When Toasters Crashed the Internet: What You Should Know About the Recent DDoS Attack

By Datalink

As the dust settles around last week’s distributed denial of service (DDoS) attack, IT experts and many affected companies will note Friday, October 21, 2016 as the date of a watershed event. It is the first time that the Internet of Things (IoT) was used in a widespread cyberattack. Where are we now and what does this attack mean for the future of IT security? This post presents our perspective.
What’s the current status?
It appears that the attack is contained. Most companies impacted by the incident have recovered and are operating normally. At Datalink, we remain hypervigilant in monitoring our clients’ infrastructure, but at this point we don’t see any signs of a follow-up attack.
What happened?
First, for those not familiar with the concept of “DNS,” here is some quick background. The Domain Name System (DNS) is a way of translating numeric IP addresses into recognizable names like google.com. Think of DNS as the Google for your computer. When you search for directions to Best Buy, you look up the address so you can plug it into your GPS. This is how DNS works, and without it our computers are effectively invisible.
A DDoS attack is designed to flood a service with bogus requests to the point that the system can’t respond to real requests. The queries come from so many different devices that they are hard to block. As soon as you block one, another can take its place. In Friday’s attack, the perpetrators created a botnet, which is a group of infected devices that will do whatever is asked of them. The cybercriminals then directed this collective to target a DNS provider.
Here is where this attack was unique. What were the infected devices? Laptops? Servers? Smartphones? Perhaps some, but it was primarily internet-enabled devices like toasters, web cameras, refrigerators, and DVRs that were involved. Initial estimates are that hundreds of thousands of devices throughout homes and businesses were used. Security experts have been warning us about the possibility of this type of attack for years.
Is this the new norm?
Unfortunately, it’s likely that companies and the IT solution providers that serve them will be wrestling with this issue for the foreseeable future. How will organizations protect themselves against the IoT? How will they respond to a DNS attack? These are serious concerns that most organizations had not been directly exposed to until Friday.
How were Datalink clients affected?
Despite the fact that Datalink’s main DNS provider (DynDNS) was the target of the attack, the environment we use to support our clients has many layers of security including what’s called Advanced Threat Protection, which analyzes outbound traffic for suspicious activity. Consequently, we were able to identify the signature of a botnet within minutes of the start of the attack, and our internal teams quickly developed workarounds.
One of the advantages our clients had in this situation is that Datalink’s collaboration with a wide range of companies and service providers gave us a broad perspective on the incident. That big picture view allowed us to rapidly create and share best practices for mitigating damage from the attack.
Clients who use our monitoring services also benefitted from being able to see their environment from the outside looking in. In addition, we helped clients deal with the flood of events by allowing them to burst (i.e. quickly expand) their operational capabilities.
Where do we go from here?
Needless to say, simply returning to business as usual and hoping that something like this won’t happen again isn’t a good strategy for anyone involved – from DNS providers to solution providers to internal IT organizations. Instead, we need to collaborate more closely than ever on assessing and strengthening our digital defenses.
The good news is that IT security experts and companies worldwide now have a better understanding of how to prevent or recover from a DDoS attack launched from IoT devices. By sharing what we’ve learned from this incident and working proactively to anticipate new types of attacks, we’ll all be better protected.
Jason D. Anderson
Technology Director
Engineering Services