If you live on or near the East Coast of the United States, the odds are pretty good that you had trouble accessing one or more of your favorite Web sites this morning. That’s because of a massive cyberattack launched this morning against a popular provider of network services (a company called “Dyn“), which resulted in companies that depended on those services getting knocked offline. The attacks have been ongoing all day, and indeed may still be underway as you read this.
This story is more significant than just some inconvenienced users, however. If early reports are true, it is actually the latest and most serious manifestation of a threat that began to emerge a few weeks ago — a threat which, if left unchecked, could potentially pose a mortal threat to the viability of the Internet itself.
That threat comes from a new type of malware. The latest iteration (which has been implicated in today’s attack) of this type has been given the name “Mirai,” but Mirai isn’t unique; it’s an evolution of a strain of malware that emerged this summer, and which has been growing in strength and danger ever since. Today’s attack indicates that it’s now gotten so pervasive that it could pose major risks to critical online services. So it’s officially a Big Deal — and one that’s only getting bigger.
Given that, I wanted to use this space to try and explain to the general public, in non-technical language, exactly how this new type of malware works, and why it poses a new type of threat that’s much bigger than anything that’s come before.
The new target: the “Internet of Things”
Mirai, and the other malware packages that preceded it, are tools that allow a user to take command of a botnet. A botnet is simply a group of computers that have all been infected with a virus which allows an attacker to take control of them remotely. The more systems that get infected with the virus, the more total computing power the attacker has at their command.
What can a bad guy can do with lots of zombie computers all lashed together like that? A common use for such a network is to launch a denial-of-service (DOS) attack.
Any online service, even the biggest, can only cope with as much traffic as the server and networking hardware behind it is able to handle. Once the limits of those systems are reached, any new requests will automatically fail because there’s simply no capacity left to respond to them. So, by taking all those zombie computers and directing them to do nothing but hit a service over and over again non-stop, the operator of a botnet can crowd out legitimate traffic through sheer weight of numbers.
So far, so usual; botnets and denial-of-service attacks are nothing new. What is new, however — the novel twist that the authors of Mirai and its predecessors brought to this attack — is that Mirai isn’t interested in infecting computers. Instead, the virus that builds its botnet goes after a completely different class of target: the so-called “Internet of Things.”
As Internet access to homes and businesses has gotten faster, cheaper and more reliable, makers of lots of devices have started adding features to those devices to connect them up to the network. Smart TVs and DVRs, security cameras and baby monitors, even refrigerators and light bulbs are connecting to the network in ever-growing numbers.
That’s a problem, because once a computer is hooked up to the public Internet, it becomes a tempting target for hackers. And you can’t hook anything up to the Internet without putting a little computer inside it, to tell it what to do with the data flowing in and what data it should be flowing out.
What makes Mirai and friends so special is that they turn all those little computers into their botnet zombies. And they do it in an absurdly simple way — they simply try to log in to those devices using the default usernames and passwords that are programmed into them at the factory. They’re betting that the people who bought them didn’t bother to change those credentials when they took their shiny new gizmo out of the box and hooked it up.
Which, it turns out, is a really, really good bet.
There are literally millions of these devices out in the wild today still using their default credentials. And that has enabled the operators of Mirai-family botnets to put together zombie armies of unprecedented size — which, over the last few weeks, they have begun turning against increasingly visible and high-profile targets.
The software Eye of Sauron
One such target was security researcher Brian Krebs, whose research, published on his influential blog “Krebs on Security,” has led to the arrests of hackers in the past. “Krebs on Security” was hit late last month with what was at the time the largest denial-of-service attack ever seen.
A Mirai botnet turned its army of zombie devices on Krebs’ blog, flooding it with a huge volume of malicious traffic — tens of thousands of compromised devices worldwide, flooding his site with 665 gigabits of traffic per second! — for days. The weight of the attack was so great that the company that hosted his blog, Akamai, eventually gave up trying to filter it all out and just took “Krebs on Security” offline.
It eventually came back up, days later, but only because Google stepped in and applied their massive resources to protect it. (Google’s “Project Shield” is slowly making similar protection available for other journalists and news organizations, but even Google can’t afford to protect every site on the Web from onslaughts of this size.)
So what Mirai & company provide the people who use them is a sort of software Eye of Sauron; if its terrible gaze happens to fall upon your site, any site, that site will be utterly obliterated.
Krebs calls this “the democratization of censorship“:
Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.
Ask yourself how many independent journalists could possibly afford that kind of protection money?
The answer, of course, is: not many. Forget independent journalists; not many businesses could afford to stand up to a threat that could potentially cost them that much.
So this morning the gaze of that software Eye of Sauron landed on Dyn, and that company has been thrashing in pain ever since — along with every other service that depended on Dyn to keep themselves online.
It’s unclear as of this writing (7:00 PM EST) what the eventual cost of this attack will be, both directly from Dyn trying to defend against it and indirectly from lost sales at Dyn’s clients and damage to Dyn’s reputation as a reliable provider.
But two things are not unclear: the armies of zombie devices that marched on Dyn today are still out there. And the source code for the software to control them is open for anyone to download.
Which means that the question isn’t whether there will be another attack the size of today’s, or even bigger. The question is when.