
Danger and Security - Virtual Arms Race

What's wrong with us



Locations of the infected devices that took part in the Mirai attack. Illustration: Imperva Incapsula.

The essence of this reality is that opposing forces, competition or outright war, are always at work somewhere in the world. Now cyberterrorism has reached a new level, tied to the rapidly growing Internet of Things.

Threats are being created against information, against the security of data and against the normal functioning of the network. The latest example is the attack on Dyn, which hit not only the provider itself but all of its customers. Among them are some of the most popular platforms and services on the whole network: Amazon, Twitter, GitHub, Heroku, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud, The New York Times, Starbucks, HBO, CNN, Basecamp, PayPal. The list is far from complete: more than 75 organisations were caught up in it, news sites, financial organisations, service providers, social networks and the sites of software companies. Estimated losses are put at $110 million for a single day. For now nobody can reliably name the cause of the attack, and the FBI has already joined the investigation, so the event has moved beyond the scope of system administration to the "federal" level. Everyone who was hit will be rebuilding their reputation for some time. It became clear that nobody is as reliable as they seemed until recently.

The cyber arms race has probably been running since the very idea of a network appeared. The "successful" examples are discussed by the whole planet; nobody hears about the unsuccessful ones except their authors. The latest example exposed weaknesses in the defences of large sites from the Internet's top 20. What exactly the cause was and who exactly is responsible are, as always, difficult questions. In any case it is, as ever, a confrontation staged to demonstrate superiority. Where secrets appear, there are people who want to dig into them, or the other way round. On the Internet the struggle is between cybersecurity and cybercriminals: if there were no threats, there would be no need for protection. Against a crowbar there is no defence but another crowbar.

Krebs and open source


If you look at the substance of the matter, the DDoS attack itself is a very simple action. Add to that the fact that the malicious code was published and made available for anyone to study shortly before the attack. An analyst at Dyn asked on the company's blog how the public release of the code would affect it; the answer came very quickly. Reusing the open source for a new, powerful attack turned out to be entirely easy. No Kevin Mitnick and no ingenious algorithms, social ones included, are needed here: these are just directed requests. Journalist Brian Krebs, who writes a great deal about them and about cybersecurity in general, was himself the first to suffer from the new word in cyberterrorism, the botnet of things Mirai. His site was attacked about a month ago, as Geektimes reported.



Akamai, the provider protecting his site, fought the attack until it had to choose the safety of all its other customers. The main difference between this major attack and earlier ones was that the requests were plain data packets with no amplification. The full story can be reread on Geektimes.

After the "attack" on Brian Krebs's site, a similar attack with roughly twice the capacity was recorded, this time against the French company OVH. Around the same time the code of the attacking botnet was released into the open.

Historical background for enthusiasts


Complaints about the first DDoS attacks date back to 1996. Wide attention, however, came only at the turn of 2000, when the web services of the world's largest corporations (Amazon, Yahoo, CNN, eBay, E-Trade and others) were knocked out almost simultaneously. Urgent measures were taken only in December 2000, when the servers of key corporations were hit again.

A curious analogue: a story about a technique akin to DoS attacks


An interesting example of an ancestor of DDoS attacks is the so-called Säkkijärven polkka. In 1941 the retreating Soviet forces left radio-controlled mines behind in Vyborg. A receiver was activated every five minutes for 15 seconds, and a charge would detonate when a strictly defined melody was played. The Finns were able to neutralise the charges by broadcasting the Säkkijärven polkka continuously, jamming any other signal.

Now back to our own time.

How it was


Dyn is a major DNS provider; most well-known Internet platforms rely on it. According to the company's specialists, the first attack began at about 7 a.m. on 21 October. Most East Coast sites were unavailable. By 9:30 the problems had been eliminated, but not for long: the second wave came at 11:52 and the third at about 5 p.m.

While the investigation is conducted officially by researchers and the government, the public is being fed new facts and details. Dale Drew, head of security at Level 3 Communications, said they had identified attacks coming from a large number of different locations, and they are sure the already famous Mirai botnet is involved.

Ars Technica added to this:
"A botnet consisting of devices such as WiFi routers and Internet-connected video cameras sends a massive number of requests to Dyn's servers. At first glance the requests look legitimate, so it was hard for Dyn to distinguish them from ordinary user requests. Earlier in October the Mirai botnet code was made public. It and another botnet, Bashlight, exploited a BusyBox vulnerability."

The attack prepended random strings of text to domain names, turning each request into a seemingly new, entirely legitimate query to the domain name servers. Because of the random prefixes the results cannot be cached to speed up responses: every query has to be answered from scratch (a pattern known as a random-subdomain or "water torture" flood).
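As an added illustration, not code from the original post or from Dyn, the following Python script shows how such a random-prefix flood stands out in a query log. It assumes a simple one-query-per-line log format (timestamp, client IP, query name, type, response code), builds a constructed sample of ordinary traffic for example.com plus a flood against example.net, and flags zones where almost every query carries a never-before-seen leftmost label, returns NXDOMAIN and has high-entropy labels. The log format, the zone names and the thresholds are assumptions made for this example.

```python
import math
import random
import re
from collections import Counter, defaultdict

# Assumed log format (one query per line): <timestamp> <client_ip> <qname> <qtype> <rcode>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$"
)
ALNUM = "abcdefghijklmnopqrstuvwxyz0123456789"


def build_sample_log(seed=7, n_normal=40, n_attack=200):
    """Constructed sample: ordinary lookups of example.com plus a random-prefix
    flood against example.net. Synthetic data, not a capture from Dyn."""
    rng = random.Random(seed)
    lines = []
    for i in range(n_normal):
        host = rng.choice(["www", "api", "cdn", "mail"])
        lines.append(f"2016-10-21T11:52:{i % 60:02d}Z 198.51.100.{i % 20 + 1} {host}.example.com A NOERROR")
    for i in range(n_attack):
        # the random prefix: a name no resolver has cached, so it reaches the authority
        label = "".join(rng.choice(ALNUM) for _ in range(10))
        lines.append(f"2016-10-21T11:52:{i % 60:02d}Z 203.0.113.{i % 200 + 1} {label}.example.net A NXDOMAIN")
    rng.shuffle(lines)
    return "\n".join(lines)


def label_entropy(label):
    """Shannon entropy (bits per character) of a single DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname, zone_labels=2):
    """Return (leftmost label, zone), e.g. ('xq7r3k2p', 'example.net')."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[0], ".".join(parts[-zone_labels:])


def analyze(log_text, zone_labels=2):
    """Per-zone statistics that separate a random-prefix flood from normal traffic."""
    per_zone = defaultdict(lambda: {"total": 0, "nxdomain": 0, "labels": set(), "entropy_sum": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole analysis
        label, zone = split_qname(m["qname"], zone_labels)
        z = per_zone[zone]
        z["total"] += 1
        if m["rcode"] == "NXDOMAIN":
            z["nxdomain"] += 1
        z["labels"].add(label)
        z["entropy_sum"] += label_entropy(label)
    return {
        zone: {
            "total": z["total"],
            "unique_label_ratio": len(z["labels"]) / z["total"],
            "nxdomain_ratio": z["nxdomain"] / z["total"],
            "mean_label_entropy": z["entropy_sum"] / z["total"],
        }
        for zone, z in per_zone.items()
    }


def flagged_zones(stats, min_queries=20, min_unique=0.5, min_nx=0.5, min_entropy=2.5):
    """Zones whose traffic looks like a random-subdomain flood.
    Thresholds are illustrative; tune them against your own baseline."""
    return sorted(
        zone for zone, s in stats.items()
        if s["total"] >= min_queries
        and s["unique_label_ratio"] >= min_unique
        and s["nxdomain_ratio"] >= min_nx
        and s["mean_label_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    stats = analyze(build_sample_log())
    for zone, s in sorted(stats.items()):
        print(zone, {k: round(v, 2) for k, v in s.items()})
    print("flagged:", flagged_zones(stats))
```

The three signals reinforce each other: a legitimate zone sees the same handful of labels over and over, almost all of them resolving, while a flood is made of one-off labels that mostly do not exist. In a real deployment the same counters would be kept per sliding window and per source network, since the same statistics also reveal which client ranges are doing the flooding.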

The complete history of the attack is described in English by the New York Times.

It seems that what happened on Friday is almost biblical, a warning that you can never consider yourself too cool and all-powerful. Dyn's management says that "the price of freedom is eternal vigilance."

Have the robots already risen?


The question arises because the source of the attacks was established: a variety of "smart devices", from baby monitors to CCTV cameras, routers and digital video recorders. Data from Flashpoint's research department says the botnet's army consists of IP cameras and DVRs built on components from XiongMai Technologies, a Chinese company. Its parts are resold by a huge stream of vendors, so it is hard to identify a specific customer. Still, it is symbolic that Chinese-made devices attacked US servers.

Causes of attacks


The power of DDoS attacks keeps growing. Remember? First Krebs (an attack of 612 Gbps), then OVH and now Dyn (an attack of about 1 Tbps). This goes hand in hand with the use of unprotected, infected Internet of Things devices connected to the global network. Huge numbers of bogus requests are aimed at a specific server or set of servers, which become unavailable because they cannot keep up with the requests, or simply because the network or server lacks the capacity to process them.

More from here:
"Custom attacks on competitors to cut their profits and damage their image. This is a way for companies to improve their position not directly but by worsening their competitors' condition, achieving the goal despite all the dishonesty. Though who can produce statistics on which is cheaper: paying for powerful DDoS attacks or investing in your own development? Attacks are probably cheaper, faster and thus easier. Pay once, and the reputation takes a long time to restore. Thinking, investing, developing ... that takes a long time."

The availability of hacking tools also plays a significant role in the processes described. Everything that is open can be used; that is easier than coming up with an idea and writing your own.

Human nature does evil


However pathetic it sounds, this cannot be denied. Since the first DDoS attacks, commercial companies like Amazon have suffered first of all. So among the causes one can find the eternal question: "Why does someone smash the glass and unscrew the light bulb at the entrance?" Because they simply can and want to. The same goes for attacks. There are just ones and zeros. There are those who invent the Internet, and there are those who use it to do harm for harm's sake. History keeps repeating itself, and the force keeps growing.

If all the evidence points to the Russians, then it is definitely not them.


That is quite logical, unless you assume that the hackers count on exactly this reasoning to escape suspicion, and were stupid enough to leave many traces pointing directly at themselves, deliberately, while casting a shadow on someone else as a bonus. The assumptions about Friday's wave of cyberterror are confused.

Reputable security experts are pushing their own versions. Who may be behind the attacks: hackers from China, Russia, Iran, North Korea? Government-backed or independent? Investigations continue to be conducted by Dyn's specialists, by the state and by academics.

Lesson learned?


Things connected to the Internet are not protected at all, unless you count the factory login and password. And things that have once been drawn into an attack are not fit to be trusted again unless someone specifically cleans them up and disconnects them from the Internet. That will not happen; there are too many of them. Nevertheless, the trend is that the Internet of Things will keep growing steadily.

No short domain names and centralization


Many believe that standards for connected things need to be introduced. Perhaps this issue is worth raising at meetings of the Internet's custodians.

True, it is unlikely that all manufacturers of Internet-connected gadgets will release that many firmware updates and keep releasing them, simply because the probability of any one device becoming one of the "attackers" is low.

How fragile DNS systems are. Websites and companies that rely on outsourced providers had no backups. Steve Grobman, CTO at Intel Security, expressed the fear that "this could happen again because of the success of the previous attempt." Of course it will, and it will be more interesting and/or more powerful. He says that "reliance on cloud services for connection security may be excessive. We must choose basic, privileged providers who can be trusted with backups and other security measures in the fight against such attacks."

Most services should aim for higher TTL values. A day is not that long, and it makes sense to keep old IP answers available for at least 24 hours, including in resolver caches that hold on to records regardless of the TTL. Then the services will not depend on what happens to the central domain provider, and the DNS providers will drop out of the attackers' sights.
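To make the TTL argument concrete, here is an added Python simulation, not from the original article or from Dyn, of a caching resolver in front of an authoritative server that is unreachable from 07:00 to 09:30, the window of the first wave described above. A client looks the name up every ten minutes; the script counts how many lookups fail with a 5-minute TTL, with a 24-hour TTL, and with a 5-minute TTL on a resolver that serves expired answers while the authority is down (the behaviour later standardised as RFC 8767 "serve-stale"). The timings, the names and the resolver model are assumptions made for this example.

```python
from dataclasses import dataclass


class AuthoritativeDown(Exception):
    """Raised when the authoritative servers cannot be reached (they are under attack)."""


class Authoritative:
    """Minimal authoritative server: a zone of name -> IP with one TTL for every record."""

    def __init__(self, zone, ttl, outages=()):
        self.zone = zone                # assumed zone data, e.g. {"www.example.com": "192.0.2.10"}
        self.ttl = ttl                  # TTL in seconds sent with every answer
        self.outages = list(outages)    # [(start, end)] half-open intervals, seconds since midnight

    def query(self, name, now):
        if any(start <= now < end for start, end in self.outages):
            raise AuthoritativeDown(name)
        if name not in self.zone:
            return None
        return self.zone[name], self.ttl


@dataclass
class CacheEntry:
    ip: str
    expires: int


class Resolver:
    """Caching resolver; optionally serves expired entries while the authority is unreachable."""

    def __init__(self, upstream, serve_stale=False, max_stale=86400):
        self.upstream = upstream
        self.serve_stale = serve_stale
        self.max_stale = max_stale      # how long past expiry a stale answer may still be used
        self.cache = {}

    def resolve(self, name, now):
        """Return (ip, source) where source is 'cache', 'authoritative' or 'stale'."""
        entry = self.cache.get(name)
        if entry and now < entry.expires:
            return entry.ip, "cache"
        try:
            answer = self.upstream.query(name, now)
        except AuthoritativeDown:
            if self.serve_stale and entry and now < entry.expires + self.max_stale:
                return entry.ip, "stale"
            raise
        if answer is None:
            raise KeyError(name)  # NXDOMAIN; negative caching is out of scope here
        ip, ttl = answer
        self.cache[name] = CacheEntry(ip, now + ttl)
        return ip, "authoritative"


def simulate(ttl, serve_stale=False, outage=(7 * 3600, 9 * 3600 + 1800), step=600, horizon=12 * 3600):
    """One client resolving www.example.com every `step` seconds from 00:00 to `horizon`.
    Returns a dict counting lookups by outcome."""
    auth = Authoritative({"www.example.com": "192.0.2.10"}, ttl, outages=[outage])
    resolver = Resolver(auth, serve_stale=serve_stale)
    counts = {"lookups": 0, "failed": 0, "cache": 0, "authoritative": 0, "stale": 0}
    for now in range(0, horizon + 1, step):
        counts["lookups"] += 1
        try:
            _, source = resolver.resolve("www.example.com", now)
            counts[source] += 1
        except AuthoritativeDown:
            counts["failed"] += 1
    return counts


if __name__ == "__main__":
    for label, kwargs in [("TTL 5 min", {"ttl": 300}),
                          ("TTL 24 h", {"ttl": 86400}),
                          ("TTL 5 min + serve-stale", {"ttl": 300, "serve_stale": True})]:
        print(f"{label:24s}", simulate(**kwargs))
```

With a 5-minute TTL every lookup during the two-and-a-half-hour outage fails, because the cached answer expired long before the authority went silent; with a 24-hour TTL the record fetched at midnight carries the client through the whole outage, and a serve-stale resolver rescues even the short-TTL case. The trade-off is that long TTLs also slow down legitimate changes: moving a record to a backup provider takes as long as the TTL to propagate, so high TTLs complement the second provider the previous paragraph calls for rather than replace it.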

Loss of traffic equals loss of profit. In the event of an attack there must always be immediate workarounds ready. If no radical measures are taken, the forecast is the same: the attacks will be stronger and more frequent.

The Internet of too-unsafe things


It turns out that the Internet of Things is a fashionable topic that is constantly discussed. In reality it has no centralised platform, and the market is full of different devices with software that needs updating. Security is not just a feature like a library file. Problems arise because nobody updates the firmware.

It is not surprising that the decisive structures of the Internet are managed using methods reminiscent of a Masonic initiation.

Order of the Phoenix


The secret lodge of people who "hold" the Internet on seven keys ...
A symbolic yet important ceremony has taken place, which against the background of the East Coast attacks acquires new meaning. If you can control the DNS, you hold the entire Internet in your hands.

ICANN (Internet Corporation for Assigned Names and Numbers) has been convening every three months, for the sixth year now, to perform a ritual known as the key ceremony. During it the keys to the metaphorical lock on the Internet are checked and updated. ICANN is responsible for the allocation of numerical Internet addresses (IP) to websites and computers.

To protect the DNS the organisation chose seven people as key holders, each of whom received a current key to the Internet. Seven more hold backup keys. The ceremony requires at least three participants with their keys; that is how many are needed to access the secure DNS hardware.

The physical keys open safe deposit boxes. Inside them are smart cards that carry the key material.

The master key itself is cryptographic material rather than a physical object. It signs the keys that in turn protect different parts of the DNS and are used by different operators.

The ceremony is itself wrapped in several layers of security. Participants pass through several locked doors using key codes and hand scanners, and end up in a room from which no electronic signals can be transmitted.

Tomorrow, 27 October, ICANN will hold another historic ceremony, at which the master key will be changed for the first time. In technical terms, the key pair that underpins all of DNS security will change. Its name is the root zone key signing key (KSK).

Source: https://habr.com/ru/post/313460/

