After a massive distributed denial-of-service attack targeted at Dyn DNS, companies are starting to respond and more details are being made public.
As I covered in “The Dyn DNS attacks: What we know now,” the massive attack knocked offline big-name websites, including Amazon services, Tumblr, Twitter, Reddit, Spotify, and Netflix, among others. For those not familiar, Dyn DNS provides Domain Name Services, a sort of directory service for the Internet. When Dyn’s systems were hit with waves of bogus traffic, users couldn’t have their access requests for those sites resolved properly.
According to the analysis completed to date, much of the traffic generated in the DDoS (Distributed Denial-of-Service) attack was created using compromised IoT devices, including Webcams and digital recording devices.
The Chinese firm Hangzhou Xiongmai Technology, one of the firms whose IoT devices were part of the attack, told Reuters that the company will recall the devices, including some surveillance cameras sold in the United States. “Liu Yuexin, Xiongmai’s marketing director, estimated the number of vulnerable devices at fewer than 10,000 to be recalled. He said the company would recall the first few batches of surveillance cameras made in 2014 that monitor rooms or shops for personal, rather than industrial, use,” according to the article.
Another firm, Dahua Technology, announced firmware patches and incentives for customers to trade in devices as part of their response. In a statement, Dahua Technology said:
“As always, we have firmware updates available on the Dahua Wiki, and a dedicated channel for customers to ask questions about cybersecurity or report suspected vulnerabilities (email@example.com).
“Specific to this issue, we are offering replacement discounts as a gesture of goodwill to customers who wish to replace pre-January 2015 models. Dealers can bring such products to an authorized Dahua dealer, where a technical evaluation will be performed to determine eligibility.”
In an analysis published Tuesday, security firm Flashpoint concluded that while the Mirai botnet malware was used in the DDoS attack, the botnet was managed separately from the command and control system used to attack Krebsonsecurity.com at an earlier date.
Flashpoint also believes that the attack was not the work of a nation-state or organized crime but was carried out by amateurs. And Dyn wasn’t even the target; a gaming network was.
“In its investigation of Dyn DDoS attacks, Flashpoint discovered that the infrastructure used in the attack also targeted a well-known video game company. While there does not appear to have been any disruption of service, the targeting of a video game company is less indicative of hacktivists, state-actors, or social justice communities, and aligns more with the hackers that frequent online hacking forums,” the authors Allison Nixon, John Costello, and Zach Wikholm concluded.
So what is the good news and bad news?
The bad news first: A massive attack that crippled access to numerous big-name websites appears, so far, to have been conducted by amateurs – who may have misfired. The attack also appears relatively simple to pull off.
The good news, potentially, is that those who have the power to fix the situation going forward are taking notice. Physical recalls for manufacturers are expensive, and IoT device makers very likely want to avoid that financial pain. They would be wise to avoid designing and shipping products that can be easily hijacked in the future.