Dyn DDoS Attack Shows IoT’s Inherent Security Weakness


Parts of the internet ground to a halt on Friday, October 21, when a group of hackers targeted Dyn with a Distributed Denial of Service attack. The attack temporarily broke the path to many websites, including Twitter, and blocking similar attacks in the future will be a monumental task because the hackers used the internet-connected devices already in our homes.


IoT devices were center stage in Dyn DDoS attack

Distributed Denial of Service, or DDoS, uses thousands of online devices to overwhelm targeted servers with garbage data. Those can be computers, but in this case they were webcams and other Internet of Things devices in homes, offices, warehouses, and factories.

A common DDoS tactic is to target a specific website and overload it with more traffic than the servers can handle, taking the site down. In this case, the hackers launched a DDoS attack on Dyn’s DNS servers, so the system that tells your Web browser where to find the site you want to view went down.

The websites you wanted to visit were still running fine, but the DNS servers telling your browser where to find the sites were slow to respond or failed to respond. The end result was that websites appeared to be down while sitting idle waiting for page requests from browsers.

Dyn and DDoS

Dyn is one of the many companies that manage Domain Name Servers, which translate human-readable domain names—like macobserver.com and apple.com—into the numeric IP addresses your Web browser needs to connect to the sites you visit. If those DNS servers are offline, your browser is essentially shouting into an empty room and waiting for a response that won’t come.

Targeting Dyn was a clever move because instead of taking a single site offline, it blocked access to several sites. That cleverness came, however, at the expense of site owners who couldn’t get traffic during the attack.
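The distinction described above, between a site that is down and a site whose name simply will not resolve, can be checked during an outage. The following is an added example, not code from the original article: the hostnames, documentation-range IP addresses, provider labels and stand-in resolver are constructed, and it assumes you keep a last known IP address for each site you depend on.

```python
import socket
from collections import defaultdict

def tcp_reachable(ip, port=443, timeout=3.0):
    """True if a TCP connection to ip:port succeeds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(host, last_known_ip, resolve=socket.gethostbyname, reachable=tcp_reachable):
    """Separate 'the name does not resolve' from 'the server is down'."""
    try:
        ip, dns_ok = resolve(host), True
    except OSError:  # socket.gaierror (resolution failure) subclasses OSError
        ip, dns_ok = last_known_ip, False  # fall back to the cached address
    up = reachable(ip)
    if dns_ok:
        return "ok" if up else "origin_down"
    return "dns_failure" if up else "dns_and_origin_down"

def dns_failures_by_provider(sites, resolve=socket.gethostbyname, reachable=tcp_reachable):
    """Group hosts whose only fault is DNS by the provider serving their zone."""
    grouped = defaultdict(list)
    for host, last_ip, provider in sites:
        if classify(host, last_ip, resolve, reachable) == "dns_failure":
            grouped[provider].append(host)
    return dict(grouped)

# Constructed inventory: (hostname, last known IP, DNS provider label).
SITES = [
    ("shop.example.com", "192.0.2.10", "provider-a"),
    ("api.example.net", "192.0.2.20", "provider-a"),
    ("blog.example.org", "198.51.100.5", "provider-b"),
    ("old.example.org", "198.51.100.9", "provider-b"),
]

def fake_resolve(host):
    """Stand-in resolver: every zone hosted on provider-a fails to resolve."""
    table = {h: ip for h, ip, p in SITES if p != "provider-a"}
    if host not in table:
        raise socket.gaierror("constructed resolution failure")
    return table[host]

def fake_reachable(ip):
    return ip != "198.51.100.9"  # constructed: one provider-b origin is really down

if __name__ == "__main__":
    print(dns_failures_by_provider(SITES, fake_resolve, fake_reachable))
```

Several unrelated sites failing only at the DNS step and sharing one provider points to the provider rather than the sites; called without the stand-ins, the functions use the system resolver and a real TCP connection.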

A Russian group calling itself New World Hackers took credit for the attack, initially saying it was a trial run for something much bigger. Later, NWH changed its story to say that while it was responsible for the Dyn DDoS attack and last December’s BBC DDoS attack, it was done and wouldn’t target any other servers.

The group made their announcement on Twitter, which is something of an ironic twist considering the social networking service was one of their intended targets. The group said, “This is an announcement to the public. We are done hacking and we have considered retirement…If any of you feel the need to just hack or DDOS something, it’s not worth it if you don’t have a good explanation.”

Announcing their retirement is little consolation considering there are countless other groups ready to pick up where New World Hackers left off. It’s also a problem because the group made it painfully clear how IoT devices can be exploited in DDoS attacks.

Next up: Dealing with Internet of Things security

8 Comments

  1. If your toaster starts learning Russian…
    If your refrigerator joins an anarchy youth group…
    If your thermostat constantly insults twitter…

    REPORT IT!

    The website you save might be your own!

  2. NotTellingYou

    Some good info, though all available elsewhere, but why does an Apple focused web site, do an article about IoT security weakness, and not even make a passing reference to Apple’s HomeKit security and encryption? Apple has taken a lot of unwarranted abuse when it comes to HomeKit’s requirements with many a tech pundit taking Apple to task for their requirements which they see as slowing adoption and increasing cost. Well…and now you know!

  3. BurmaYank

    Good one, Lee! (Which plan did you vote for? – I voted for #5)

    – Only after years and years of firmware updates, (… ROM wasn’t fixed in a day.) 5%
    – Someone will just pull the plug on the Internet and reboot it!, (… how about leaving it unplugged and let everyone go outside for a couple of days?) 3%
    – Not with a bang but a whimper, 6%
    – With white hat malware, to target the malicious malware, 3%
    – With a well orchestrated campaign of blocking the sale of devices that can be compromised, and hunting down hijacked devices to destroy their capacity to attack DNS servers, (… too bad Samsung didn’t make them all, then they’d all just self destruct eventually!) 8%
    – I hate to say it, but it’s a game of cat and mouse that will never end! 59%
    – I’m pinging the results. 12%

  4. Dave Hamilton

    @NotTellingYou: Some good info, though all available elsewhere, but why does an Apple-focused web site, do an article about IoT security weakness, and not even make a passing reference to Apple’s HomeKit security and encryption?

    Perhaps you missed the second page of this article where that part of this was covered?

  5. Which is where something like this comes in useful… developed to run on OpenWRT [but see website for more details]. The Dowse is a mini firewall in effect – a small machine with two networks – not that dissimilar to one of these: but Smoothwall presently only runs on an Intel x86 platform. Most of the so-called secure IoT frameworks, hubs etc, are NOT secure, including the Philips Hue [see Abusing the Internet of Things, O’Reilly – mandatory reading IMHO]. HomeKit got a better review here – simply because it has an approach that has security built in from the start. Security is NOT an afterthought.
