The Dyn & Mirai Horror Show: The Weaponization of DDoS using Botnets
What Those 70s Shows Tell Us About the DDoS Threat
Back when I was a kid in the 1970s (sorry, I’m aging myself), a major component of the very limited lineup on network television was the variety show. As you can tell from the name, these shows featured a variety of different acts, including music, stand-up comedy, and dance routines. Just like the success of Survivor and American Idol in the 1990s spawned a profusion of reality shows of different stripes, the seventies had a huge glut of variety shows that were trying to repeat the success of top-performing shows hosted by Carol Burnett and Sonny & Cher.
Every celebrity seemed to get a variety show, and of course most didn’t last. I remember watching the premiere of the very short-lived variety show hosted by Wolfman Jack, a New York DJ famous for his signature wolf howl (he did it like seven times on the show). It was quite something to watch poor Wolfman attempt to sashay around the stage and “sing” the opening number in his growly voice. Another prime example of the variety-show gold rush was the Donny & Marie show. It featured the brother-sister pop duo Donny and Marie Osmond, who hailed from the Osmond entertainment family; every week they would faithfully sing “I’m a little bit country, I’m a little bit rock-n-roll.” Donny & Marie were very clean entertainers, kind of to an extreme. In fact, the show was so sickly sweet that even by the standards of the day, it was a bit nauseating.
By now you may be asking yourself: other than a very tenuous naming parallel, what do Donny & Marie have to do with DDoS attacks such as the one launched against Dyn by a botnet assembled with Mirai malware? Let me explain…
Security companies and experts have been warning for years of a perilous lack of security in IoT devices, which has created a bonanza (ha — another classic television reference) for botnet malware like Bashlight and Mirai. Over the last couple of years, the footprint of botnet malware has grown dramatically and attacks have been getting far stronger, such as the Terabit+ attack on OVH not long ago. Outside of the usual security crowd, however, this phenomenon hasn’t garnered much sustained attention, because to most people the concept of IoT botnet attacks still seemed too abstract.
Now, however, with Netflix, Amazon, and PayPal going down — and hundreds of millions of e-commerce dollars lost — everybody is sitting up and paying attention, giving attackers a bonafide hit. But this is no fun variety show. It’s a full-on horror show, which by the way, is one of the more profitable and copied segments in movie-making these days. Now that it’s apparent that neglect of basic security has created so many Internet vulnerabilities, we can expect attackers to be like producers rushing to emulate hit shows. Unless the industry chooses to act, we’ll see “successful” incidents like the Dyn attack replicated with stomach-churning frequency.
Flashpoint did a very nice after-action analysis of the attack on Dyn. Their conclusion? It’s unlikely that the attack was politically motivated or launched by a nation-state, primarily because Dyn is not a political target and also the same infrastructure used in the Dyn attack was used to launch an attack against a gaming company. The Flashpoint assessment is that this was the type of attack that typically originates with the Hackforums community, which is where attackers offer their services on a commercial basis. That possibly makes the attack something that was done simply to show what’s possible. In other words, a demo.
A similar view was put forward by security expert Bruce Scheier, though he adds that the Dyn attack bears some similarity to the kinds of probing that some major nation-states use to assess vulnerabilities in Internet infrastructure.
So if this was just a “demonstration,” what would the fully functional death star look like when it gets going? We know for sure that it’s not going to be pretty.
DDoS attacks often utilize botnets, consisting of thousands of compromised hosts that can be told to boo, throw fruit, or whatever vector the attackers decide upon. Of course, the owners of those hosts typically don’t know that they’re participants in a show. IoT has made it much, much easier to harness these unwitting extras. Just look at the username-password dictionaries that Mirai uses. Shipping products with default usernames and passwords — or even hard-coded passwords — is beyond negligent. At this point IoT manufacturers have created a fifth column by deploying armies of ready-to-activate clones into the heart of the digital economy.
Another notable aspect of the Dyn attack is that it was absolutely seen by ISPs but those ISPs had very little incentive to act. During the attack, we were live with customers who could observe spikes of DNS traffic going out-of or through their networks but saw no reason to do anything about it. That’s partly because the attack was more like water torture than a massive, all-at-once flood, and partly because the volume of bandwidth consumed by the traffic was trivial in the context of each individual ISP. While that reasoning may be understandable, there is certainly a case to be made that more collaboration within the Internet infrastructure industry could be very helpful in combating the scourge of DDoS.
The Dyn & Mirai Show was frighteningly bad. So how do we get it canceled? Once again it comes back to a willingness on the part of the Internet and IoT industries to take the threat seriously and police themselves accordingly. Kentik CEO Avi Freedman has written about the need for internet Infrastructure players to utilize long-established BCP-38 techniques to prevent IP address spoofing. That will prevent attackers from lurking so easily in the shadows. A related suggestion by Avi, reported recently in the San Diego Union-Tribune, is to establish an industry-wide label of assurance. “What’s needed,” he says, “is highly-visible, Underwriters Laboratory or Consumer Reports-style ratings of the cybersecurity of devices.”
It’s clear that if we want to deal effectively with the coming onslaught of IoT-based attacks, the Internet and IoT industries will have to stop being passive spectators to the destruction, instead working actively to raise the standard for security hygiene. The real threat to the digital economy and even society at large is now apparent. It’s time for a new action series that stars the industry fighting back.