Massive DDoS attack spotlights internet choke point
Friday's mass DDoS attack against a DNS provider spotlights a long-standing weakness in how traffic moves across the internet.
Internet services were interrupted several times Friday following a mass DDoS attack that caused disruptions of Netflix, Twitter, Spotify, SoundCloud, GitHub and Reddit, to name a few.
Both the Department of Homeland Security and the Federal Bureau of Investigation are looking into the attack, officials told Reuters. Much is unknown, but right now experts says the DDoS attack primarily hit Boston-based DNS provider Dyn.
Carl Herberger, vice president of security solutions at Radware, believes the attack was actually directed at one or more of Dyn’s customers, which in turn impacted Dyn and cascaded down to interrupt service for customers.
"Because of the way that the internet is built, that means that anybody that was resolving their domain name and was using Dyn DNS as an Authoritative DNS server, then they became instantly unavailable on the internet," Herberger said.
Basically, there were fewer intended targets, but collaterally the hosting provider went down, which caused cascading damage to other companies.
Of those impacted by the DDoS attack, "the only common thread is it's all kind of Netflix and Chill type stuff," said Dimitri Sirota, CEO of BigID. "Taking down SoundCloud and Spotify and [a few] shopping sites, I don't know who's going to be impacted, especially on a Friday."
A single point of failure
DNS providers are essentially soft targets because of the number of companies that rely on them and the very nature of their service makes them hard to secure.
"This is a great place where people can attack — a single point of failure on the internet — and it can take down a lot of companies," Herberger said. "They have to receive users who they don't know, because that's the way the system works. They can't really judge the validity of these users very easily."
An Authoritative DNS manages domain names, availability and resiliency. The service is also lower-cost, feature-rich and typically more secure.
There are only a few core service providers in terms of market share -- numbering in the 10s, not the the hundreds. "They resolve most of the world's company's IP addresses," Herberger said. "This is just the way things work today."
DNS providers have worked to innovate, developing tech to improve both performance and security. But, in turn, the sophistication of DDoS attacks have increased, both in terms of frequency and volume, according to Sirota.
The rise of these attacks was likely, particularly because of the ROI. By automating the process using bots, DDoS attacks take very little effort but can cause companies significant damage, particularly to reputations.
A SecureWorks underground hacking market analysis from earlier this year found weeklong DDoS attacks cost the attacker between $200 and $555. But those organizations suffering an attack? They could lose $100,000 or more per hour in a peak-time DDoS related outage, according to a Neustar survey.
DDoS attacks can also be difficult to defend against, because humans are tasked with fighting "automated and botted" attacks, according to Herberger.
"Humans will never catch this, at this moment. They're not fast enough," Herberger said. "By the time they figure out what happened, it's already done and gone. What really has to happen, is the protection's really have to become automated."
The Dyn DDoS attack comes at a time when security sensitivity is heightened because of concerns over election cybersecurity. Experts will investigate the attack in the days and weeks to come, particularly looking for a thread that connects the Dyn attack to other incidents.
The big question hovering over the incident, is why go after a DNS provider that supports sites popular with millennials, according to Sirota. "People aren't just trying to make millennials life a little bit hard. There must be some alternative."
DDoS attacks can serve as cover for other malicious actions. It is also possible that the attack was an experiment used to test a new mode of attack.
"Is the intention to just try out a new way of hijacking unattended devices, like TV monitors and turn them into zombies that drive traffic? Is the intention to use the attack as a distraction so that these companies like Shopify aren't necessarily paying attention to other parts of their infrastructure? It's hard to say," Sirota said.
With such a massive attack, companies will likely start paying more attention to their DNS providers, to ensure those organizations have resiliency plans in place. Right now, there is no standard checklist for suppliers to articulate what levels of security they meet.
"People are starting to see how fragile really a lot of these conveniences that we've come to know and love are," Herberger said. "A lot of these security concerns are very valid and it's playing out."
DNS providers traditionally operate on very low margins and offer a commoditized service, where people don’t spend a lot of money. Because of that, people tend to not check into security, focusing at most on what’s in the service level agreements companies sign with the providers.
To prevent against this, someone has to ensure that protections are put in place. For example, the government could mandate certain critical infrastructure protections be kept in place to make sure the internet keeps up and running, according to Herberger.
Follow Naomi Eide on Twitter