On Friday, Oct. 21, millions of Internet users trying to
access popular websites including Twitter, Netflix, the New York Times, and Wired
suddenly saw them stop working.
The reason was that for a few hours, a massive
distributed-denial-of-service (DDOS) attack hit a Domain Name System (DNS)
company called Dyn, based in New Hampshire. As I mentioned in last week's blog, DNS companies provide a
sort of phone-book service that turns domain names such as www.google.com into machine-readable
addresses that connect the person requesting a website to the server that hosts
it. They are a particularly
vulnerable part of the Internet, because one DNS unit can handle requests for
thousands of websites, so if you take that DNS machine down, you've
automatically damaged all those websites as long as the DNS is out of service.
DDOS attacks are nothing new, but the Oct. 21 attack was
the largest yet to use primarily Internet-of-Things (IoT) devices in its
"botnet" of infected devices.
The Internet of Things is the proliferation of small sensors, monitors,
and other devices less fancy than a standard computer that are connected to the
Internet for various purposes.
Here's where the zombie cameras come in. Say you buy an inexpensive security
camera for your home and get it talking to your wireless connection. If you're like millions of other buyers
of such devices, you don't bother to change the default password or otherwise
enhance the security features that would prevent unauthorized access to the
device, as you might do if you bought a new laptop computer. Security experts have known for some
time about a new type of malware called Mirai that takes over poorly protected
always-on IoT devices such as security cameras and DVRs. When the evil genius who sent out the
Mirai malware sends a signal to the infected gizmos, they all start spouting
requests to the targeted DNS server, which immediately gets buried in requests
and can't respond to anybody. That
is what a DDOS attack is.
As the victim learns the nature of the requests,
programmers can mount a defense, but skillful attackers can foil these defenses
too, for a time, anyway. The
attackers went away after three attacks that day, each lasting a couple of
hours, but by then the damage had been done. The attacks made significant dents in the revenue streams of
a number of companies. And perhaps
most importantly, we learned from experience that the much-ballyhooed Internet
of Things has a dark side. The
question now is, what should we do about it?
Sen. Mark Warner, a Democrat from Virginia, has
reportedly sent letters to the FCC and other relevant Federal agencies asking
that same question. According to a
report on the website Computerworld,
Warner has a background in the telecom industry and recognizes that government
regulation may not be the best answer.
For one thing, Internet technology can change so fast that by the time a
legislative or administrative process finally produces a regulation, it can be
outmoded even before it's put into action. Warner thinks that the IoT industries should develop some
kind of seal of security approval or rating system that consumers could use to
compare prospective IoT devices before they buy.
This may get somewhere, and then again it may not. The reason is that an IoT device that
can be used in a DDOS attack, but otherwise functions normally as far as the
consumer is concerned, is a classic case of what economists call an
"externality."
A more familiar example of an externality involves the air-pollution
abatement devices on cars:
catalytic converters, the diesel exhaust fluid that truck drivers now
have to buy, and all that stuff.
None of it makes your car run better; in fact, cars can get better
mileage or performance if they don't
have that anti-pollution stuff working, as Volkswagen knew when it purposely
disabled the anti-pollution function on some of its diesel models and turned it
on only to pass government inspections.
The pollution your car would cause without anti-pollution equipment is an
externality. The additional pollution that your car
causes is so small that you won't notice it. Only when you add up the contributions of the millions of
cars in a city does it become a problem.
But if you don't have anti-pollution stuff on your car, you're adding a
tiny bit to the air pollution that everybody in your city has to breathe. It's that involuntary aspect, the fact
that other people are put at a disadvantage because of your action (or
inaction), that makes it an externality.
The vulnerability of IoT devices to being used in DDOS
attacks is an externality of a similar kind. When you buy and install a security camera, or rent a DVR
from your cable company, and they don't have enough security software installed
to prevent them from being used in a DDOS attack, you're raising the risk of
such an attack for everybody on the Internet. And they don't have a choice in the matter.
Historically, externality problems such as air and water
pollution have been resolved only when the government gets involved at some
level. When the externality problems
are strictly local, sometimes local political pressures can resolve the issue.
But the Internet is by its nature mainly a global thing, although, for
reasons that are not entirely clear, the Oct. 21 attacks affected mainly East
Coast users. So my guess is that
to fix this issue, we are going to have to have national or international
governmental cooperation to set some rules and fix minimum standards for IoT
devices regarding this specific problem.
The solutions are not that hard technically: things like attaching a unique username
and password to each IoT device and designing them to receive security
updates. These measures are
already in place for conventional computers, and as IoT devices get more
sophisticated, the additional cost of these security measures will decline to
the point that it will be a no-brainer, I hope.
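
One way a manufacturer could give each unit its own username and password, as an added example that is not from the original post or from any vendor's code. The function names, label alphabet, PBKDF2 settings and serial numbers are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed label alphabet: no look-alike characters (0/O, 1/l/I) for printing.
LABEL_ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PBKDF2_ROUNDS = 200_000  # assumed work factor


def _hash(password: str, salt: bytes) -> bytes:
    # A slow, salted hash keeps a leaked device record from revealing the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_device(serial: str) -> tuple[dict, dict]:
    """Factory step: return (label, record) for one unit.

    The label is printed and shipped with the unit; the record, which holds
    only a salted hash, is what gets written to the device.
    """
    username = f"user-{secrets.token_hex(3)}"
    password = "".join(secrets.choice(LABEL_ALPHABET) for _ in range(16))
    salt = secrets.token_bytes(16)
    label = {"serial": serial, "username": username, "password": password}
    record = {"serial": serial, "username": username,
              "salt": salt, "pw_hash": _hash(password, salt)}
    return label, record


def check_login(record: dict, username: str, password: str) -> bool:
    """Device-side check; both comparisons run in constant time."""
    user_ok = hmac.compare_digest(username.encode(), record["username"].encode())
    pw_ok = hmac.compare_digest(_hash(password, record["salt"]), record["pw_hash"])
    return user_ok and pw_ok


def provision_batch(serials: list[str]) -> dict[str, tuple[dict, dict]]:
    """Provision a production batch; refuse to ship if two units share credentials."""
    batch = {s: provision_device(s) for s in serials}
    creds = {(label["username"], label["password"]) for label, _ in batch.values()}
    if len(creds) != len(batch):
        raise RuntimeError("duplicate credentials in batch")
    return batch


if __name__ == "__main__":
    batch = provision_batch(["CAM-0001", "CAM-0002"])  # constructed serial numbers
    label_a, record_a = batch["CAM-0001"]
    print(check_login(record_a, label_a["username"], label_a["password"]))
    print(check_login(batch["CAM-0002"][1], label_a["username"], label_a["password"]))
```

The credentials printed on one unit's label open that unit only, so learning one password no longer gives access to every device of the same model.
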
But right now there are millions of the gizmos out there
that are still vulnerable, and it would be very hard to get rid of them by any
means other than waiting for them to break or get replaced by new ones. So we have created a serious security
problem that somebody, somewhere has figured out how to take advantage of. Let's hope that the Oct. 21 attack was
the last big one of this kind. But
right now that's all it is—just a hope.
Sources: I referred to the article "What
We Know About Friday’s Massive East Coast Internet Outage" by Lily Hay
Newman of Wired at https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/,
and the article "After DDOS attack, senator seeks industry-led security
standards for IoT devices" by Mark Hamblen at
http://www.computerworld.com/article/3136650/security/after-ddos-attack-senator-seeks-industry-led-security-standards-for-iot-devices.html.
I also referred to the Wikipedia
articles on "externality" and "Mirai" (which means
"future" in Japanese).