Cyberattacks: everything you need to know
On October 21, the United States–based internet firm Dyn fell victim to a wide-scale cyberattack. Millions of North American and European users were unable to access more than 60 popular websites, including Twitter, PayPal, Spotify, Amazon and Netflix.
But what exactly happened? And what does it mean for the future of internet security?
We asked two Concordia experts — assistant professor Jeremy Clark, a faculty member of the Concordia Institute for Information Systems Engineering, and Fenwick McKelvey, a communications professor in the Faculty of Arts and Science.
Can you explain the October 21 cyberattack?
Jeremy Clark: When you request information from a website or internet service, you get in a line behind other people who tried to connect to the same service before you.
Generally, servers can process requests very fast so there is never a noticeable wait.
However, if far more people try to connect to the same site at the same time than the service is prepared for, a lineup can form. Once the line gets too long, the website will start throwing away extra requests until it can reduce the backlog.
Criminals who want to disable a site will attempt to flood it with so many requests that the line is constantly saturated and real users connecting to the site will have their requests thrown away. This is called a distributed denial of service or DDoS attack, and that’s what happened to Dyn on October 21.
It used to be that attackers would send as much traffic as they could from a single computer or a small number of computers. However, if all the traffic is coming from the same location, internet service providers (ISPs) like Rogers or Bell will see the traffic and block it.
Now, attackers operate from as many different locations as possible to make it harder to tell the difference between legitimate requests and ones that are part of the attack — this is what makes it "distributed."
Attackers do not personally own computers all over the world, so they take over those of other people and then rent out access to sets of them (called a botnet) to others wanting to do a DDoS attack.
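A small queue simulation, added here as an illustration and not part of the interview, of the mechanism Clark describes above: a server that throws away requests once its line is full, a per-source block standing in for what an ISP can do to one flooding machine, and why spreading the same volume across many bots evades that block. The queue capacity, service rate, per-source limit and all request counts are invented for the example.

```python
import random
from collections import Counter

def simulate(legit_sources, bots, requests_per_bot, capacity=100, rate=50,
             per_source_limit=None, ticks=20, seed=1):
    """Tick-based model of a server with a bounded line of waiting requests.

    legit_sources:    real users, each sending one request per tick
    bots:             attacking machines (the botnet)
    requests_per_bot: requests each bot sends per tick
    capacity:         how long the line may get before extra requests are thrown away
    rate:             requests the server finishes per tick
    per_source_limit: if set, an upstream filter (the ISP in the interview) drops every
                      request from any source that sends more than this many per tick
    Returns counts of legitimate requests served and dropped, and requests the filter removed.
    """
    rng = random.Random(seed)          # fixed seed so the run is reproducible
    queue = []
    served = dropped = filtered = 0
    for _ in range(ticks):
        # Each request is (source_id, is_legit); sources are labelled so the filter can count them.
        arrivals = [(f"user{i}", True) for i in range(legit_sources)]
        arrivals += [(f"bot{i}", False) for i in range(bots) for _ in range(requests_per_bot)]
        rng.shuffle(arrivals)          # everyone joins the line in arrival order
        if per_source_limit is not None:
            per_source = Counter(src for src, _ in arrivals)
            kept = [r for r in arrivals if per_source[r[0]] <= per_source_limit]
            filtered += len(arrivals) - len(kept)
            arrivals = kept
        for req in arrivals:
            if len(queue) < capacity:
                queue.append(req)
            elif req[1]:               # a real user's request thrown away
                dropped += 1
        for _ in range(min(rate, len(queue))):   # server works the front of the line
            if queue.pop(0)[1]:
                served += 1
    return {"legit_served": served, "legit_dropped": dropped,
            "legit_total": legit_sources * ticks, "filtered": filtered}

def legit_drop_rate(result):
    """Fraction of real users' requests that were thrown away."""
    return result["legit_dropped"] / result["legit_total"]

if __name__ == "__main__":
    print("no attack         :", legit_drop_rate(simulate(40, 0, 0)))
    print("one bot, no filter:", legit_drop_rate(simulate(40, 1, 400)))
    print("one bot, filtered :", legit_drop_rate(simulate(40, 1, 400, per_source_limit=10)))
    print("400 bots, filtered:", legit_drop_rate(simulate(40, 400, 1, per_source_limit=10)))
```

The last two lines of output are the point: the same 400 requests per tick are fully blocked when they come from one source, but pass the per-source filter untouched when each of 400 bots sends only one.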
Fenwick McKelvey: Dyn is a domain name management service, translating a domain name like Concordia.ca into an actual location online. Reports called the company a part of the internet’s switchboard or telephone directory. These comparisons are accurate, but they don’t capture how this attack can be targeted — in this case, along the Eastern seaboard.
The botnet, simply put, tried to connect to Dyn servers all at once — with an attack average of 620 gigabytes per second. That’s 12,000 times more capacity than your average home internet speed.
They actually attacked Dyn three times as much as they needed to in order to disrupt the service for some sites, and it made some companies that use Dyn inaccessible.
What was new about this attack, and why is it significant?
JC: DDoS attacks have been around for a while, but there are two elements to this one that are novel (each has been used individually but not together and not at this scale).
The first stems from the fact that it is becoming harder for criminals to take over computers, in particular when users regularly update their operating systems.
So, attackers are targeting smaller internet-connected devices that have much less security than a full-fledged computer, phone or tablet. These include things like cameras, lightbulbs and smart appliances (the so-called "internet of things" or IoT devices).
Because these devices generally do not have a keyboard or large screen, they are harder to update and many users leave insecure default settings in place. We do not know the full extent to which IoT devices played a role, but preliminary analysis seems to suggest it made up a large portion of the attack.
The second aspect is what was targeted — in this case, a large set of Dyn’s DNS servers responsible for many large websites.
While the company has servers all over the world, the attackers focused on a few of them and were able to disable DNS service for these sites for users of all ISPs from certain regions, most notably the east of Canada and the US.
FM: Worries about botnets, the internet of things and critical internet resources are old. It’s just that they came true on Friday.
Computer security expert Bruce Schneier suspected something was going to happen. The threat he mentioned might not even be connected to the Dyn attack. So, many people expect this is a sign of things to come.
What needs to happen in order to stave off future attacks?
JC: The security of IoT devices will improve over time and vendors will enable automatic updates that do not require user action. They will also rethink how default passwords are assigned to new devices.
In the meantime, ISPs may need to be more proactive in detecting vulnerable devices amongst their users and blocking large volumes of traffic emanating from them. It is not clear how feasible this is — the DNS system has always been a target and there is no clear way to fix it.
In the short term, it seems more feasible to rely on ISPs and other entities along the “backbone” of the internet to identify and choke DDoS attacks before they reach their intended target.
FM: Our own Canadian DNS administrator suggests having more redundancies with backups to prevent this kind of disruption. One device manufacturer has actually recalled its products that might have been part of the botnet.
I think we need more security on internet-enabled devices, and maybe even more consumer protection. Governments and the internet governance community have a role to play in creating and enforcing these standards. And they must ensure that the public, academics, advocacy groups and white hats are part of that process.
What are the social ramifications of this attack?
FM: Phil Howard writes that “nation-states, polities and governments need to be thought of as sociotechnical systems, not representative systems.” These sociotechnical systems imbricate with both the internet and botnets. We need to start expanding our sense of political actors to include the hackers, botnets and daemons that have profoundly political ramifications.
How do you think this attack may affect the upcoming US election?
JC: If the US used internet voting, this could be a major issue and is one of several reasons to resist moving in this direction.
A Canadian parliamentary committee is currently considering internet voting. We have seen DDoS attacks here, however, such as the one that disrupted the 2012 New Democratic Party leadership convention, and they were successful despite being much smaller.
Some US voting machines have internet capabilities. However, hitting them with a DDoS attack should not stop the collection of ballots. Malicious entities might target candidates’ websites, information about polling locations, etc., but for this attack to be effective, it would have to be targeted at specific sites and not the DNS system.
FM: Aside from the constant fears that hackers are trying to disrupt the US election, attacks can also target voting infrastructure.