I read this NHPR/David Brooks account of the Dyn DDoS attack this morning, and feel like a few points should be addressed.

“In the case of the attack that hit Dyn, it was really big. We’re talking about millions, maybe even tens of millions of different sources, different IP addresses.”

This must be clarified.  This does not mean the planet has tens of millions of unique, infected devices. Few researchers are closer to the Mirai botnet than MalwareTech, who asserts that there are less than one million unique infected devices globally.

What had to have occurred in the case of the Dyn attack – which cannot be validated as they are withholding comment – is that the same devices were repeatedly attacking Dyn using different IP addresses, a “feature” in the Mirai source code known as source address randomization.

“Well you can’t just fix software because there are too many different kinds from too many different companies, some of which have gone out of business. It’s already complicated.”

It’s true that this is complicated, but it bears describing what David didn’t want to get into.  The vast percentage of devices out there involved in the Dyn attack are linked back to one Chinese manufacturer who was the OEM for a number of different brands.

Think about the number of times you see the same exact security camera on Amazon, only sold under a different name.  That is kind of what we’re up against – holding the OEM accountable, and then getting cooperation from every company who re-branded the device.

And cooperation to do what exactly.  A product recall of these “older” devices has been initiated, but the efficacy of any recall is questionable.  Hundreds of thousands of users need to be made aware of what is going on, and then compelled to take action, whether it’s to return the device, or somehow fix it themselves with what are sure to be inadequate instructions.

But in terms of a recall – the logistics of global product recall sprawl are exponential in this case, requiring a company to navigate the unique regulatory environment of every nation who has infected devices, leveraging surge capacity they…probably don’t have to handle the intake of devices and outflow of replacements.  And there’s evidence out there suggesting the OEM still hasn’t fixed the problem in its newer devices.  The more you think about this, the more your head hurts.

“Frankly, the severity of the attack on Dyn—Dyn is easily the hottest tech company in New Hampshire and they’re very well-respected and the fact that they were taken down shows just the size of the attack.”

I cannot agree with this.  Dyn is very aware of the climate their business operates in.  In fact, Dyn quite proudly offers DDoS protection as a service.  So why did it go wrong?

Dyn either missed or ignored the warning signs of this attack.  No one woke up last Friday morning and decided to coordinate an attack on them.  By Dyn’s own admission this was a complex attack, and complex attacks take reconnaissance and planning.

Likely for months, there were illicit tests of the Dyn infrastructure to understand if this attack could be successful, and those tests were not observed by Dyn, or if they were observed, they were not taken seriously, or not acted upon in a timely manner.  The Krebs DDoS and OVH DDoS were precursors to the Dyn attack, and Dyn surely had to have known they could be targeted.  This incident could not have been a surprise.

There is someone close to the organization asserting that Dyn’s staff and technology was simply not equipped to handle this attack, and they could have been.  If this is true, it is exceedingly disappointing.

Advertisements