The Dark Night

Stuart Fuller

Friday night was a bad night in the Fuller household. My wife was out with her friends; I was home with my two teenage daughters. Nothing unusual about that, but as we know today, teenagers cannot survive without access to the Internet.

“Dad, the Internet is broken. Can you fix it?” was the first sign that this wasn’t going to be the quiet evening of writing I had hoped for. I’d been aware of the major issues affecting several brands’ online presence that day, but my daughters had just emerged from their homework and were none the wiser. They wanted to enjoy their evening online, chatting to friends (via numerous, concurrent social media apps), shopping and watching films – and woe betide anyone who should stand in their way.

I offered an explanation as to why they couldn’t spend my money at a variety of online stores, use apps such as Instagram or Twitter, listen to music via Spotify or watch a number of unsuitable US dramas on Netflix. This was a Defcon 2 event, which was soon upgraded to Defcon 1 when my youngest rang my wife on her night out and told her that “Dad’s turned the Internet off” and that she should come home.

The girls survived, of course, finding a whole host of new websites to visit that were working; still managing to spend my money, plus a bit more for the inconvenience caused. But in their relatively young lives where the Internet had always been ‘on’, this was pretty much a first. Although we had had service interruptions locally, or the failure of network devices, this incident was one of the most serious that had ever hit the Internet.

Of course, you can’t actually tell where the Internet starts or finishes, nor the network topology that links networks to networks, countries to countries, continents to continents. But if you understand how the World Wide Web functions, with the distribution of servers that host the website content, then potentially you can disrupt the everyday patterns of traffic. In a nutshell, this is what happened on what will be forever known in our household as the “Dark Night”.

The cause of the issue that saw some of the world’s most popular websites unreachable to many users was a Distributed Denial of Service, or DDoS, attack. The Domain Name System (DNS) works as a distributed network across the globe, routing Internet traffic to the right place through a series of IP look-ups. Every website needs to use a DNS provider (large firms will create and manage their own DNS in many instances) which essentially acts as a gatekeeper and a travel guide for requests to access the website. They keep information on the location of the website servers and route traffic accordingly. DNS networks can be as simple (one location; one address) or complex (multiple locations around the world that route traffic to the nearest server to improve web page response times) as you desire. The more complex they are, in theory, the more resilient and secure they are.

A DDoS attack aims to take a website, or a group of websites, offline by flooding the webserver with Internet traffic. If enough concurrent requests are sent to a specific location, unless there is a layer of filtering applied, the web server will simply throw its virtual hands up and walk off in a digital strop. Internet users will experience the ‘wheel of death’ whilst waiting for the website to respond, before getting a “this server cannot be reached” message. DDoS attacks aren’t rare – in fact there are several websites you can visit that show in almost real time where the attacks are happening in the world. But big DDoS attacks are rare – they take a huge amount of resources and planning.

This particular attack wasn’t pinpointed at one particular brand or web server, but at a particular DNS network run by an organization called Dyn. Dyn provide DNS services for some of the world’s biggest brands, and so when the attack first hit, because of the origins and destinations of the tidal waves of data, it overloaded parts of its network. As with a number of other major DNS networks, Dyn used a technology called Anycast, which allowed them to spread traffic across 18 points of presence across the globe. However, the sheer scale of the attack, initially focused at the US East Coast but later spreading globally, was of an unparalleled nature. The websites of the brands were essentially unaffected, but the traffic wasn’t able to flow through the DNS network to reach the servers.

According to a news article from the BBC, the party (or parties) behind the attack used not only traditional slaved PCs but also other Internet-connected devices such as CCTV cameras and printers. The Internet of Things became The Internet of Stings for a few hours. Security firm Flashpoint confirmed that the attack used ‘botnets’ – devices connected to the Internet that had become infected with the Mirai malware – whilst another expert suggested that many of the devices used in the attack had unencrypted, easy-to-discover passwords that allowed the Mirai malware program to find them online and essentially take control of them. Millions of infected devices would have been used in this instance, with users unaware that their devices were enlisted in the cyber-attack.

So, is this an issue for the DNS and Internet infrastructure companies to deal with, or something that major brands need to take control of? A bit of both really. Dyn would have constantly load-tested its own network in preparation for such eventualities, so the magnitude of the issue will undoubtedly cause them and other similar providers to re-assess their detection and mitigating mechanisms. Brands that have built their business models around the Internet should also re-assess their DNS provisions and ask themselves questions as to whether they’re using a solution that could mitigate against such attacks. Using solutions such as Neustar’s UltraDNS provides the highest level of protection against DDoS; for NetNames customers, this is used in conjunction with our own DNS infrastructure to give an additional layer of protection.
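One concrete way for a brand to “re-assess its DNS provisions” is to check whether every authoritative nameserver for its zone sits with a single operator, which is the dependency that took sites dark during the Dyn outage. The script below is an added example, not code from the article or from NetNames, Dyn or Neustar; the zone names, NS hostnames and provider domains are constructed sample data, and it approximates the operator by the registrable domain of each NS host.

```python
"""Audit a zone's NS set for single-provider dependency.

Added example, not part of the original article. Input is a list of NS
hostnames (constructed sample data below; in practice you would obtain
them with `dig NS <zone>`), and the output flags zones whose nameservers
all belong to one operator.
"""
from collections import Counter

# Constructed sample NS sets for hypothetical zones; the provider domains
# are illustrative placeholders, not real records for any organisation.
SAMPLE_ZONES = {
    "single-provider.example": [
        "ns1.dnsprovider-a.net", "ns2.dnsprovider-a.net",
        "ns3.dnsprovider-a.net", "ns4.dnsprovider-a.net",
    ],
    "dual-provider.example": [
        "ns1.dnsprovider-a.net", "ns2.dnsprovider-a.net",
        "ns1.dnsprovider-b.com", "ns2.dnsprovider-b.com",
    ],
}


def provider_of(ns_host: str) -> str:
    """Approximate the operator by the last two labels of the NS host.

    Assumption: good enough for a first-pass audit. Suffixes such as
    co.uk would need a public-suffix list to be handled correctly.
    """
    labels = ns_host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_ns_diversity(ns_hosts):
    """Return (provider_counts, single_provider) for one zone's NS set."""
    counts = Counter(provider_of(h) for h in ns_hosts)
    return counts, len(counts) < 2


def audit(zones):
    """Map zone -> sorted provider list, for single-provider zones only."""
    findings = {}
    for zone, hosts in zones.items():
        counts, single = assess_ns_diversity(hosts)
        if single:
            findings[zone] = sorted(counts)
    return findings


if __name__ == "__main__":
    for zone, providers in audit(SAMPLE_ZONES).items():
        print(f"{zone}: all NS hosts depend on {providers[0]}")
```

A zone that is flagged has the same failure mode the article describes: if that one provider is flooded, resolvers can no longer find the site even though its web servers are healthy.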

The third element here is a lesson for us all. The sheer number of connected devices was a major contributing factor in the impact of the DDoS attack. Be part of the solution rather than the problem. Ensure that any device that has Internet connectivity has a secure password that isn’t shared across multiple devices. Always make sure your anti-virus and malware scanning software is kept up to date and, above all, be wary of downloading any software or visiting any websites that may put you and your Internet device at danger of downloading malicious software or malware.

The final word on the incident, for now, comes from the head of security for Salesforce.com – one of the biggest online applications used by companies big and small – who suggested more needed to be done to beef up the security of our Internet infrastructure: “In a relatively short time, we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.”