I know, you must be wondering who Dyn is and what a DDoS is. Don’t worry, I’ll explain all. Dyn is a well-known company (at least in the computer networks world) that provides solutions for Internet traffic management, intelligence, DNS services etc. They have some of the biggest customers in their pocket, like Twitter, GitHub, Reddit, Amazon, Netflix, Spotify … the list goes on. The attack on Oct 21st targeted in particular their DNS infrastructure, which Dyn’s customers rely on; it almost crippled their network and thereby affected those customers. DNS is a crucial part of what makes the Internet work, and in this case it was the primary target. I’ll explain DNS too.
What the heck is a DDoS attack?
I don’t want to give its definition, that’s something you can Google. I’ll explain what a DDoS closely looks like in the real world. Some examples:
Take another classic example, remember the days we used to book train tickets on the IRCTC website at 8:00 am in the morning for tatkal? Ever wondered why the heck it runs so slow, especially at 8:00 am? The clueless first-timer who thinks he can easily book a 1-tier AC ticket because there are 2 seats available, while ignoring 20 available seats in 3-tier AC, all for a 4-hour journey, ends up with a sleeper class ticket at 22 on the waiting list, only to bribe the TC to get into an AC coach later. The site opens just fine at any other time, but why not at 8:00 am? I am not sure what the current times are for tatkal booking, it’s been a while since I booked.
Though the first example is vague, just like Chetan Bhagat’s books, both cases have something in common; if you figured it out you can move to the next section. If not, it’s very simple, really. In both cases we have users who are trying to avail a service which is assumed to be available all the time, but who couldn’t avail it at a particular time. A service can be anything, going to a store and buying a book, or opening a website and purchasing online. In the above two cases the users were not able to avail the service because of the service’s unavailability or poor performance.
In the first case it was service unavailability due to a road block, while in the second case it was poor performance in handling so many requests from the users, which in turn caused service unavailability on the IRCTC site. DDoS, which is more complex and highly technical, is in a way almost similar, but can be extremely disruptive at times. To put it in simple terms:
A Denial of Service (DoS) or Distributed Denial of Service (DDoS) causes a legitimate user’s request to a service either to experience a huge delay or to simply find the service unavailable for extended periods of time. The reasons for the service unavailability can be either internal or external factors. In this case we look at the external factors in particular, which is what the outage on Oct 21st was about.
Even though by nature a DDoS is purely technical, the intentions/motivations behind it are exactly the same as a Bandh/Protest; the former is controversially known as Hacktivism and happens in the Cyber World, the Internet, while the latter is simply Activism and happens in the real world. It’s just that sometimes the former goes out of control and ends up making news, and me writing a lengthy blog post.
So what ‘exactly’ happened on Oct 21st?
A DDoS attack of course, but let’s see the technical details of it. There are two things you need to know before understanding the attack on Oct 21st: IoT and DNS.
A network of zombie minions called IoZ (Internet of Zombies, that’s what I would like to call them from now on) attacked a company called Dyn. Unfortunately this company provides name resolution service (DNS) for some of the big and well-known companies like Twitter, Reddit etc.
In simple terms, these IoZ devices sent several junk requests, e.g. asking what the IP address of something like asdjjddv.com is; the traffic may not even be an actual request asking for the IP address of a website, it could be plain junk traffic. Fortunately their infrastructure was/is prepared for such attacks and knows how to mitigate them. Then why was there an outage?
We are not talking about the zombies in the movie Dead Alive, we are talking about World War Z here: more than 100,000 IoT devices sent their junk traffic to Dyn’s infrastructure. The problem here was not the attack itself; most major companies with an Internet presence have measures in place for DDoS attacks and can mitigate them to a certain extent. The attack that happened on Oct 21st was so intense that it crippled the availability of their DNS service to the actual authentic users, so when the general public entered reddit.com they got an error saying timed out.
This happened only to users in the eastern part of the US. Not everyone got affected, because Dyn is not the only DNS service provider on the Internet.
How can IoT devices attack and who is behind this?
IoT devices (mostly webcams) in our case were targeted by a malware called Mirai (meaning The Future in Japanese). It was developed by a hacker who goes by the pseudonym Anna-Senpai, and it wasn’t created for the attack on Dyn; it existed even before Dyn’s attack and had already helped in two other DDoS attacks. In the case of Dyn, it was not exactly Mirai but a modified version of it. Just before the attack the author, Anna-Senpai, released it as open source on the web (link), and in just a few days a modified version of Mirai was born and attacked IoT devices to create a Botnet, which later attacked Dyn. Below is from a forum where Anna-Senpai made a post about releasing Mirai to the skids (Script Kiddies).
A Botnet is a simple concept to understand and extremely complex to investigate in attacks like these. So what happened in this attack?
A malware, here Mirai, attacked a predefined group of targets (e.g. IoT devices, desktops, servers etc.) using their default login credentials. It used a list of predefined login IDs and passwords and scanned the Internet with login attempts in a trial-and-error method. It used Telnet (a way to remotely log in to a device) and on successful login it made those devices part of a Botnet. Every infected device was added to the Botnet, and that Botnet was controlled via a CnC (Command and Control); in most cases a CnC is an infected server on the Internet which is hacked for this purpose. The picture below shows the details of the default login IDs/passwords used by Mirai.
Interesting fact: from the above picture, a quick lookup in Google told me that the credentials root/7ujMko0vizxv belong to Dahua IP Cameras; looks like that company set that as a static password for all of their products, how stupid! Further googling told me that root/dreambox belongs to a product called Dreambox HD Satellite Receiver.
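Detection logic for the trial-and-error Telnet scanning described above, as an added example that is not from the post or from Mirai: it parses constructed Telnet honeypot log lines (the log format is an assumption), flags sources that spray several distinct credential pairs, and reports any successful login that used a known factory default such as the two pairs named in the post.

```python
import re
from collections import defaultdict

# Constructed sample of a Telnet honeypot log; the line format is an assumption
# for this example, not Mirai's or any product's real format. The two pairs
# named in the post (root/7ujMko0vizxv, root/dreambox) appear; the rest are made up.
SAMPLE_LOG = """\
2016-10-21T11:00:01Z telnetd login user=root pass=7ujMko0vizxv src=203.0.113.5 result=fail
2016-10-21T11:00:02Z telnetd login user=root pass=dreambox src=203.0.113.5 result=fail
2016-10-21T11:00:02Z telnetd login user=admin pass=admin src=203.0.113.5 result=fail
2016-10-21T11:00:03Z telnetd login user=root pass=root src=203.0.113.5 result=success
2016-10-21T11:05:10Z telnetd login user=alice pass=S3cret-Pa55 src=198.51.100.7 result=success
2016-10-21T11:06:00Z telnetd login user=alice pass=S3cret-Pa5 src=198.51.100.7 result=fail
"""

# Factory defaults to watch for. The first two come from the post; the other
# two are constructed placeholders standing in for the rest of Mirai's list.
KNOWN_DEFAULTS = {
    ("root", "7ujMko0vizxv"),  # Dahua IP cameras, per the post
    ("root", "dreambox"),      # Dreambox HD satellite receiver, per the post
    ("admin", "admin"),        # constructed placeholder
    ("root", "root"),          # constructed placeholder
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd login user=(?P<user>\S+) pass=(?P<pw>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def analyse_telnet_log(log_text, spray_threshold=3):
    """Return sources that tried spray_threshold or more distinct credential
    pairs (the trial-and-error scanning the post describes) and every
    successful login that used a known factory default."""
    tried = defaultdict(set)         # src -> distinct (user, pw) pairs attempted
    default_successes = []           # (src, user, pw) where a default worked
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # not a login record; ignore
        pair = (m["user"], m["pw"])
        tried[m["src"]].add(pair)
        if m["result"] == "success" and pair in KNOWN_DEFAULTS:
            default_successes.append((m["src"], m["user"], m["pw"]))
    sprayers = sorted(s for s, pairs in tried.items() if len(pairs) >= spray_threshold)
    return {"sprayers": sprayers, "default_successes": default_successes}
```

A hit in `default_successes` is the finding that matters for a real device: the device is still on its factory password and reachable over Telnet, which is exactly what Mirai looked for.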
The hacker or hacker group can use this CnC (via a client application or a web-based interface) to tell the infected devices in the Botnet to do a particular task; here in Dyn’s case they instructed the devices to send junk traffic to Dyn’s DNS servers on TCP and UDP port 53. These ports are used for DNS name resolution services. It was estimated that traffic of 1.2 TB/s (Terabytes per second) was generated by this DDoS attack, which dwarfed every known DDoS attack that had ever happened before, and the result of this? The legitimate users who were using Dyn’s DNS services got affected. Big time.
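A small detector for the junk DNS query traffic the post describes (the asdjjddv.com-style requests above and the port 53 flood here), as an added example that is not Dyn’s code or anything from the post: it runs over constructed DNS query-log lines in an assumed format, measures each client’s peak query rate in a sliding window, and checks whether its names look machine-generated.

```python
from collections import defaultdict

# Constructed sample of DNS query-log lines (timestamp, client, name, type) in
# a format assumed for this example, not any real server's. The junk name
# asdjjddv.com mirrors the request the post describes; the other random names
# are made up, and a few normal lookups are mixed in.
SAMPLE_QUERIES = """\
1477047600 203.0.113.10 asdjjddv.com A
1477047600 203.0.113.10 qzkxpwvrt.com A
1477047600 203.0.113.10 mbvcxzlkj.com A
1477047601 203.0.113.10 trwqplmnb.com A
1477047601 203.0.113.10 hgfdsazxc.com A
1477047601 198.51.100.20 reddit.com A
1477047603 198.51.100.20 www.reddit.com AAAA
1477047605 198.51.100.21 twitter.com A
"""

def looks_random(name, min_len=8, max_vowel_ratio=0.2):
    """Heuristic for machine-generated junk: a long second-level label with
    almost no vowels (real site names nearly always have some)."""
    parts = name.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= min_len and vowels / len(label) < max_vowel_ratio

def detect_query_flood(log_text, window=5, rate_threshold=4, junk_fraction=0.5):
    """Flag clients whose peak query count inside any `window`-second span reaches
    rate_threshold and whose names are mostly junk. Returns {client: stats}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                       # skip malformed lines
        ts, src, name, _qtype = fields
        by_src[src].append((int(ts), name))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):     # sliding window over timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        junk = sum(looks_random(n) for _, n in events)
        if peak >= rate_threshold and junk / len(events) >= junk_fraction:
            flagged[src] = {"peak_queries": peak, "junk_names": junk}
    return flagged
```

At the scale the post describes, with over 100,000 sources, each client can stay under any per-client threshold, so the same counts aggregated by network prefix or by name pattern are the more useful signal.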
What was shown to people?
In the wake of this, the so-called “tech authors” of many sites started writing garbage shit about the situation, as usual, only making their readers eat more shit. Some of the shitty examples below.
Duh … While these nincompoops sitting at these “Tech Focused” sites were making extraordinarily premature claims while sipping on their organic orange juice shit, there were sites which made proper, well-informed news. Some below.
This will be a short section. I wanted to explain the actual events that occurred and the details of the attack while mocking these “Tech Sites” producing shitty articles, and that’s been done. So in conclusion I want to say two things.
- It is extremely difficult to shut down the whole Internet, no, it’s not that easy, and the people who write misinformed articles on it should be kept in jail for their lifetime with an Internet connection of a dial-up modem. I’ve written an article explaining why it is difficult, read this.
- The future is shit; this DDoS attack is just the beginning, and more such attacks with even higher intensity than 1.2 TB/s are expected to happen, thanks to all the IoT devices ready to get infected. If you’re buying a webcam or any gadget that can be hooked to the Internet, please ensure it has some quality standards. I know you definitely don’t give a shit when going for a cheap Chinese-made webcam which has Snapchat filters, but still. Regulating them is very difficult unless there are some strict standards in place, which I foolishly wish is going to happen because of this attack. The reason I am highlighting China has no relation to the ongoing campaign in India to boycott Chinese products, read this.
Finally, ALWAYS change the default login credentials for your networked devices/gadgets. That being said, thanks for reading this lengthy post, and share it if you think it’s informative.