On October 21st, 2016, several online services such as Twitter, Airbnb and Spotify were unavailable for a few hours, which threw the Internet ecosystem into a panic. This large-scale disruption was the result of a massive DDoS attack (Distributed Denial of Service) on the infrastructure of the DNS provider Dyn.
Several articles explaining this attack and its direct consequences, in more or less detail and at varying technical levels, are already available. But what are the long-term consequences for cybersecurity of such an attack being feasible at all?
A secure and decentralized Internet? Not that much…
The Internet was designed to be decentralized, so a single attack should not be able to reach the whole installed base. Even if one can imagine the Internet going down, it remains hard to believe. Yet the DDoS attack on Dyn shows that there are weak points whose failure can affect large parts of the Internet at once.
And in the era of virtualization and the massive growth of public clouds, the Internet's decentralization is less and less a given. We tend to concentrate our information systems (architecture, services, data) in the huge infrastructures of a few major providers such as AWS or Microsoft, which thereby become single targets through which thousands of systems can be reached in one shot.
This trend is not bad in itself: it enables technological advances such as serverless computing and simplifies the administration of information systems. However, it requires the security of these information systems to adapt, at a time when attacks themselves are evolving faster and faster.
Hacking: more imagination, more targets
Until now, DDoS attacks mostly relied on UDP reflection with IP spoofing: the attacker sends small requests to third-party servers (open DNS resolvers, NTP servers and similar UDP services, which require no handshake) with the source address forged to be the target's, so the replies go to the target instead of the attacker. Because the replies are much larger than the requests, the attacker gains a 10x to 100x amplification: for each 1 Mbps of spoofed requests sent by the attacker's machines, the target receives 10 to 100 Mbps of reply traffic.
The attackers who hit Dyn used a different modus operandi, one for which even a hypothetical fix is hard to find. Rather than spoofing IP addresses, they used the machines themselves. After building a list of connected devices (by scanning the whole Internet, "0/0", for devices that accept remote logins with factory default credentials), they used the Mirai malware to turn them into "zombie machines" and assemble a "botnet". Once a device is enrolled there is no way back: the machine is docile, and its requests look "legitimate" since they are sent by a real machine from its own IP address. They are therefore even harder to spot beforehand.
An attack of this scale is new in the cybersecurity field, but the method itself is not: botnets have existed for years. And connected objects are not the only huge pool of machines that can be turned into a botnet. According to Gartner, 5.5 billion connected objects will be in use in 2016. But at the end of 2014 there were already 7 billion mobile subscriptions in the world, equivalent to 96% of the world population, and by 2019 almost 9.2 billion phones could be connected. Unlike many connected objects, phones move around with their owners, which could make, for instance, the propagation of a worm over Wi-Fi relatively easy.
If attackers can build a botnet of mobile phones, its size could grow exponentially. It sounds like a nightmare scenario, yet it is only one not-so-unlikely example of an attack. Hackers can be very imaginative and are not necessarily afraid of setting up large-scale attacks. The risks are thus very real.
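The reflection mechanism described above leaves a recognizable footprint at the victim's edge: replies arrive from the well-known port of a UDP service, from many distinct hosts, in volumes that dwarf anything the victim itself sent to those services (the spoofed requests never transit the victim's network at all). The following Python script, an added example that is not part of the original article, runs that check over a handful of constructed NetFlow-style records; the IP addresses, port list and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by their well-known port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 11211: "memcached"}

# Constructed sample flow records: (src_ip, src_port, dst_ip, dst_port, packets, bytes).
# 203.0.113.5 is the hypothetical victim; 198.51.100.x are open resolvers / NTP / SSDP
# hosts answering requests the attacker sent with the victim's spoofed source address.
SAMPLE_FLOWS = [
    ("198.51.100.10", 53, "203.0.113.5", 44112, 200, 600_000),   # large DNS answers
    ("198.51.100.11", 53, "203.0.113.5", 44112, 180, 540_000),
    ("198.51.100.12", 123, "203.0.113.5", 51234, 500, 240_000),  # NTP responses
    ("198.51.100.13", 1900, "203.0.113.5", 60001, 300, 90_000),  # SSDP responses
    ("203.0.113.5", 44112, "198.51.100.10", 53, 1, 64),          # the victim's only real DNS query
    ("192.0.2.7", 443, "203.0.113.5", 50100, 40, 60_000),        # ordinary HTTPS download, ignored
    ("203.0.113.5", 50100, "192.0.2.7", 443, 30, 3_000),
    ("10.0.0.9", 41000, "198.51.100.10", 53, 5, 300),            # normal client doing DNS lookups
    ("198.51.100.10", 53, "10.0.0.9", 41000, 5, 900),
]


def detect_reflection(flows, min_reflectors=3, min_ratio=10.0):
    """Flag hosts that receive amplified replies from many reflectors.

    Returns {victim_ip: {"reflectors": n, "services": [...], "bytes_in": b,
    "bytes_out": b, "ratio": r}} for every host that (a) receives traffic
    from at least `min_reflectors` distinct reflector IPs and (b) receives
    at least `min_ratio` times more bytes from reflector ports than it sent
    to them. Only the reflected replies are visible on the victim side: the
    spoofed requests left the attacker's network carrying the victim's address.
    """
    inbound = defaultdict(lambda: {"reflectors": set(), "services": set(), "bytes_in": 0})
    outbound = defaultdict(int)
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if sport in REFLECTOR_PORTS:            # reply coming *from* a reflector service
            inbound[dst]["reflectors"].add(src)
            inbound[dst]["services"].add(REFLECTOR_PORTS[sport])
            inbound[dst]["bytes_in"] += nbytes
        if dport in REFLECTOR_PORTS:            # request the host itself sent *to* such a service
            outbound[src] += nbytes

    alerts = {}
    for victim, stats in inbound.items():
        sent = outbound.get(victim, 0)
        ratio = stats["bytes_in"] / sent if sent else float("inf")
        if len(stats["reflectors"]) >= min_reflectors and ratio >= min_ratio:
            alerts[victim] = {
                "reflectors": len(stats["reflectors"]),
                "services": sorted(stats["services"]),
                "bytes_in": stats["bytes_in"],
                "bytes_out": sent,
                "ratio": ratio,
            }
    return alerts


if __name__ == "__main__":
    for victim, a in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{victim}: {a['reflectors']} reflectors ({', '.join(a['services'])}), "
              f"{a['bytes_in']} B in vs {a['bytes_out']} B out, x{a['ratio']:.0f}")
```

On the constructed data the victim 203.0.113.5 is flagged with four reflectors across DNS, NTP and SSDP and a bytes-in/bytes-out ratio in the tens of thousands, while 10.0.0.9, a normal client whose DNS answers are only about three times larger than its queries, is not. In production the same logic runs over exported flow records rather than an in-memory list, and the thresholds are tuned to the site's baseline.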
Cybersecurity: a (too) slow evolution of mentalities
The best option against this kind of attack is to properly secure, beforehand, every online account and every machine connected to the Internet. Most of the connected devices recruited by Mirai were exploitable because they shared the same password, set by the manufacturer and never changed by the users. Cybersecurity is now a public concern worldwide, and the mentalities of both users and providers are moving in the right direction. However, the overall level of protection is still far too low compared to the risks we are exposed to, which change quickly.
Today we all know that we have to protect our phones, computers and accounts with different passwords that are changed regularly, to beware of malicious emails, and so on. Despite this awareness, not everyone follows these rules, even on critical accounts. The same lack of reactivity from users shows up with software updates: it is not uncommon to find machines still vulnerable to an old security flaw years after the patch was released. Users have no excuse for skipping these simple protective actions.
However, even if numerous tools are becoming more accessible, users are quickly discouraged as soon as a technical action they do not necessarily understand is required to add a layer of protection.
The protection of users is thus, for a large part, the responsibility of manufacturers and providers. Sometimes it does not take much to improve the security of a product, and such actions could have a great impact on the Web's global security. For instance, rather than setting the same password on all its products, a manufacturer could provision a distinct password on each unit. The author's suggestion of deriving it from the device's MAC address is a step up from a shared default, but it is not enough on its own: the MAC is broadcast on the local network and is often sequential within a vendor's address block, so anyone who extracts the derivation routine from one firmware image can recompute the password of every unit. A password generated at random in the factory, printed on the unit's label and stored on the device only as a salted hash, removes the fleet-wide risk even if the user never changes it.
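To make the difference between these provisioning schemes concrete, here is an added Python example (not code from the original article or from any manufacturer) that models three policies for the admin password of a device family: the shared factory default that Mirai's credential list exploits, a password derived from the MAC address with a constant baked into the firmware, and a per-unit random secret stored only as a salted hash. The firmware constant, the MAC addresses and the attacker's guess list are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical constant shipped inside every copy of the firmware. An attacker who
# dumps one device's flash recovers it once and then owns every unit in the family.
FIRMWARE_SECRET = b"vendor-firmware-constant-v1"

# Constructed sample of three consecutive units from one production batch.
SAMPLE_MACS = ["00:11:22:33:44:55", "00:11:22:33:44:56", "00:11:22:33:44:57"]


def shared_default(_mac):
    """Policy 1: every unit ships with the same password (the Mirai case)."""
    return "admin"


def mac_derived(mac):
    """Policy 2: deterministic per-unit password, HMAC(firmware constant, MAC)."""
    digest = hmac.new(FIRMWARE_SECRET, mac.lower().encode(), hashlib.sha256).hexdigest()
    return digest[:10]


def per_unit_random(_mac):
    """Policy 3: CSPRNG secret generated in the factory, printed on the label,
    not derivable from anything observable on the network."""
    return secrets.token_urlsafe(12)


def attacker_guesses(mac, leaked_secret=FIRMWARE_SECRET):
    """What a worm can try against a unit after one firmware image has been
    reverse-engineered: the known default plus the recomputed MAC-derived value."""
    recomputed = hmac.new(leaked_secret, mac.lower().encode(), hashlib.sha256).hexdigest()[:10]
    return {"admin", recomputed}


def fleet_compromise_rate(provision, macs):
    """Fraction of units whose provisioned password is in the attacker's guess set."""
    hits = sum(provision(mac) in attacker_guesses(mac) for mac in macs)
    return hits / len(macs)


def store_credential(password, iterations=200_000):
    """How the device should keep the password: salted PBKDF2 hash, never plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_credential(record, attempt):
    """Constant-time comparison against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    for name, policy in [("shared default", shared_default),
                         ("MAC-derived", mac_derived),
                         ("per-unit random", per_unit_random)]:
        print(f"{name:16s} fleet compromise rate: {fleet_compromise_rate(policy, SAMPLE_MACS):.0%}")
```

With the firmware constant leaked, the shared default and the MAC-derived scheme both fall to a 100% compromise rate across the sample units, whereas the per-unit random secret stays at 0%: there is nothing on the wire or in the firmware that lets the worm compute it. The `store_credential` / `verify_credential` pair shows the second half of the fix: even a factory-unique password should never sit in flash in plaintext, where a firmware dump would expose it.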
Website security is everyone’s concern!
Attacks like this massive DDoS, while still unusual, will not remain exceptional forever. The average size of denial-of-service attacks has been growing since their inception, and it is not going to stop now. Bruce Schneier, a renowned cybersecurity specialist, even worries that someone is probing the Internet's weak points in order to take it down.
International, inter-provider decisions and agreements will probably be needed in the future to adapt to these developments. Meanwhile, each of us has to stay watchful. We advise companies to study the need for, and feasibility of, a cybersecurity policy that does not depend on the Internet being available. Remember: you can't be too careful!
Source: Philippe Humeau