
It is also the biggest cloud computing company in the world and by quite a margin.
So any attack that disrupts Amazon services, is a very dangerous attack since Amazon controls so much of the internet.
However, some experts believe that the attack on Dyn and the attack on Amazon are not connected to each other.
One of those experts is Doug Madory.
Midori is the director of Internet analysis at Dyn.
In a recent interview, he said the outage at Dyn and the outage at Amazon was probably not connected.
He also said that Dyn did provide services to Amazon but Amazon had a complex network.
And that makes it really hard for the experts who are investigating this attack to say with certainty that the Dyn attack also caused Amazon services to go down.
There was no way to be definitive about the causality of the Amazon shut down.
Dyn representatives also communicated to the media that the company did not become aware of the DDoS attack until 7 am ET on the day of Friday.
The company made an official statement on its website and said that the company began to monitor and mitigate the DDoS attack against the Dyn-managed DNS online infrastructure sometime after 7 am.
To its credit, the company did complete the job of sending updates throughout the Friday on which the attack happened.
Though these updates, we also know that hackers launched multiple DDoS attacks.
The company confirmed the second DDoS attack at noon.
After that, the third DDoS attack hit its target at around 4 pm.
DDoS Attacks And Their Increasing Numbers
DDoS attacks are no longer uncommon.
According to some experts, it is because hackers are getting smarter and more effective.
One of those experts is Brian Krebs.
Krebs is an independent security researcher.
About a month ago, Krebs observed that hackers had released the source code to launch the Mirai botnet.
This virtually guaranteed all of us one thing:
Botnet attacks will soon flood the internet.
Some of these new botnets will power themselves via devices such as,
- Digital video recorders
- Insecure routers
- IP cameras
- Many other devices that hackers find easy to hack.
What Is The Mirai Botnet?
The Mirai Botnet is nothing but a network of devices.
These devices aren’t your average everyday use devices.
All of the devices that are used in a botnet are infected.
They are infected with a malware that is self-propagating.
And no one is safe from these type of malware attacks.
Hackers who created this malware also attacked Krebs.
And that’s how we know that each one of us is vulnerable to Mirai malware attacks no matter how secure we think we are with our expensive piece of security software applications.
Mirai, in Japanese, Means The Future
At present, Mirai is just a malware.
But of a different kind.
This malware particular infects computer systems that run Linux.
It turns them into remote controlled bots.
Hackers can use these bots to form a part of the botnet.
Then, hackers use the botnet to launch large-scale online network cyberattacks.
Most of the time though, the malware targets online consumer devices.
As mentioned before, the most common types of hackable devices are,
- Home routers
- Remote cameras
Hackers Love Mirai Botnet
And that’s why they have used it to launch many other large-scale and massively disruptive Distributed Denial of Service attacks in the past.
On 20th September 2016, hackers launched another one of these DDoS attacks.
This time, as mentioned before, they targeted Brian Kreb’s official website.
Hackers carried out another DDoS attack on the French web host OVH.
And then there is the Dyn DDoS attack.
All attacks have one thing in common:
The Mirai malware.
Flashpoint, a cybersecurity firm, also attributed this DDoS attack to a malware which, they believe, is based on the source code for the Mirai malware.
In the late hours of Friday, Krebs came up with his own findings from his investigation.
He said that he had heard (separately) from one of this trusted sources that hackers had planned this attack.
Krebs said his source followed the activity for quite some time and knew, from many cybercriminal underground hotspots, that hackers indeed discussed a plan to attack the DNS provider Dyn.
As mentioned before, hackers infected Dyn with multiple DDoS attacks.
After the first attack, Dyn didn’t have much time in between to get on the second DDoS attack.
Hackers launched the second DDoS attack on Friday afternoon.
This second DDoS attack affected Dyn in a similar way to the first one.
It mainly caused outages that kept services out of order till the morning.
Dyn has also said that the company is still trying its best to determine, how the DDoS attacks led the company’s services to a state of a prolonged outage.
Scott Hilton, who is the executive vice-president at the firm, said that Dyn considered their customers as their first priority.
