Recent distributed denial-of-service attacks using internet of things devices is more than a cautionary tale about insecure devices. It actually highlight flaws with the internet that have been known for decades, but always disregarded as somebody else’s problem.Business Security News, Cybersecurity // 04.11.2016
The way the internet’s been built, maintained and utilized has failed to create incentives for users to pay attention to their own security. From the end user’s point of view, many of the risks are externalized: if you can’t see it, it’s somebody else’s problem.
Users can connect whatever gadgets they want to the internet. They pay for access, and purchase the expectation that they’re entitled to connect everywhere by using whatever devices and applications they want. Telecommunication providers have unsuccessfully challenged this idea. But the general consensus appears to be that Net Neutrality – the hands-off approach – is the way to go. So telecommunications providers deliver all traffic to their recipients, regardless of how unwanted or toxic the payload might be.
Is this Internet traffic a problem for you? Deal with it, cause it’s not going away.
It is an odd testament to the robustness of the internet’s core that trash traffic created by millions of hijacked Internet of Things (IoT) devices can bring internet giants like Dyn, Amazon, Twitter, and Netflix to their knees. The core networks were fully capable of delivering all that attack traffic to their victims’ doorsteps. It was Dyn’s access networks and Amazon’s processing capability that gave in, not the internet.
This brings up a gloomy prospect for anyone wanting to set up an online business. The days when a startup with a beat-up server in a garage could make it big are long gone. As a content or e-commerce provider, you would need to have a huge network capacity and immense processing capabilities when you launch. Not in the expectation of becoming an overnight success, but to survive attacks from pranksters, criminals, or maybe even competitors.The insecurity of the internet, and the ease with which crooks launch DDoS attacks without the fear of being caught, means that you start big or you don’t start at all. The internet is not the great equalizer it once was.
And the bad news isn’t over yet. Isn’t it strange that we still don’t know who commands all those hijacked devices and issues attack commands and target lists to botnets? You can transfer huge sums of money with the internet, or force millions of routers to shout and scan the world in search of freshly connected vulnerable devices without anyone having a clue who you are or what you’re up to. And for some reason, people never seem to learn their lesson when things go badly for them on the internet.
The 90’s had Missed Opportunities
An internet standard was drafted back in the 90’s to address a topical problem at the time: seemingly anonymous denial of service attacks that stymied efforts to identify and block the true attack sources. The attackers exploited the fact that they can use the internet to forge – spoof – their source addresses. Spoofing addresses to make it harder for defenders to tell where attack traffic actually comes from is still a routine practice for attackers.
Some years ago, another devilish invention from the 90’s became popular among the DDoSing underground: the use of amplifying reflectors. This tactic was first publicly documented by AusCERT in 1999 when high-capacity DNS servers were misused to drown hapless victims with incoming traffic. Lately, the same attack method has been used to exploit pretty much all stateless internet protocols, including but not limited to NTP (clock synchronization), SSDP (trust me, your connected TV is the reason we need this) and ICMP (think of “ping”).
Responsible internet engineers have suggested ways to overcome these apparent design flaws in the internet. They suggested that ISPs start exercising “address hygiene”: discarding traffic with a spoofed address belonging to another network. In the year 2000, that suggestion was promoted as a “Best Current Practice”, something that any respectable network carrier should adopt. The recommendation was updated in 2004 as networks continued to grow in both size and complexity. The next year, Finland adopted the recommendations as part of their national legislation, making it mandatory for telecommunication providers to exercise address hygiene. Only a year earlier, Finnish ISPs adopted DNS configurations that made using reflectors next to impossible in their networks. But was that the end of this story?
I wouldn’t be writing this if that were the case. The rest of the world apparently has yet to follow the example set by Finland.
This is because ISPs have typically not been highly motivated to proactively defend their customers from risks posed by online threats. As long as their infrastructure survives the attack, ISPs are happy to accept all the stones, sticks, and plastic bags their customers throw at them, and deliver malicious cargo to the attackers’ victim-du-jour. And their customers are unlikely to stop buying cheap IoT devices and plug them in. After all, there’s nothing on the horizon that looks like it’s stopping that trend.
And here come the Regulations
The industry should have seen this coming: crash the internet enough times and the government authorities will step in.
In the US, the Federal Trade Commission (FTC) stepped up their efforts in protecting consumer rights by name-calling and punishing manufacturers of insecure devices and software. Oracle was forced to help people uninstall their insecure Java runtime software. Asus was forced to admit they haven’t put any effort in securing their routers, and now have to subject their wares to third party security audits for the next twenty (20!) years. The FTC also single out the IoT industry in a blog post, and issued a warning to them.
European regulators have been slower to move, but the European Union Commission is now contemplating its options. The DDoS attack on Dyn only served to strengthen their resolve in getting new regulations in place.
If the IoT industry loves regulation, they should keep up their mediocre work. Otherwise, it’s time to course correct, and start making security a priority!
[Image by Erica Firment | Flickr]