Friday morning, October 21, 2016 didn’t get off to a good start for me. Shortly before 9 am EDT I was attempting to make an online purchase using PayPal as my payment processor of choice. When I clicked the “Submit” link (the button graphic wasn’t displaying), my browser spun its wheels for a few seconds and then tossed up the dreaded 404 “server not found” error page. My first thought was that PayPal was undergoing a DDoS attack. It made sense considering all the shenanigans that have been going on lately around the US Presidential election. This just seemed like an escalation in the fun and games. It wasn’t until I did some Googling that I began to get a sense of the full scope of this particular attack.

I began reading that not only was PayPal down, but several other major sites such as Twitter, Etsy, Netflix, Reddit, and Spotify were also affected. Further digging revealed that Dyn, a major provider of managed DNS services, was the target. That explained why a cluster of sites was taken down all at once. Pretty clever to hit the DNS service provider they all had in common.

Around 9:20 am EDT, Dyn reported that it had successfully mitigated the attack and the affected sites were back up and ready for business. Great! I was finally able to get my online order processed. Turns out we all celebrated a bit prematurely, including Dyn. Another wave of attacks flared up around 11:50 am EDT and before the day was out, a third wave would be unleashed. What struck me as unusual was the lack of media coverage on the attacks as they were occurring. There was nothing on cable news until late afternoon and the online news sites were just as tardy. The first news release with any degree of detail was published by gizmodo.com not too long after the attack commenced. The Gizmodo article has a complete list of affected sites. It’s an impressive and frightening list.

It was clear from the outset that this was no run-of-the-mill DDoS attack, but something much more sophisticated and of an enormous scale. During the remainder of the day, I checked Dyn’s status site for updates on the progress of the attack and their success, or lack thereof, in mitigating it. Since then, a more detailed accounting of the attack has emerged from multiple sources. The most comprehensive one I’ve found is from Brian Krebs of KrebsOnSecurity.com fame. Much of what follows regarding details of the attack is from an article on his site.

It should be noted that prior to last Friday’s attack, the largest DDoS attack on record in terms of sheer throughput was an attack, ironically, on Brian Krebs’s own server, which clocked in at a staggering 620 Gbps. The one on Friday smashed that old record at almost twice the rate: 1.2 terabits per second! In order to achieve that type of bandwidth, a massive number of compromised devices, otherwise known as “zombies,” spewing out enormous gobs of data is required. An army made up of these zombies is referred to as a “botnet.”

Up until rather recently, botnets were constructed out of compromised PCs and laptops. There’s plenty of malware available to turn your home computer into a zombie and enslave it within a botnet. The zombies can then be remotely “woken up” at a time of their master’s choosing and commanded to direct their junk traffic at an unsuspecting host. What made last Friday’s attack different is that the botnet, or possibly botnets, was comprised of what have become known as “Internet of Things” devices, or IoT for short.

These are everything from webcams, DVRs, streaming video boxes, and electronic thermostats to baby monitors. The devices in the botnet from last Friday’s attack consisted of IP cameras and DVRs manufactured by a Chinese company called XiongMai Technologies. It has been determined that these devices were infected by a strain of malware called “Mirai.” This is the same malware involved in the attack on Krebs’s server. The source code for Mirai was publicly released by its creator back in September. Another thing that made last Friday’s attack extra special is that the number of infected devices was in the tens of millions.

The weakness in these Chinese-made IoT devices, besides most users not bothering to change the default admin login and password (or not even being aware that it’s possible), is that the login credentials for the telnet service and secure shell (ssh) are hardcoded in their firmware to the default values.
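Because the telnet and ssh credentials are baked into the firmware, the practical defence is on the network side: know which devices accept inbound telnet/ssh from the internet, and spot the credential sweeps that precede an infection. The following script is an added example and not code from the original post or from Dyn, Krebs, or XiongMai. It parses a constructed, simplified firewall log format (timestamp, ACCEPT/DROP, protocol, source, destination), assumes the inside network is 192.168.1.0/24, and reports two things: external sources that probed telnet (tcp/23) or ssh (tcp/22) on at least five distinct internal hosts within a minute, and internal devices that actually accepted such a connection from outside.

```python
"""Detect Mirai-style telnet/ssh sweeps and exposed devices in firewall logs.

Added example, not the post's own code. The log format, LAN range, sample
addresses and thresholds are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log: one external host sweeping the LAN on tcp/23, one
# camera (192.168.1.10) that accepted inbound telnet and ssh, plus normal traffic.
SAMPLE_LOG = """\
2016-10-21T08:41:02Z ACCEPT tcp 203.0.113.7:51022 -> 192.168.1.10:23
2016-10-21T08:41:03Z DROP   tcp 203.0.113.7:51023 -> 192.168.1.11:23
2016-10-21T08:41:03Z DROP   tcp 203.0.113.7:51024 -> 192.168.1.12:23
2016-10-21T08:41:04Z DROP   tcp 203.0.113.7:51025 -> 192.168.1.13:23
2016-10-21T08:41:05Z DROP   tcp 203.0.113.7:51026 -> 192.168.1.14:23
2016-10-21T08:41:06Z DROP   tcp 203.0.113.7:51027 -> 192.168.1.15:23
2016-10-21T08:50:00Z ACCEPT tcp 198.51.100.4:44321 -> 192.168.1.20:443
2016-10-21T09:10:11Z ACCEPT tcp 192.168.1.30:40000 -> 198.51.100.20:443
2016-10-21T09:12:00Z ACCEPT tcp 198.51.100.9:60001 -> 192.168.1.10:22
"""

# Assumption: the firewall's inside network. A real deployment would load this
# from configuration rather than hardcoding it.
LAN = ipaddress.ip_network("192.168.1.0/24")

# The two services the post names as carrying hardcoded credentials.
REMOTE_ADMIN_PORTS = {22, 23}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def _is_internal(ip):
    return ipaddress.ip_address(ip) in LAN


def parse_log(text):
    """Turn the constructed log format into a list of event dicts; skip unknown lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def find_scanners(events, window=timedelta(seconds=60), min_hosts=5):
    """External sources that touched telnet/ssh on >= min_hosts distinct
    internal hosts inside any sliding window. Returns {src: max_distinct_hosts}."""
    by_src = defaultdict(list)
    for e in events:
        if (e["dport"] in REMOTE_ADMIN_PORTS
                and not _is_internal(e["src"]) and _is_internal(e["dst"])):
            by_src[e["src"]].append(e)

    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(hosts))
        if best >= min_hosts:
            scanners[src] = best
    return scanners


def find_exposed_devices(events):
    """Internal hosts that ACCEPTed telnet/ssh from outside: (host, port, remote)."""
    exposed = set()
    for e in events:
        if (e["action"] == "ACCEPT" and e["dport"] in REMOTE_ADMIN_PORTS
                and _is_internal(e["dst"]) and not _is_internal(e["src"])):
            exposed.add((e["dst"], e["dport"], e["src"]))
    return sorted(exposed)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("scanners:", find_scanners(evs))
    print("exposed devices:", find_exposed_devices(evs))
```

The sweep detector keys on breadth (many destinations, few seconds) rather than on a signature, so it also catches the next worm that reuses the same approach; the exposed-device list is the remediation queue, since a device on it is one that should not be reachable on those ports from the internet at all.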
Mirai and other malware exploit this vulnerability. The malware then propagates itself by scanning the internet looking for other XiongMai Technologies devices to infect. There are a ton of them out there.

After the attack was over, a hacking collective which refers to itself as New World Hackers claimed responsibility on Twitter for initiating the attack. Sort of ironic considering Twitter.com was one of the sites taken down by their attack. They went on to claim that they didn’t launch the attack to attract federal agents. They just wanted to take their botnet out for a test drive and check its power. Mission accomplished, I suppose.

The group has claimed responsibility for other attacks such as the ones against ESPN.com and the BBC. It seems the group has an international makeup with members located in Russia, China, England, India and possibly other countries. They didn’t make any demands on the targets of their attack and stated that their only demand was “Secure your website and get better servers, otherwise be attacked again.”

These hackers may portray themselves as white hatters doing ethical hacking, but they’re far from the accepted definition of ethical hackers. Any pentester or ethical hacker worth his or her salt knows that you first must do no harm. If you've taken any of Cybrary's Pentesting or Ethical Hacking courses, you'd know this is a core principle. It means coordinating all testing and exploitation attempts during off-peak hours and also alerting IT staff and other stakeholders prior to conducting any testing. Seems the New World Hackers neglected this minor detail. Thanks, but no thanks, guys.

If nothing else, this attack is a grim reminder of how vulnerable this wonderful, but flawed, thing we call the internet truly is. Back when the internet was just a twinkle in Al Gore’s eye, the goal was to provide an isolated and highly distributed data communications network for secure use by the DoD. All joshing aside, we’ve gone in the other direction, as evidenced by the consolidation of many key service providers. Case in point is Dyn’s acquisition of a competitor not too long ago. Putting all your eggs in one basket makes for some major heartache when that basket is toppled over. We’re also setting ourselves up for a major disaster by the aggressive pursuit of extremely cheap, commoditized products, mostly made in China, such as the compromised IoT devices in this latest DDoS attack.

Finally, this event exposes the appalling lack of security awareness not only on the part of consumers, but also on the part of manufacturers and government agencies entrusted to monitor the security of data and infrastructure. It wasn’t all that long ago that our biggest fear regarding the internet was running out of IP addresses in anticipation of things like IP cameras and Wi-Fi toasters. Fortunately, technologies like NAT and IPv6 came along to save the day, but to what end? Without a vigilant approach to cybersecurity, we will no longer be able to have nice things, let alone make a simple online purchase.
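The "all your eggs in one basket" point above has a concrete check behind it: a zone whose NS records all belong to one managed DNS provider goes dark when that provider does, which is exactly what happened to the sites behind Dyn. The script below is an added example, not code from the original post or from any of the companies it names. It takes a zone's nameserver names and their addresses (constructed here; in practice you would collect them with `dig NS` and `dig A` against the zone) and flags a zone that depends on a single provider or a single /24. The "last two labels identify the provider" rule and the /24 stand-in for network diversity are simplifying assumptions, not a property of DNS.

```python
"""Assess whether a zone's authoritative DNS is spread across providers.

Added example, not the post's own code. Nameserver names and addresses are
constructed; provider-by-suffix and diversity-by-/24 are crude heuristics.
"""
from collections import defaultdict
import ipaddress

# Constructed inventories: one zone entirely on "provider A", one split
# across two providers and two address blocks.
SINGLE_PROVIDER = {
    "ns1.dns-provider-a.example.": "198.51.100.11",
    "ns2.dns-provider-a.example.": "198.51.100.12",
    "ns3.dns-provider-a.example.": "198.51.100.13",
}
DUAL_PROVIDER = {
    "ns1.dns-provider-a.example.": "198.51.100.11",
    "ns2.dns-provider-a.example.": "198.51.100.12",
    "ns1.dns-provider-b.example.": "203.0.113.21",
    "ns2.dns-provider-b.example.": "203.0.113.22",
}


def provider_of(ns_name):
    """Assumption: the registrable domain (last two labels) names the provider."""
    labels = ns_name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def assess_resilience(nameservers, min_providers=2, min_networks=2):
    """Group nameservers by provider and /24, and list what falls short.

    Returns a dict with the grouping, the network count, the findings, and a
    boolean 'resilient' that is True only when no finding was raised.
    """
    providers = defaultdict(list)
    networks = set()
    for name, addr in nameservers.items():
        providers[provider_of(name)].append(name)
        # /24 is a stand-in for "different network/ASN"; a real audit would
        # look up the origin AS of each address instead.
        networks.add(ipaddress.ip_network(f"{addr}/24", strict=False))

    findings = []
    if len(providers) < min_providers:
        findings.append(
            f"only {len(providers)} DNS provider(s): {sorted(providers)}"
        )
    if len(networks) < min_networks:
        findings.append(
            f"all nameservers sit in {len(networks)} network(s): "
            f"{sorted(str(n) for n in networks)}"
        )
    return {
        "providers": dict(providers),
        "network_count": len(networks),
        "findings": findings,
        "resilient": not findings,
    }


if __name__ == "__main__":
    for label, inventory in (("single", SINGLE_PROVIDER), ("dual", DUAL_PROVIDER)):
        report = assess_resilience(inventory)
        print(label, "resilient" if report["resilient"] else report["findings"])
```

Passing this check does not make a zone immune to a DDoS; it only means that losing one provider leaves resolvers with other servers to ask, which is the difference between degraded service and the outage the post describes.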