Following the news that Discord, a free VoIP service designed for gaming communities, has had its chat servers abused to host malware, security experts from MWR Infosecurity, Imperva, FireMon, Plixer, Synopsys and Tripwire commented below.
Adam Horsewood, Senior Security Consultant at MWR Infosecurity:
“The attack on DYN could well be a form of advertising. DYN provide a DDOS defense service, protecting clients from the very same sort of attacks that they are now suffering. DDOS attacks can be provided as a service, allowing people to rent the ability to perform an attack with no upfront cost, or skill requirements. Service providers who can perform a successful attack against the very companies who offer protection services demonstrate that all who use those protective services are at risk. DYN’s client list includes many impressive clients such as Twitter, Spotify and Github, all of which would be highly sought after targets should the DDOS attack used today be sold by its creator.
“As to why the East coast is being specifically targeted, it may be that it isn’t. Cloud services make use of a technology called anycasting. Before anycasting, when you visited a website, it was like making a long distance trip to a specific location. With anycasting, the journey is cut down, as there are many copies of the location, distributed globally. As an analogy, instead of traveling for 20 minutes to go to a large supermarket, you could just go to your local corner shop, of which there are many similar copies. This makes these services quick to respond, and more resilient to attack, as they don’t exist in one single place anymore.
“The traffic that is causing the problem will likely go to the nearest copy of Dyn’s services, following their ISP’s routing, something they don’t control. The maps could indicate where the majority of the traffic is sourced or the nearest Dyn node to it.
“Assuming that Dyn advertise their service equally in different locations, what you are likely to be seeing is a large amount of source attacks in the region going to the nearest Dyn node or copy, indicating the source of the majority of the traffic is likely to be the US.
“Looking at http://downdetector.com/status/level3/map/, there appear to be smaller outages occurring in the UK, which is probably where the traffic from the EU is heading to. If the US’s east coast is targeted, the attacker would need to be targeting something specific to the east coast, which may be possible, but would require more of an investigation to facilitate.
“There are many types of attacks that fall under the DDOS banner, the most common of which is sheer volume. Botnets, a group of machines under the control of an attacker, often without their owner’s knowledge, can make use of badly configured services in their attack. They send a small request to these services, pretending to be their actual target. The services then respond, sending traffic en masse to the actual target. This has the added benefit of hiding the actual source of the attack from the victim.
“DDOS network resource exhaustion attacks are hard to protect against, as you have to accept a large amount of traffic before you can even do anything with it. You need to accept the traffic, and then strip out all the illegitimate or unwanted requests.
“Often this protection is outsourced to dedicated providers, who scrub the data clean. They may find something in the attack data that allows them to fingerprint the attack traffic specifically. But until they find something to differentiate the attack traffic from legitimate traffic, it can be difficult to distinguish one from the other.”
Marc Gaffan, General Manager, Incapsula at Imperva:
“DNS infrastructure is a key component of making the internet work, and the large DNS providers have invested heavily in protecting their systems from such attacks. However, with the significant increase in attack sizes over the past 18 months, now often surpassing bursts of half a terabit per second, many infrastructure and SaaS providers are looking to beef up their overall capacity and DDoS mitigation measures.”
Igal Zeifman, Security Evangelist, Incapsula at Imperva:
“The attack on Dyn is what is known as a DNS flood DDoS attack where attackers focus on the name servers to prevent web addresses from resolving. The attack is akin to cutting off the telephone network prior to an invasion to prevent communication.”
Paul Calatayud, CTO at FireMon:
“DDoS is not a new form of attack in and of itself, but methods and strategies around DDoS continue to evolve in the form of larger and more orchestrated attacks. Often, the measure of the level of sophistication of a DDoS attack comes in the form of measured throughput. The attack details are not known in this particular attack, but recent attacks against Krebs are reported to be upwards of 620 Gbps (https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/). That is a tremendous amount of data coming at a target at once.
“What causes me to pause and reflect most in regards to this breaking news is that Dyn DNS is a DNS SaaS provider. Its core job is to host and manage DNS services for its clients. The impact and harm have a ripple effect attributed to the various clients Dyn services. As attackers evaluate their targets, and organizations run to the proverbial cloud for various reasons, it introduces interesting targets for the bad guys.
“So, what can be done? First, evaluating dependency on cloud providers remains a risk you cannot outsource. Begin to plan for situations where cyber-attacks against you may never be directed at you, but rather organizations you come to rely upon. In the case of this attack and DNS, having a secondary DNS service operating at the same time may have mitigated the impact to your organization even when your primary provider goes down. Cloud Governance becomes an element of a CISO security program.”
Thomas Pore, Director of IT at Plixer:
“While this particular attack may not have been motivated by extortion, a new model of ransom-based attacks, Infrastructure Ransom as a Service (IRaaS), could be on the horizon, motivated to pay off threats for fear of infrastructure-wide customer outages. An infrastructure outage, such as DNS, against a service provider impacting both the provider and customers may prompt a quick ransom payoff to avoid unwanted customer attrition or larger financial impact. Should a provider come under attack, customers suffering from the extortion impact may start looking to move their services to another provider capable of mitigating the attacks. This prediction model could suggest a greater financial impact from customer attrition than paying off a few bitcoin to avoid the attack to begin with. Then what happens if these extortion attempts begin to arrive regularly? This may emerge into a new business model, with a consistent revenue stream. One thing is certain, DDoS attacks are not going away anytime soon.”
Mike Ahmadi, Global Director, Critical Systems Security at Synopsys:
“Despite decades of facing outages due to malformed traffic and data flooding, websites remain highly vulnerable to legacy attack vectors. Website providers need to constantly test their implementations with rigor in order to ensure that they can remain viable in an increasingly hostile environment. The avalanche of IoT devices has created an environment where software and implementation flaws can be exploited at previously unseen levels, effectively turning them into widely distributed information weapons. What may have been adequate robustness in the past no longer holds true.”
Craig Young, Security Researcher at Tripwire:
“As with most software designs from the 1980s, security was generally not considered when creating DNS. Originally designed for early networks like ARPANET, DNS allows human-friendly names in place of traditional network addresses and is now a critical infrastructure for the Internet as we know it. Because the web is so dependent on this system, it becomes a very visible point of failure as is the case today with service provider Dyn. Without DNS, there is essentially no Internet from the perspective of all but the most sophisticated users. Service providers will hopefully take this as a cue that they need to distribute their DNS across multiple providers to avoid this as a single point of failure.”
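Both Calatayud (a secondary DNS service alongside the primary) and Young (distribute DNS across multiple providers) point at the same check: does a zone's NS set actually depend on one operator? The following Python is an added example, not code from the article or from any of the quoted companies; the NS sets are constructed sample data, and on a real zone you would feed in the output of `dig +short NS <zone>`. Provider identity is a name-based heuristic (last two labels), which is an assumption that breaks for two-level TLDs such as co.uk.

```python
from collections import defaultdict

# Constructed sample NS sets, in the form `dig +short NS <zone>` prints them.
SAMPLE_NS_SETS = {
    "single-provider.example.": [
        "ns1.dns-provider-a.example.", "ns2.dns-provider-a.example.",
        "NS3.dns-provider-a.example.",
    ],
    "multi-provider.example.": [
        "ns1.dns-provider-a.example.", "ns2.dns-provider-a.example.",
        "ns1.dns-provider-b.example.",
    ],
    "self-hosted.example.": [
        "ns1.self-hosted.example.", "ns2.self-hosted.example.",
    ],
}

def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot so comparisons are stable."""
    return name.lower().rstrip(".")

def provider_of(ns_host: str) -> str:
    """Heuristic (assumption): the nameserver's registrable domain is its last
    two labels. Two-level public suffixes (co.uk) need a public-suffix list."""
    return ".".join(_norm(ns_host).split(".")[-2:])

def assess_ns_redundancy(zone: str, ns_hosts: list) -> dict:
    """Group a zone's nameservers by operator and flag single-provider setups."""
    zone = _norm(zone)
    by_provider = defaultdict(list)
    in_bailiwick = []
    for ns in ns_hosts:
        host = _norm(ns)
        if host == zone or host.endswith("." + zone):
            # NS name lives inside the zone it serves: the operator cannot be
            # read off the name; it would need an address/ASN lookup instead.
            in_bailiwick.append(host)
        else:
            by_provider[provider_of(host)].append(host)
    providers = sorted(by_provider)
    return {
        "zone": zone,
        "providers": providers,
        "in_bailiwick": in_bailiwick,
        "enough_nameservers": len(ns_hosts) >= 2,
        # Redundant only when two or more independent operators serve the zone.
        "provider_redundant": len(providers) >= 2,
    }

if __name__ == "__main__":
    for zone, ns in SAMPLE_NS_SETS.items():
        print(assess_ns_redundancy(zone, ns))
```

A zone that reports `provider_redundant: False` has exactly the exposure the article describes: an outage at its one provider takes every name in the zone with it.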