For those active in cyber security, the Friday (21/10/2017) Distributed Denial of Service attack on Dyn did not come as a surprise. Many of us use the saying: the question is not if, but when.
Dyn was attacked by a botnet of Internet of Things devices: IP cameras, webcams, etc. The majority of these devices have poor security features, which, in combination with a default out-of-the-box installation, makes them prone to attack. And since IoT devices are in the majority of cases always on, they can be used or abused at any given moment.
(H)activist organisations have already stated multiple times that they want to bring down the Internet. The recent attacks on KrebsOnSecurity, OVH or even the BBC may well be from another botnet and perhaps not related. However, there is an ongoing trend: since 2016, DDoS attacks of over 10 Gbps have been on the rise (according to a Verisign report), combined with an increase in UDP floods, more specifically DNS traffic. The DNS root servers suffered attacks, and the most recent was not even a year ago. We hit the record earlier this year with 665 Gbps, and now it seems we've reached 1 Tbps, which many predicted to be possible after the 665 Gbps limit was reached.
Who is learning to break the Internet and bring it to its knees?
The easy answer: the usual suspects. But I doubt it will be an easy answer…
How did we get here?
The tragedy of the commons is an economic theory of a situation within a shared-resource system where individual users acting independently according to their own self-interest behave contrary to the common good of all users by depleting that resource through their collective action. (Wikipedia)
The Internet can be considered a shared resource, and we all use it and act according to our own self-interest. It is our own individual responsibility to keep our systems free of malware and botnets, to reconfigure devices when we hook them up to the web, to keep them updated, etc. If we don't, we might damage the common good.
However, we've come to a stage where we hook up toasters with zero security to the Internet. Those that make the chips (no pun intended) for these have no financial incentive to provide updates; their goal is to create a new one, release it and sell it. Those that manufacture the cheap chips into a product as requested by the brand name have no responsibility whatsoever for the updates. And the brand releasing the product makes at best an interface that you as a user can use. They do not care about the underlying technology. And at the end of the chain there is us, hooking them up to a network and creating the weapon of the future. We can fly to the moon and bring people back to earth in all safety, but we fail to protect the Internet from a toaster…
Protection will be at all layers; it is a shared responsibility, from the manufacturer to the end user, from the backbone provider to the home user. And preferably it starts at the beginning of the chain so that costs remain acceptable; integrating security at the end is in the majority of cases more expensive.
Unfortunately, there is no simple answer and no simple solution; it requires cooperation and responsibility from each and every one of us…