He also said that the company had spent the last several hours trying to restore performance to all its customers.
Gizmodo also reported the Dyn DDoS attack and wrote that the latest waves of DDoS attack seemed to affect vast regions in Europe and the West Coast of the United States of America.
It further said that the DDoS attack caused similar outages but it was unclear, so far, how the two cyber attacks were related to each other.
A leading penetration tester, Robert page (who also works at the Redscan security firm), said that the new cyber attack was interesting in one aspect that nobody had taken the responsibility of the attack.
Modern tools make it relatively easy for anyone to plan and execute large DDoS attacks.
And because of this, it is likely that the perpetrators of cyber attacks like these are mostly teenagers.
Teenagers who want to cause a bit of mischief and don’t have any other malicious intents like state-sponsored cyber attacks do.
But the Dyn DDoS attack is dangerous because it underlines a very important theme:
The vulnerability of the way the modern internet functions.
David Gibson, who works at Varonis (a commercial software security firm) said that it made sense why hackers would attack Dyn.
He said it was because of a technology known as the DNS.
In other words, DNS had become an aging technology and the industry did not have enough expertise to update it.
He further added the list of potential problems was long.
From one-factor authentication sessions (in other words, password-only security) to unencrypted web connections, there is just no one single vulnerability.
Gibson also believed that because of the old age of the technology, the stakes were higher than ever before.
Bruce Schneier, who is another security analyst, wrote a hugely popular essay titled Someone Is Learning How To Take Down The Internet.
In that essay, he said that hackers launched a series of significant DDoS attacks on major Internet infrastructure companies because they wanted to try and test these companies’ security systems for potential weaknesses.
He also said that he got the information from a confidential source and hence could not provide more details.
He also wrote in the essay that with that said, he needed to warn the general public of potential cyber attacks which could bring down further key internet infrastructure.
Moreover, he said, someone was actively and extensively testing internet companies for their core defensive capabilities.
Most of these internet companies belonged to the groups that provided cricket internet services.
Mirai Comes Into The Picture Once Again
Mirai infected devices are smart.
They are smart in the sense that they continuously scan the online world of the Internet for the IP addresses of other Internet of Things devices.
To infect devices, Mirari uses a table.
This table consists of subnet masks and Mirai does not infect them.
These subnet masks include addressed which are allocated to the Unites States Postal Service and Department of Defense along with some private networks.
Mirai then looks for IoT devices which are vulnerable.
It then identifies those devices.
Mirai does that via a table which contains the common factory default usernames along with passwords.
Then it logs into such devices.
After that, Mirai infects these IoT devices with its malware.
Mirai does not interrupt the normal operation of these IoT devices.
They continue to function appropriately.
If we ignore the occasional sluggishness then there is nothing wrong with devices that Mirai infects.
The only side-effect of having Maria on your device is that your device will consume more internet bandwidth.
We also know that these IoT cannot rid themselves of Mirai malware until they are rebooted.
To remove an IoT device’s Mirai malware, a user may turn off his/her device and turn it on again after waiting a short while.
There is a catch though.
If the user doesn’t change the login password right after the reboot then the Mirai malware will again infect the device.
After a reboot, a user may have a few minutes before he/she can change the safely change the password.
Hundreds of thousands of users around the world use IoT devices and don’t change the default settings.
This action of theirs makes their IoT device vulnerable to targeted cyber attacks.
Why do hackers use a large number of IoT devices?
The reason is simple:
They want to bypass anti-DDoS software.
The Anti-DDoS software keeps a close eye on IP addresses which make incoming requests.
It then filters some of them and blocks others if it catches any unusual traffic pattern.
Just to take an example:
If a specific IP address makes a ton of requests from a particular website, then the anti-DDoS software will block that IP address.
Another reason why hackers use millions of IoT devices is that they want to collect and organize more bandwidth.
Otherwise, small-time perpetrators of these cyber attacks would not be able to assemble this many IoT devices to launch effective DDoS attacks.
And if they, they will get caught.
Hence, they use millions of IoT devices which don’t belong to them and hence law enforcement authorities can’t trace them.