Dyn DDoS – what can we do right now to help prevent the next attack?

The digital dust has settled, for now at least, on last week’s Distributed Denial of Service (DDoS) attack against DNS service provider Dyn.

There have been numerous rumours of what the attack was for, and why the attackers pounded Dyn with redundant traffic designed to harm the company’s ability to serve legitimate customers.

If you’re in a takeaway trying to order a nice, quick burger, but there are 100 people in front of you in the queue who ask politely all about today’s specials before calmly walking out without buying anything, both you and the burger vendor are going to take strain. Worse still, the time-wasters don’t have to spend any money buying up products to stop you getting served, so there’s not much to limit the scale of the disruption.

However, given that we’re in the last week of Cybersecurity Awareness Month, we thought we’d leave the rumours for later and start right at the top with our tips for how to fight back against the cybercrooks in our midst.

So here are some simple and general security tasks you can carry out at home (or at work!) to make life harder for the crooks:

  • Patch early, patch often. If your router has a firmware update available, install it now. If you have fallen behind on operating system updates, consider activating fully automatic updates so you won’t forget again. A hole that could be patched is a hole that should be patched.
  • Turn off remote access to your Internet of Things (IoT) devices like cameras and printers if you can. Some connected devices let outsiders log in by default, which is handy for troubleshooting but even handier for crooks. If the device lets you restrict access to your local network only, make sure that option is turned on.
  • Change all device passwords so you don’t have any defaults. Many devices come preconfigured with usernames and passwords such as root/root or admin/admin that can be found with a search engine. A default password is as bad as no password.
  • When you acquire a new device, research it online before you make it live. If there are security patches available, apply them first. If there are risky settings you can turn off, do that up front. Even if it’s a gift, don’t feel pressurised into connecting it up right away.
  • Learn how to scan your own network for security holes. Tools such as Nmap can help you find holes before the crooks do. It’s legal to probe your own network, so you may as well find out if there are any obvious problems first. (If you already know how to do this, why not help your friends as your contribution to #NCSAM?)
  • Consider trying an industrial-strength home firewall. For example, Sophos Firewall Home Edition is 100% free. You’ll need a spare computer and some technical savvy (or a friend with the savvy) to set it up, but you’ll end up with all the features of our commercial product, and it will keep itself up-to-date with protection against the latest hacking threats.
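As an added example (not code from the original article), here is a small POSIX shell script that turns the "scan your own network" and "turn off remote access" tips into a repeatable check: it asks Nmap for the TCP ports that usually mean a device accepts logins or admin connections, then lists every host on the LAN that has any of them open. It assumes Nmap is installed and that your home network is a /24 such as 192.168.1.0/24; the port list and the sample scan output used for the offline demo are constructed for this example.

```shell
#!/bin/sh
# Added example: audit a home network for devices that expose remote-access
# services. Not from the original article. Assumes nmap is installed and that
# you own the network you scan. The sample output below is constructed.

# TCP ports that commonly mean "someone can log in or administer this box":
# SSH (22), telnet (23 and the alternate 2323), web admin (80, 443, 8080,
# 8443), SMB (445) and RDP (3389). Assumed list; adjust to taste.
RISKY_PORTS=22,23,2323,80,443,8080,8443,445,3389

# scan_lan SUBNET: run nmap in "grepable" output format so the result can be
# fed to flag_risky_hosts. -sT is a plain TCP connect scan (no root needed),
# -Pn skips host discovery so devices that ignore ping are still checked.
scan_lan() {
    nmap -sT -Pn -p "$RISKY_PORTS" -oG - "$1"
}

# flag_risky_hosts: read nmap -oG lines on stdin and print one line per host
# that has at least one risky port open: "IP: port/service port/service".
# Grepable port entries look like 23/open/tcp//telnet///, i.e. fields split
# on "/" are port, state, protocol, owner, service.
flag_risky_hosts() {
    grep 'Ports:' | while IFS= read -r line; do
        ip=$(printf '%s\n' "$line" | sed -n 's/^Host: \([^ ]*\).*/\1/p')
        ports=$(printf '%s\n' "$line" \
            | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
            | tr ',' '\n' | sed 's/^[[:space:]]*//' \
            | awk -F/ '$2 == "open" { printf "%s/%s ", $1, $5 }')
        ports=${ports% }
        if [ -n "$ports" ]; then
            printf '%s: %s\n' "$ip" "$ports"
        fi
    done
}

# sample_scan: constructed nmap -oG output for an offline demo (not a real
# scan). 192.168.1.1 is a router with its web admin page up, 192.168.1.20 is
# a camera with telnet open on both ports, 192.168.1.30 filters everything.
sample_scan() {
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 22/closed/tcp//ssh///, 23/closed/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (7)\n'
    printf 'Host: 192.168.1.20 ()\tPorts: 23/open/tcp//telnet///, 2323/open/tcp//3d-nfsd///, 80/open/tcp//http///\tIgnored State: closed (6)\n'
    printf 'Host: 192.168.1.30 ()\tPorts: 22/filtered/tcp//ssh///\tIgnored State: closed (8)\n'
}

# Usage: sh audit.sh 192.168.1.0/24   (scans your own LAN if nmap is present)
#        sh audit.sh                  (runs against the constructed sample)
if [ -n "$1" ] && command -v nmap >/dev/null 2>&1; then
    scan_lan "$1" | flag_risky_hosts
else
    sample_scan | flag_risky_hosts
fi
```

Run it only against a network you own. A scan from inside the LAN shows what is listening, not what the internet can reach; to check the second, test from outside (for instance from a phone on mobile data) or review the port-forwarding and remote-management settings on the router. It also covers TCP only, so UDP services such as UPnP are not listed.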

What about the Dyn attack?

Some of the rumours we’ve heard about the attack on Dyn include:

  • The DDoS was an experiment to see how big an attack could be if the crooks really wanted.
  • The DDoS was a practice session for an attack on the forthcoming US election.
  • The DDoS was a show of strength, in case Julian Assange of Wikileaks turned out to be dead.

So far, however, the most likely explanation we’re aware of is that Dyn recently published an article about the risk of DDoS to service providers.

Dyn’s write-up dealt with the extent to which an open-source DDoS attack tool called Mirai was involved, and how to work against this sort of attack in the future.

If the name Mirai rings a bell, we wrote about it just two weeks ago after a similarly-huge DDoS attack on well-known cybercrime journalist Brian Krebs.

Krebs, in turn, seems to have been attacked because he was involved in an exposé that led to the arrest of two young DDoS-for-hire hackers from Israel.

In short, this may very well boil down to a series of “tit-for-tat” salvos launched by the DDoS crooks.

Why is this a job for us all?

For all the deeply sinister explanations you can come up with for the attacks on Dyn, there’s an underlying and prosaic reason why cybercrooks carry out DDoSes of this scale:

Q. Why do cybercrooks carry out DDoSes of this scale?

A. Because they can.

Unfortunately, one of the main reasons why the crooks are able to carry out such ambitious attacks is equally simply expressed:

Q. How is it that crooks are able to carry out such ambitious attacks?

A. Because we let them.

In the case of the Mirai attack tool mentioned above, the DDoS malware runs on unsecured IoT devices, from cameras and printers to routers and modems – devices that many people don’t even realise can contribute to cybercrime.

Worse still, while the Mirai malware is busy with attack X, it’s also automatically scanning the internet looking for the next wave of insecure devices that can be used for attack X+1.

Unlike old-school viruses and network worms, which looked for potential new victims and infected them automatically, Mirai plays a more secretive hand. It quietly reports its new list of potential victims back to the crooks, leaving infection until later. It therefore keeps a lower online profile than if it spread as far as possible and as quickly as it could.

It’s not just DDoS attacks from IoT devices that we have to worry about, by the way.

A significant proportion of the many websites that act as malware distribution servers used to attack Windows computers are otherwise-legitimate websites that have been hacked because they were unpatched or otherwise ill-secured.


And a significant proportion of the spam that we see comes from regular computers that are infected with zombie malware that allows crooks to spew out spam at will.

These three sorts of cyberattack share several worrying characteristics:

  • They give the crooks free bandwidth for their cybercrimes.
  • They divert the blame onto the wrong people.
  • They are hard to disrupt because they come from so many sources at the same time.
  • They seem innocent because they come from devices with no obvious criminal connection.
  • They can often be run again and again because just removing the malware is not enough.

Finding the Mirai malware on your home router, for example, soothes but does not sort out the problem: if you simply delete the malware and do nothing more, the crooks will soon find you again and co-opt you back into their arsenal.

You need to close the door on the crooks on a more permanent basis whenever you can.

So, why not start with the #CyberAware tips we set out at the top of this article?

After all, when it comes to DDoS bots, spam zombies, unpatched servers and even to shabby passwords

…if you aren’t part of the solution, you’re part of the problem.