In October 2016, a cyberattack on Internet provider Dyn made many web services and sites inaccessible, and is considered the largest denial of service attack ever made.
Internet Communication Basics
Most Internet communications are of the client-server type. The Internet browser is often used as a “client” and sends requests to the server, asking it to display a Youtube video, for example.
Each server has its own IP address. When navigating on Google, for instance, the server that responds to our request may be different depending on our geographical location. This is made possible by using a Domain Name System (DNS). These DNS servers will translate an address with the words “www.google.com” into an IP address. This notion is important for understanding the attack that targeted Dyn.
History of Botnets
A botnet is a network of computers infected by a virus, which turns them into passive entities that remain listening to future instructions. The person controlling the botnet can then send commands to his army of infected computers. For example, ask his robots to send spam or launch distributed denial of service attacks. The distributed nature of this architecture makes detection of DDoS attacks difficult.
With the miniaturization and ever-decreasing cost of computing devices, more and more objects become connected. This creates an ever-growing network of printers, IP cameras and all kinds of objects that are connected to the web. All these devices are small computers, and like all computers, they are vulnerable to attacks. Moreover, since few people take the time to configure these connected objects, most of them are configured with default passwords, making it even simpler for an attacker to compromise and infect them viruses.
We find ourselves in a situation where many objects connected to the Internet are infected by a virus. And these devices are constantly on, unlike our computers. During the most recent DDoS attack, this botnet managed to generate up to 1.2 Tb of data per second! This is a data rate equivalent to nearly 2,000 DVD-quality movies sent per second!
Why did this attack hurt so badly?
Denial of service attacks have traditionally targeted servers or websites of companies that are chosen either for activism (or hacktivism) reasons, or for the purpose of extorting money.
What differs this attack from the previous ones is the target. For the first time, it was not site servers that were targeted, but the DNS servers of the Dyn company.
The sites of Twitter, Paypal and Netflix, for example, were fully functional. But by preventing us from knowing the address of the servers to connect, this attack made all these sites inaccessible.
How to defend against these attacks?
DDoS attacks often follow a well-established pattern. A first way to protect oneself therefore is to use systems that will detect the signatures of these attacks.
Another way to prevent is to implement redundancy on servers. By using load balancers, you can intelligently route traffic to multiple servers, improving the system’s resilience to high traffic flows.
But that’s not all! We also need to guard against infections, to prevent one of our systems from becoming a botnet member. To do this, you must first protect computers with antivirus software.
However, many connected devices are too simple to install an antivirus. It is therefore essential to analyze the inbound network traffic in your corporate network, both to detect known threats and zero-day vulnerabilities.
It is possible to further minimize the risk of infection of your systems by correlating and monitoring event logs, such as continuous network and systems monitoring.
Finally, remember to keep systems updated, in order to mitigate the risk that known vulnerabilities can be exploited and use unique and complex passwords. Password management software exist to make your life easier.
A specialized information security company will be able to assist you in analyzing your needs and selecting the most effective and efficient solutions to mitigate the risks of botnet attacks on your systems.