In this day and age, cyberattacks can come from directions you would never expect. We are all aware of threats from ransomware, nation-state actors, industrial espionage, or hacker collectives looking for personal information (credit card details in particular). However, we usually don’t expect our websites and services to become collateral damage thanks to a popular gaming server.
Enter the rise of the Mirai botnet, its hostile shutdown of Minecraft gaming servers, and its subsequent attacks on the cloud DNS provider Dyn in October 2016. According to a report by security journalist Brian Krebs, versions of Mirai were being launched against Minecraft servers by competing Minecraft security organisations in order to woo customers from one another. Mirai takes advantage of unprotected Internet of Things devices such as CCTV cameras, routers, DVRs, or even baby monitors. The botnet is able to rapidly overwhelm DNS servers with requests, cutting users off from the services they want to use: the definition of a distributed denial of service (DDoS) attack.
The Dyn attack, carried out in a single day, utilised more than 500,000 devices and pushed many popular services offline for hours, Twitter, Reddit and the BBC among them. What set this attack apart from prior botnets was its scale, as well as its hijacking of unsecured IoT devices (versus the more ‘typical’ compromised PCs). Dyn will not be a lone case; it is merely the most recent and most high-profile public example of a major attack, given the services that were affected. So, what can be done to defend networks and users from future attacks utilising consumer hardware?
First steps for protection: a hybrid approach
Protecting DNS services starts with adhering to the old adage “Don’t put all your eggs in one basket”. It’s best not to rely on a single DNS host, and to use advanced DNS hardware to handle traffic and to identify and block attacks. This lends itself to a hybrid approach, where the DNS architecture is spread across multiple DNS servers. While this may require some effort to keep the servers in sync, it gives you the option of a continually running service for your users in the event that one of your DNS servers becomes inaccessible. (Note that some DNS servers will handle the process of updating other DNS servers automatically, reducing the time needed to manage your DNS assets.)
In a hybrid DNS architecture, all DNS servers are constantly active. If one server is affected or goes down, the service automatically switches to another server. In the event of a DNS DDoS attack, users are served by the unaffected server, giving them uninterrupted access while preventing the automatic retries that would multiply the effects of the initial attack.
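A hybrid setup only helps if every provider answers with the same records, so the "keep in sync" effort above needs a check. The following is an added example, not code from the original article: it compares two constructed zone exports (hypothetical providers for the zone example.com) and reports every RRset that drifts between them.

```python
"""Detect record drift between two DNS providers serving the same zone.

Added example (not from the original article). Input lines use the common
"owner TTL class type rdata" zone-file shape; TTLs are ignored on purpose,
since providers often apply their own, but rdata differences are reported.
"""
from collections import defaultdict

# Constructed sample exports of the same zone from two hypothetical providers.
PROVIDER_A = """
example.com.      300 IN A     192.0.2.10
example.com.      300 IN A     192.0.2.11
www.example.com.  300 IN CNAME example.com.
example.com.      300 IN MX    10 mail.example.com.
mail.example.com. 300 IN A     192.0.2.20
"""

PROVIDER_B = """
example.com.      300 IN A     192.0.2.10
www.example.com.  300 IN CNAME example.com.
example.com.      300 IN MX    10 mail.example.com.
mail.example.com. 300 IN A     192.0.2.21
api.example.com.  300 IN A     192.0.2.30
"""


def parse_zone(text):
    """Map (owner, type) -> set of rdata strings, case-normalised."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # blank line, comment, or malformed record
        owner, _ttl, _cls, rtype = (f.lower() for f in fields[:4])
        rrsets[(owner, rtype)].add(" ".join(fields[4:]).lower())
    return rrsets


def zone_drift(a_text, b_text):
    """Return {(owner, type): (only_in_a, only_in_b)} for each differing RRset."""
    a, b = parse_zone(a_text), parse_zone(b_text)
    drift = {}
    for key in sorted(set(a) | set(b)):
        only_a, only_b = a[key] - b[key], b[key] - a[key]
        if only_a or only_b:
            drift[key] = (only_a, only_b)
    return drift


if __name__ == "__main__":
    for (owner, rtype), (only_a, only_b) in zone_drift(PROVIDER_A, PROVIDER_B).items():
        print(f"{owner} {rtype.upper()}: only A={sorted(only_a)} only B={sorted(only_b)}")
```

Run it against real exports from each provider before and after every change; an empty result means the providers agree, and anything else is a record a failover would silently serve differently.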
Using the DNS protocol as a defence
The problem facing any organisation trying to defend against IoT botnets like Mirai is that consumer internet services are difficult to protect. They’re open by design, and most active users are not considering the hardware they’re using, nor are they employing a security model beyond a basic firewall built into a router. Individuals can’t be expected or relied upon to keep their networks secure or IoT hardware up to date. Vendors may also not provide patches and bug fixes in a timely fashion, making matters worse. This all equates to an environment that’s become increasingly hard to manage.
So how can the internet be shielded from this growing risk? ISPs can adopt a stronger stance on network security, with more stringent controls on user networks and customer premises equipment (CPE). Their network hardware can also be leveraged to detect common attack patterns.
DNS security tools can go to work once compromised networks are identified. Using technologies like IPAM, they switch a customer’s CPE from an open network to one more restricted, with the ability to filter botnet command and control packets. They can also arm users with access to tools to help rectify their network, while helping to identify and update compromised hardware, in turn disrupting the structure of the botnet itself.
This approach is not without risk, as it inherently changes the relationship between the ISP and its customer, and can be seen as undue interference. For it to work, it should be handled at a regional level in cooperation with other ISPs, and would need to become part of the contract agreement between the user and the service provider.
Collaborative defence efforts by Services and ISPs
If services and ISP solutions like these are brought together, along with an industry-wide commitment on an approach to IoT updating and servicing, we may have a valid solution. Key elements would include:
- Advanced DNS services for absorbing DDoS traffic
- Using multiple DNS services to ensure key service continuity
- Using a DNS security layer for CPE, which is linked to detect attack patterns
- Consumer ISP quarantine services that are linked to simple IoT hardware update services
Massive DNS DDoS attacks like the one on Dyn can’t be prevented with a single action. They are far too large a threat in scale, and will require service providers, consumers, hardware vendors, and ISPs to join forces in order to deliver a functional solution.