Do IoT Botnet DDoS Attacks Threaten The Internet?
The following is an edited transcript of an internal Panda Strike Slack discussion, in which we assess implications of the recent IoT-based DDoS attack and conclude that we need to drink delicious beer.
Dan: So the Internets are freaking out today about how people’s toasters have become an attack vector. Take this Tweet as a fairly representative example:
“In a relatively short time we've taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.” — Jeff Jarmoc 🐉🔥 (@jjarmoc), October 22, 2016
Humor aside, isn’t this a bit alarmist? After all, the problem was an attack on a specific DNS provider, not the Internet itself, and only those companies using that DNS provider were affected directly.
Michael: The most notable element of this attack is its origin. Typically, DDoS attacks are done through a ton of computers that hackers hijack and use to barrage websites. But this time, Dyn officials say it wasn’t computers — it was “tens of millions” of Internet-connected things, like CCTV cameras, DVRs and routers.
I expect to see IoT devices displace Windows machines as the most desirable DDoS zombies. It’s just too freakin’ easy to pwn poorly secured embedded Linux devices. And the tools for doing so are already automated and widely available today.
(Which is one of the reasons I don’t own any off-the-shelf home-automation devices.)
Dan: Sure. That’s all absolutely true, but it also seems like a bit of a two-step from the fact that Dyn screwed up. Here’s another Tweet that illustrates my point:
Dyn, by the way, is a VC-backed company selling performance management solutions, whatever that means. The real question is what were companies like Netflix and Twitter doing handing over a critical piece of infrastructure to a minor league player like Dyn in the first place? Not to mention why did they not have a secondary?
Lance: The DNS issue came across to me as laziness for the big profitable companies in question which were affected. They have the money to do this right.
Dan: Maybe they could raid some talent from Pornhub:
Robb, help us out here: why in the world would a major player like Twitter or Netflix use Dyn? Is this some kind of hipster thing?
Robb: I don’t perceive it that way. I am curious — what would you do otherwise? If I was starting something today, and was using AWS or GCP, I’d use their DNS infrastructure top-to-bottom. In light of the Dyn thing, I’d take a look at a means to slave zones from one provider to the other.
For what it’s worth, I’ve used Dyn in the past and it was fine. But, if I was big like Twitter, Netflix, et al., I don’t know why you’d do that since DNS is a cornerstone to your product/service.
So I don’t think I’ve got a satisfying answer to your question. It’s part inertia, part laziness, I suppose.
Dan: That just seems crazy to me. There’s no technical advantage to using Dyn? They’ve raised an awful lot of VC and they managed to get these big players to rely on them.
Robb: One answer might be here:
AXFR support would allow zones to be replicated using BIND.
Dan: I find the addiction to BIND hilarious, but, that’s another story. I can see that as a plausible answer.
Robb: Dyn has been around a long time… it’s possible that a lot of orgs had been using it in their infancy. I’m not defending its use, but presenting semi-plausible explanations for why its use is as widespread as it is.
Dan: Prior to a few years ago, it appears to have been a pretty small operation. But you’re right, I’m making an assumption here that they signed companies like Twitter and Netflix after raising all that VC money.
Would you need to replicate DNS across AZs in Route53 to get true high-availability?
Robb: No. The AWS DNS infrastructure is spread around the globe. AZs really have nothing to do with it.
Dan: So why are people concerned about replicating within Route53?
Robb: Eggs in one basket. If somehow, all of AWS’ Route53 infrastructure was under attack, it’d be nice to have some other NS servers answering for your zones.
Dan: Like Pornhub did. The problem with the eggs-in-one-basket argument is that the sites that were affected had all their eggs in one basket. It’s just that it was the Dyn DNS basket.
Robb, sorry to put you in the position of Dyn apologist. Let’s go back to the original question. I was saying that the apocalyptic headlines were alarmist and Mike said they weren’t.
Michael: I don’t think it’s alarmist at all to assume that IoT devices will be the next great playground for distributed attacks. A few reasons:
Ordinary folks don’t know how to secure their home networks.
Commodity hardware platforms, including IoT devices themselves, as well as off-the-shelf routers, firewalls, and so on, provided by Internet providers and Best Buy, are an easier target than custom solutions because a vulnerability in a commodity solution like LG TVs means all LG TVs are vulnerable.
Once an IoT device is compromised and zombied, most consumers will be forced to buy a new TV/Nest/fridge as they (and Geek Squad) won’t know how to fix the pwned appliance.
Most folks will also be unaware their Nest has been compromised until their ISP suspends their Internet service for botting, or worse, until their house is robbed by the people sniffing their Nest data to find out when they aren’t home.
None of the scenarios I have described above are sophisticated attacks. They will all be part of the Metasploit script-kiddie-deluxe package in the near future. Which means an army of morons will soon be messing with your GE smart lights.
I’ve seen demos of such at Def Con already, at least 2 years ago. Since then, hundreds of IoT startups have brought new products to market, and true to form, nobody is securing anything properly because they don’t know how (except Google — Nest is actually pretty secure). There is a huge unfulfilled demand for security expertise out there. Maybe we should chase that car?
Dan: Selling infosec is like being a dentist. Everyone needs to go, but no one wants to. Anyway, what has all this got to do with this particular attack? Is it just that it demonstrates the potential of using IoT for botnets? I mean, this attack was preventable, either by Dyn doing their job better or by simply using other DNS providers. Is this really an exploit of IoT or just Dyn doing a masterful job of changing the subject?
Michael: Those aren’t mutually exclusive. Dyn is its own incident, but there will be many more IoT-based DDoS attacks in the future. Someone had to be the first. That was this week.
Just because I’m paranoid doesn’t mean the toasters aren’t after us.
Dan: I hope you’re wrong. Because meanwhile, back at the ranch…
Robb: I want to talk about beer now. Can we talk about beer? Because this is delicious, and I think we all could use a drink.
Ed: We’re not getting paid to endorse Deschutes. Robb just really likes it.