October 21st massive blackout: lessons learned

In recent weeks, some of the biggest DDoS attacks have shaken the internet, mainly in the US. Brian Kreb’s website first, and some days later, several waves of attacks on DYN, which caused a huge «blackout» of popular online services such as Twitter or PayPal. Our Security & Privacy Lead, Juan Gonzalez , explains in the following post what did happen and what useful lessons can be drawn from it.

Mirai DDoS Attack

Image Source: Techcrunch.com 

By: Juan Gonzalez, S&P Lead, Gradiant

On October 21, there was a DDoS attack (Distributed Denial of Service) causing Dyn’s DNS services blocking. The inmediate result was the inability to access to popular online services such as Twitter, Spotify, Airbnb, New York Times, Netflix, Amazon or PayPal, among many others, mostly on the west coast of the US.

The attackers used a botnet, called Mirai, that affects IoT devices such as IP cameras or video recording devices (DVR). Mirai was also used last September to make a DDoS attack against security expert blogger Brian Kerbs, kerbsonsecurity.com. Traffic used to block the blog got over 650 Gbps, so it was considered the largest known DDoS attack to that date.

Following the attack on Brian Kerb’s site, a user with the alias Anna-Senpai announced the release of Mirai’s source code, along with instructions for its use, in a well known hacking forum. Ever since then, Mirai code is publicly available on GitHub. The release of the code happened just three weeks before the attack on Dyn.

How does Mirai works?

Mirai is based on five main features: discovery of vulnerable devices, infection, protection of the infected device to prevent being removed from the botnet, control and attack. While the last four blocks do have a certain level of sophistication, the first of them -discovery of vulnerable devices- is frighteningly simple. It basically scans random IP addresses, connects to telnet port and test a number of common user and password combinations established by defect by vendors. Long story short, Mirai was able to spread to hundreds of thousands of devices, just expliting a simple vulnerability using: not to change the default password of IoT devices.

The increasing bandwidth of the Internet connections, coupled with the explosion in the number of connected IoT devices, increases the impact of DDoS attacks. For the record, a DDoS attack is not a sophisticated attack, but a brute force one instead, one that uses illegitimate traffic to prevent legitimate users from accessing a particular service. A DDoS is a proxy war, that will see only one winner: that one that has more processing power and bandwidth, whether attacker or defender.

Learned lessons

While the benefits of IoT are undeniable for almost every sectors (consumer, industrial, infrastructure, health…), it is essential that we get our sleeves rolled up to ensure safety of the IoT devices. Attacks such as this DDoS using Mirai botnet clearly shows up the growing relationship between IoT security and the uber-availability of Internet services.

There’s a solution to this: using Security by Design practices. This meaning, the safety requirements should be included as part of the product’s development from the bottom, from the design phase. In this phase, security controls that allows prevention, detection, response and, in case of failure, mitigating the consequences, should be established. For example, to prevent DDoS attacks, this devices could limit -by design- the maximum bandwidth they can consume.

On the other hand, it is essential to adopt practices to prevent, detect and respond to potential cyber threats in a continuous manner. In this case, Mirai’s code had been publicly released weeks in advance, and the information needed to use it was published in a well known hacking forum. With this intelligence information, US-CERT (Computer Emergency Readiness Team) could generate a warning a week before the attack. Probably this warning could have been useful to -at least- mitigate the effects caused by the attack, even if it could not stop it from happening. It is necessary to develop automated tools to extract data from appropriate sources, such as forums or hacking markets. Tools that can process and generate information in order to enable detection of potential cyberthreats.

Such tools will use key technologies as Natural Language Processing (NLP), Machine Learning and Deep Learning, all of them strategic technologies for Gradiant‘s future, as related to our strong commitment to security.

Gradiant Security

Gradiant is already present in forums and organizations in the field of security and cyber security at an international level, such as ECSO (European Cyber Security Organisation) as a founding member; or as Renic (Network of National Excellence for Innovation in Cyber Security).

Gradiant’s security capabilities are guaranteed by the development of a large number of secure technological solutions, applying the principles of security & privacy by design. Solutions such as those based on encrypted domain data processing (which allow analysis while preserving the privacy and the identity of the users). Or the ones based on homomorphic encryption and secure hardware modules (HSMs) for performing operations in the cloud with encrypted data. Gradiant has also applied the paradigm ofsecure IoT (Internet of Things) in real scenarios in which the security plays a key role. Gradiant develops biometric technologies based on facial recognition, handwritten signature or voice recognition. Gradiant works on drones and UAVs technologies to prevent GPS signal spoofing, for instance, to protect unmanned vehicles operations. In addition, Gradiant performs intelligent video analysis and processing os video signals to automate and simplify the monitoring and surveillance in complex environments (for example,video surveillance, or real time video feeds from drones or UAVs).