Dyn DDoS Attack: IoT Vulnerabilities

Dyn DDoS attack and IoT Vulnerabilities

We saw a preview Friday of how fragile the cyber world can be when DNS service disruptions blocked access to many popular websites. This wasn’t a case of stealing data (which tends to get a lot of media attention).  Instead, the Dyn DDoS attack achieved its goal of disrupting access to internet services. As I’m sure readers know by now, Dyn is a major DNS host whose customers include some of the biggest names on the internet including Twitter, SoundCloud, Spotify, Reddit and a host of others.

Massive Distributed Denail of Service (DDoS) Attacks

The Dyn DDoS attack comes shortly after a pair of other massive DDoS attacks. The first targeted security blogger Brian Krebs’ site in mid-September. A couple of weeks later, French ISP OVH was the victim of a DDoS attack which generated over one terabyte per second of traffic. 

A couple of observations: 

IoT Vulnerabilities & Device Exploits

  • First, these attacks exploited IoT vulnerabilities through devices such as webcams and DVRs, turning these devices into an army of “bots” overwhelming Dyn’s systems with noise. This wasn’t a matter of identifying complex IoT vulnerabilities in the software driving these devices. Instead, it relied on the fact that manufacturers and users of these devices are usually clueless about fundamental security activities. In this case, the attackers enlisted IoT devices that used default user names and passwords (user error for not changing these). Worse, it appears from Krebs’ post that the devices can be coopted via Telnet and SSH commands even when a user changes the password.

Who's Buying Affected Devices

  • The affected devices are not necessarily sold directly to consumers. For example, the cameras may be sold to OEMs who use the camera as a portion of their own solution. If we assume (safely, I believe) that the OEMs are no more sophisticated about security than the camera folks, we increase the likelihood of exploitability and reduce the likelihood of these devices getting fixed - EVER. 

Find Out More About the Internet of ThingsGrowing Frequency & Size

  • The frequency with which this is happening and the growing size of the attacks leaves open the question of “why” and “who.” Dyn confirmed that the DDoS attack was based on the Mirai botnet code – just as was the attack on OVH and Krebs’ site. The author of the botnet released the code to the public in late September, meaning anyone could be responsible for the attack on Dyn. 

Impact of DDoS & Cyber Attacks

  • It’s not always about the data. Attacks that result in stolen credit card data or personal information are often in the headlines. But data loss isn’t always the worst case scenario, which is why we discuss security impacts using metrics of Confidentiality, Integrity (of data/systems), and Availability. Each application is different, and the technical impact from various attacks needs to be considered during threat modeling and when risk ranking vulnerabilities. In this case, Availability was the critical issue. Amazon and Netflix likely lost revenue from customers unable to complete purchases, and Twitter and Spotify couldn’t deliver advertisements at an optimal rate. 

Lack of Security Maturity

  • This attack vector affected a large number of IoT devices, but is unlikely to be the only available method for attackers. The lack of security maturity demonstrated by IoT vendors is likely to show IoT vulnerabilities to be the norm. Consumer IoT is a cost-sensitive market, and the vendors will use open source operating systems and components liberally. Will they track these components to ensure that those with known vulnerabilities and public exploits are avoided? As new vulnerabilities are disclosed, do they have processes for alerting and updating deployed devices

Defining Security Standards

  • The EU is contemplating security standards and labeling, which would attempt to raise the bar and put accountability on the table. The problem, of course, is that security testing for software is very different than CA or UL testing. The latter are based on physics; you can prove that a mining lamp is “intrinsically safe” based on specific criteria. Software security changes as new vulnerabilities are disclosed.  

In many ways we should be glad for these wake-up calls. We are increasingly dependent on the internet, not only for commerce, but for our safety. The Dyn DDoS attack demonstrated how an attacker, using publicly available attacks and IoT vulnerabilities, can exploit an increasing population of unsophisticated and unsecured devices to affect our critical infrastructure.


Sorry we missed you! We close comments for older posts, but we still want to hear from you. Tweet @black_duck_sw to continue the discussion.


Now It’s Personal – 4 Takeaways From the Equifax Breach

| Sep 18, 2017

If you’re reading this, you have no doubt heard that personal information, including social security numbers, was stolen from Equifax – one of the Big 3 credit reporting agencies. From an industry standpoint, here’s a quick takeaway. Wait – For Once It Could Affect Me? For a lot of breaches, the

| MORE >

Critical Vulnerability CVE-2017-5638 Attacks Escalating

| Sep 14, 2017

 Attacks on Apache Struts 2 have escalated over the past couple of days as hackers exploit this critical vulnerability (CVE-2017-5638), which allows attackers to exploit a code-execution bug in the web application framework. Although a patch was available on Monday, hackers have been exploiting it

| MORE >

"Easy" to Hack Apache Struts Vulnerability CVE-2017-9805

| Sep 7, 2017

"This is as serious as it gets; if remote attackers are allowed to exploit the newly identified vulnerability it can critically damage thousands of enterprises." Oege de Moor, CEO and founder of Semmle. Dozens of Fortune 100 companies are at risk after security researchers at lgtm.com discovered a

| MORE >