Yesterday I had problems accessing Twitter.
I know, I’ll get over it, but in the meantime realising what caused the access issue served to highlight a vulnerability built into part of the internet’s technical design.
The problem is… well… us humans! We can’t remember numbers that well, and yet every computer and every website on the internet has a unique numeric address, called an IP address. For example, the web server that you are connected to in order to read this post currently has the IP address:
If you copy and paste that numeric IP address into a web browser, you would arrive back here! So you just remember that address and the vulnerability disappears.
But you won’t remember it, and neither will I. Indeed, I had to go and remind myself what the IP address was to post it in this article – and I was the person who set this web server up!
No, the fact is that you typed in ‘lansley.com’ into your web browser to get here (or your blog aggregator application did).
What happened then is that your web browser went to a Domain Name Service (DNS) server – one usually (but not always) being run by your Internet Service Provider.
DNS servers act much like electronic telephone directories: Look up the person’s name and you get back their telephone number.
The DNS server received the text ‘lansley.com’ from your web browser and looked it up in its database. If it didn’t find it then it would call an upstream DNS server and ask it if it knew, and so on until one of the DNS servers did know, and so returned 220.127.116.11 to your web browser.
Finally, your web browser went to that IP address and found this site.
The problem is the Domain Name Service (DNS) itself: If these servers are exposed to a Distributed Denial of Service (DDoS) attack then your web browser may not receive the numeric IP address back and so doesn’t know where to go. That’s what happened with Twitter and me yesterday.
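The lookup chain described above, and what happens to it when the authoritative servers stop answering, as an added toy model (my example, not code from the original post). The server names, the cache and the error handling are assumptions; the domain name and the IP address are the ones quoted above. One detail the model adds: a resolver that has already cached the answer keeps serving it until that cached record expires, which is why an attack on the authoritative servers hits gradually rather than instantly.

```python
"""Toy model of recursive DNS resolution and the effect of a DDoS on the
authoritative servers. Constructed example: server names, cache behaviour
and error handling are assumptions, not a real resolver implementation."""


class ResolutionFailed(Exception):
    """Raised when no server in the chain could answer the query."""


class DnsServer:
    """A DNS server that is authoritative for some names, may ask an
    upstream server for the rest, and may be 'down' (e.g. saturated)."""

    def __init__(self, name, records=None, upstream=None):
        self.name = name
        self.records = dict(records or {})  # names this server answers for itself
        self.cache = {}                     # answers learned from upstream
        self.upstream = upstream
        self.down = False

    def resolve(self, hostname):
        if self.down:
            raise ResolutionFailed(f"{self.name} is not responding")
        if hostname in self.records:
            return self.records[hostname]
        if hostname in self.cache:
            return self.cache[hostname]
        if self.upstream is None:
            raise ResolutionFailed(f"{self.name} has nobody to ask about {hostname}")
        answer = self.upstream.resolve(hostname)
        self.cache[hostname] = answer       # remember it for the next visitor
        return answer


def build_chain():
    """ISP resolver in front of an authoritative server (Dyn-like role)."""
    authoritative = DnsServer("authoritative", records={"lansley.com": "220.127.116.11"})
    isp = DnsServer("isp-resolver", upstream=authoritative)
    return isp, authoritative


def browse(resolver, hostname):
    """What the browser does: ask its resolver, then 'connect' to the IP."""
    try:
        ip = resolver.resolve(hostname)
    except ResolutionFailed as exc:
        return f"cannot reach {hostname}: {exc}"
    return f"connected to {hostname} at {ip}"


def demo():
    isp, authoritative = build_chain()
    results = []
    results.append(browse(isp, "lansley.com"))  # cold cache: walks up to authoritative
    authoritative.down = True                   # simulate the DDoS on the authoritative servers
    results.append(browse(isp, "lansley.com"))  # cached answer still works...
    isp.cache.clear()                           # ...until the cached record expires (its TTL)
    results.append(browse(isp, "lansley.com"))  # now the browser has nowhere to go
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The cache expiry is modelled crudely by clearing the cache; a real resolver drops each record when its time-to-live runs out, which is why sites with long TTLs stayed reachable for longer during the outage.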
The problem was the result of an attack on Dyn, an Internet infrastructure company that provides DNS services to the web. It’s also why the USA’s Department of Homeland Security set off an immediate investigation about what happened and what to do about it.
One interesting twist in this story is that anecdotal evidence suggests that, now that Windows, Mac and Linux computers are pretty well protected, Internet of Things devices such as digital video recorders, home CCTV cameras and other ‘smart’ devices are being targeted for their vulnerabilities.
For example, if you have a home CCTV camera that sends images to your smartphone when you’re away, it has to have internet access to do so – and could be exploited for any weaknesses in its architecture. Such a camera is more than just a camera, it’s a small completely self-contained embedded computer.
Most IoT devices use miniature Linux-based computers to perform their work, since Linux can run on a complete computer squeezed onto a single silicon chip – so-called ‘embedded Linux’. It’s easy to get hold of such chips to see if you can hack them, and such devices are hard to patch without a firmware update.
Of course, manufacturers will work to improve security just like the work that has happened on desktop operating systems. Alas, the cat and mouse game continues.
Cyber security expert Brian Krebs wrote in his blog:
At first, it was unclear who or what was behind the attack on Dyn. But over the past few hours, at least one computer security firm has come out saying the attack involved Mirai, the same malware strain that was used in the record 620 Gbps attack on my site last month. At the end of September 2016, the hacker responsible for creating the Mirai malware released the source code for it, effectively letting anyone build their own attack army using Mirai.
Mirai scours the Web for IoT devices protected by little more than factory-default usernames and passwords, and then enlists the devices in attacks that hurl junk traffic at an online target until it can no longer accommodate legitimate visitors or users.
According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use them in their own products.
“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn.
However, I would like to see Internet Service Providers doing more to detect and block devices on their broadband networks that are behaving in this way. Surely such DDoS traffic patterns are plainly detectable on their networks? More on this soon…
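As an added illustration of the kind of check an ISP could run (my example, not any provider’s real tooling and not code from the original post): per-subscriber flow summaries are aggregated per ten-second interval, and any subscriber line pushing an implausible packet rate at a single destination is flagged. The flow record format, the addresses and the threshold are all constructed assumptions.

```python
"""Constructed example of a per-subscriber flood check over NetFlow-style
flow summaries. Record format, addresses and threshold are assumptions."""

from collections import defaultdict

# Constructed flow records, one per line:
#   interval-start-timestamp  source(subscriber)  destination  dst-port  packets
# Subscriber 192.0.2.11 is hammering one DNS server; the others look normal.
SAMPLE_FLOWS = """\
1477000000 192.0.2.10 198.51.100.5 53 40
1477000000 192.0.2.11 198.51.100.5 53 35000
1477000000 192.0.2.12 203.0.113.7 443 120
1477000010 192.0.2.10 198.51.100.5 53 38
1477000010 192.0.2.11 198.51.100.5 53 36000
1477000010 192.0.2.12 203.0.113.7 443 110
1477000020 192.0.2.11 198.51.100.5 53 34000
1477000020 192.0.2.13 198.51.100.5 53 50
"""

INTERVAL_SECONDS = 10
# A home camera or DVR has no business sending thousands of packets per
# second to one target; the limit itself is an assumption for the example.
PACKETS_PER_SECOND_LIMIT = 1000


def parse_flows(text):
    """Parse the whitespace-separated flow lines into dicts, skipping blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, pkts = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "port": int(port), "pkts": int(pkts)})
    return flows


def flag_flooding_sources(flows, pps_limit=PACKETS_PER_SECOND_LIMIT,
                          interval=INTERVAL_SECONDS):
    """Return {source_ip: (destination, peak packets/second)} for every
    source that exceeds pps_limit towards a single destination in any
    interval. Per-destination aggregation keeps a busy but legitimate
    subscriber (many small flows to many sites) from tripping the check."""
    per_interval = defaultdict(int)  # (ts, src, dst) -> packets
    for f in flows:
        per_interval[(f["ts"], f["src"], f["dst"])] += f["pkts"]
    flagged = {}
    for (ts, src, dst), pkts in per_interval.items():
        pps = pkts / interval
        if pps > pps_limit and pps > flagged.get(src, (None, 0.0))[1]:
            flagged[src] = (dst, pps)
    return flagged


if __name__ == "__main__":
    for src, (dst, pps) in flag_flooding_sources(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}: peak {pps:.0f} packets/s, candidate for rate-limiting")
```

Flagging is only the first step; what an ISP does next (rate-limit the line, notify the subscriber, null-route the destination) is a policy question, but the signal itself is cheap to compute from data ISPs already collect.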
This article also appeared in Mobile Marketing as ‘Internet of Stings’ at http://mobilemarketingmagazine.com/lansley_iot_threat/