Why Carriers need to think about DDoS

So it started with Brian Krebs and now DynDNS; where will it end, and will it ever end? What am I talking about? Well, massive surges of traffic targeted at these sites are blocking legitimate traffic from getting there: a Distributed Denial of Service attack, or DDoS.


What is the number of the beast

In the case of security journalist and researcher Brian Krebs, the attack on his site is estimated to have been between 360 – 620 Gb per second.

With DynDNS, the target was their managed DNS service, this time hit from 10s of millions of IP addresses.


Those who have been following the tech news will know that the attack was not carried out by a person sending the traffic themselves. Instead, they wrote code which finds certain devices on the internet that it can then use as part of a collective to launch an attack. At a given time the command and control servers contact these devices and say “send this packet of information to this IP address”, and off they all go.

With Brian Krebs, the estimated 145,000 devices involved are believed to have been IP cameras and DVRs – in other words (and rather ironically) security cameras; as above, DynDNS was hit by millions of those internet-connected devices.

Thanks to MalwareTechBlog for this video.


I didn’t do that!

The outcome of both of these was that service from these organisations stopped: Krebs’ website was unreachable, and for DynDNS the issue was bigger – they look after other organisations’ routing, the pathways to their websites. As a result, Reddit, Twitter and other major organisations were sucked into the same incident.


A bit of a history lesson and some geography.

To connect two computers together, you connect them using a cable.

To connect two companies together, all those computers at company A go through a router which connects to company B’s router.

To connect two countries together, we need Internet Service Providers (ISPs) to handle all the connections through datacentres to connect to each other using fibre optic cables, and yes some of these are also under the sea.

This means that the world is so beautifully connected that I can sit on a beach on the other side of the world:

  • use my phone to connect to the local Wi-Fi hotspot,
  • which goes out through a router to an ISP,
  • which goes across a deep-sea cable to somewhere in the UK,
  • onto the fibre backbone of the UK,
  • to my local access point (nearest for me is Manchester),
  • convert onto smaller fibre,
  • routed to the local telephone exchange,
  • down some more fibre to the end of my road
  • onto copper cable, through the hole in the wall
  • to my router at home
  • over Wi-Fi to my IP security camera

And I can see nearly live footage of someone at home.


Ah shucks!

But what if that traffic went the other way?

What if a criminal takes control of my camera and does this:

  • send maximum data outbound from my camera (5Mb/s)
  • through my router
  • over the fibre
  • through the ISP
  • through the fibre backbone of the UK
  • over the deep-sea cables
  • to the US
  • onto the local landing point
  • to the fibre backbone of the US
  • to the local access point of DynDNS

Factor in that this path was just my device… Add in 1,000s of devices from the UK, 100,000’s of devices from Europe, and traffic joining from elsewhere in the world, and you get the massive traffic flows that hit DynDNS and Krebs.


Carriers and their place

So the fibre backbones and the deep-sea cables that I spoke about have their own ISPs (not actual ISPs, but a similar concept): the carriers. They are responsible for those cables, the physical elements and the routing of the traffic.


Who’s going to save us now?

Well, this is the important bit for me. It is on their networks that the aggregated traffic can be seen. If you look at my local connection … 9Mbps is nothing.

[Image: upload]

Literally a mere blip in a very noisy graph of data usage, and therefore hard to identify as unusual traffic. However, 1 Gbps going to a single place on the internet should flag up as unusual routing. At that point some kind of network engineer should be looking at that data and saying “this doesn’t look right!” If you then consider the landing point in the US, the network engineers there must have seen over 100 Gbps coming through their network aimed at a specific location. This is going to cause the carrier a wealth of problems: stress on the network, network degradation, potential slow-downs and up-time issues, and so I am surprised that the traffic was not mitigated earlier by a carrier.


Will the real target please stand up

Let us now move away from these stories and consider a slightly different target … thirteen of them to be accurate.

[Image: root-servers]

If you take what DynDNS do, which is to look after the routing of traffic for certain companies and organisations, who looks after the routing for the internet? The answer is the Root Servers, and there are 13 of them. Now consider the volume of traffic that would be required to flood the incoming connections to 13 unique servers around the world.

In 2002 … October 19th to October 21st (coincidence maybe?!) four of those 13 servers were knocked offline by a 100 Mbps attack.

[Image: 2002-i]

An analogy

Let me do a DDoS on your house. You live on a main road and your parents are coming over today. So the delivery guys have been coming to your house with the food – all legitimate visitors to your location. Then I come along with 1000 motorbikes and hold a protest on your road, or I post a Pokemon Go strange station alert on Facebook, and now there are 1000s of visitors to your location. Your road is fully saturated.

I don’t even need to do it at your house; I could do it on the surrounding roads so no-one can get to your road: not your parents, not the emergency services, and you won’t be able to get out either. It’ll be a very quiet day!


Superman to the rescue

In infosec, we talk about working out what is normal and what is not normal behaviour. In networking terms, 600Gbps aimed at one location is not normal, especially when you consider that each source in that 600 Gbps is asking the same question of the host from random locations in the world.

I think that what we need to consider is a greater responsibility from the Carriers to detect identical packets coming from multiple locations with a single (or specific) target in mind. These packets could be analysed to identify that they are a DDoS and the data should then be sinkholed.
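The two checks described above (a volume far above a destination's baseline, and the same packet arriving from very many sources) can be combined into a simple flow-level classifier. This is an added example, not code from the original post or from any carrier; the flow records, baselines and thresholds are all constructed for illustration, and the third case shows why a big single-source transfer should be investigated rather than sinkholed outright.

```python
from collections import defaultdict

# Constructed baseline: the normal rate each destination sees, in bits/s.
BASELINE_BPS = {"198.51.100.5": 50_000_000, "198.51.100.7": 50_000_000,
                "198.51.100.9": 50_000_000}

# Constructed one-second window of flow records: (src, dst, bytes, payload_hash).
# 150 compromised devices all send 10 MB of the same DNS query to the victim.
SAMPLE_FLOWS = [(f"198.18.{i // 256}.{i % 256}", "198.51.100.5", 10_000_000, "dns-q-A")
                for i in range(150)]
# One large but legitimate transfer from a single source (a backup, say).
SAMPLE_FLOWS.append(("203.0.113.44", "198.51.100.7", 100_000_000, "tcp-bulk"))
# A handful of ordinary visitors making varied requests.
SAMPLE_FLOWS += [(f"203.0.113.{i}", "198.51.100.9", 500_000, f"http-{i}")
                 for i in range(5)]

def aggregate(flows):
    """Roll flows up per destination: total bits, distinct sources, per-payload counts."""
    stats = defaultdict(lambda: {"bits": 0, "srcs": set(), "payloads": defaultdict(int)})
    for src, dst, nbytes, payload in flows:
        s = stats[dst]
        s["bits"] += nbytes * 8
        s["srcs"].add(src)
        s["payloads"][payload] += 1
    return stats

def classify(flows, baseline, window_s=1, rate_factor=10,
             min_sources=100, same_payload_share=0.9):
    """Return {dst: verdict} where verdict is 'sinkhole', 'investigate' or 'normal'."""
    verdicts = {}
    for dst, s in aggregate(flows).items():
        bps = s["bits"] / window_s
        over_rate = bps > rate_factor * baseline.get(dst, 0)
        # Share of this destination's traffic made up of one identical packet.
        top_share = max(s["payloads"].values()) / sum(s["payloads"].values())
        if over_rate and len(s["srcs"]) >= min_sources and top_share >= same_payload_share:
            verdicts[dst] = "sinkhole"      # many sources, identical packets, far over baseline
        elif over_rate:
            verdicts[dst] = "investigate"   # big, but could be one genuine heavy user
        else:
            verdicts[dst] = "normal"
    return verdicts

if __name__ == "__main__":
    for dst, verdict in classify(SAMPLE_FLOWS, BASELINE_BPS).items():
        print(dst, verdict)
```

Note that the classifier only needs per-flow metadata and a payload fingerprint, not the full packet contents, which is relevant to the inspection concern raised later in the post.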


Why hasn’t this happened before

It has … 2002 was a 900Mbps attack … These ‘Smurf’ attacks happened (cue spooky music) October 19th – 21st 2002. Coincidence? Maybe I should have given the tinfoil hats out earlier!


Not all common sense is common

It would make sense for this type of service to exist, but then there are the financial elements to add. These carriers make money by passing packets of data over their network and therefore lose money when they don’t. A carrier could implement this sinkholing of DDoS traffic for the greater good; it would cost them money to set up and monitor, and could lead to a better internet as a whole. But it is unlikely to be implemented if genuine packets get caught up in it and the privacy people get their way; after all, every packet on the internet would have to be inspected. Yet it could stop internet issues further down the line, especially as DDoS attacks are getting stronger and easier to put into place.


My conclusion

I think that we are seeing the start of the end. These two DDoS attacks were able to cause significant issues on the internet even though they weren’t attacking the core internet.

The root cause is inherently insecure internet-enabled devices that are now becoming more and more ubiquitous. This is the new playground of the criminal.

The criminals have worked out a way to find vulnerable, hard-to-patch devices and use them to flood key targets with enough traffic to overwhelm them.

There is no easy fix, as most of those internet-enabled devices are not easily patched and updated and so this problem will persist.

Carriers are one of the few parties on the internet with the technology and availability to help protect the internet.

It has been talked about for a number of years that someone could hit the main root servers and disrupt the internet. It could happen. Is it going to happen? Well, that remains to be seen, but I do think that someone out there, apart from me, is thinking about it, and for their own criminal gains.
