Yesterday, half the Internet was broken. I knew something was wrong when I couldn’t get into Salesforce to check on a support ticket for my biggest customer. Another member of my team sent us a warning that a big DDoS attack was happening, and not to count on being able to issue very many quotes today. So what, exactly, is a DDoS attack and how do DDoS attacks work?
I suppose there’s another question to ask too: What can you do to avoid being part of the problem? We’ll save that for the end.
DDoS stands for distributed denial of service. That’s a fancy way of saying you flood something with traffic so it gets too busy to pay attention to you and me.
In the old days, you just loaded some malware on a bunch of computers and pointed them at a web site. If a web site is built for 10,000 readers and you send it 100,000 readers’ worth of bogus traffic, the site crashes.
That trick doesn’t work as well now. It’s easy to build a site for 100,000 readers. You have to get a little bit fancier. Plus, it’s not as easy to infect 100,000 ordinary computers with malware these days. Computer vendors fix their security flaws and update them automatically.
So what’s a bad guy to do? Send a different kind of traffic. The old fashioned way was like getting into an arms race, where you have to spend a dollar for every dollar the bad guy spends to keep up. It’s easier on the bad guy if you have to spend $2 to keep up with every dollar the bad guy spends, even if the bad guy is spending someone else’s money.
Modern DDoS attacks do just that. They find ways to amplify the traffic they send.
The other thing they can do is attack indirectly. Yesterday it wasn’t just one site that was down. Netflix and Twitter were down, but so were two things I use every day at work: Salesforce and Okta.
The reason so many things were broken was because the bad guys were attacking a DNS provider. DNS is the Internet’s phone book. Your computer doesn’t understand my web site’s URL (dfarq.homeip.net). It understands 188.8.131.52. You’ll never remember that. Imagine if you had to remember a number like that for your 14 favorite web sites. You’d never use the Internet.
But when DNS is too busy, your computer can’t look up the name, and it can’t connect to the address.
Who knows what the bad guys wanted to take down. Chances are it was one or two things, and we had a ton of collateral damage. Maybe some disgruntled guy didn’t want to have to use Salesforce today.
So what do you do about it being hard to steal a computer these days? You steal a router instead. Routers are horribly insecure. Less secure than that Windows XP computer people like me have been telling you to recycle.
How do we prevent DDoS attacks? The usual approach is lots of clever redundancy. The problem is that the redundancy is expensive, and as the attacks grow more clever, they don’t necessarily get more expensive. But the protections always do.
Ultimately the answer is for the companies who make things that plug into the Internet, like routers and cameras, need to accept responsibility.
Whatever you think of him (and I did not like the man at the time), in 2002, Bill Gates woke up and realized the responsibility he bore. Microsoft’s sloppy security was putting the entire Internet at risk. Dan Geer, the CTO at a company called @stake, got fired for saying what Bill Gates realized. Microsoft committed at that point to monthly security updates and considering security when designing new software. There were some hiccups but Microsoft learned a lot in a few short years.
Today, hating on Microsoft is cool, but if you think Microsoft’s products are insecure, you either haven’t been paying attention or don’t know how to assess security.
Most other major software companies also issue security patches on a regular or semi-regular basis. Your computer isn’t perfectly secure and neither is mine, but we’re a lot better off today than we were in 2002.
Today, the existence of consumer routers and cameras that never receive security updates is starting to threaten the Internet’s backbone again. We’re spending millions of dollars to protect things like Salesforce from rogue routers that cost $15.
Today there’s no appetite to fix it. I’m not sure how many days like yesterday it’s going to take for us to develop one.
So, if the people who make these awful things won’t fix them, what can you do to avoid being part of the problem? First turn the device off and back on to clear the memory. Next, log in and change the username and password on the device. And finally, if you can, isolate wifi-capable things that aren’t computers on their own network. This doesn’t guarantee you won’t get reinfected, but it goes a surprisingly long way.