Major websites hosted on the East Coast in the United States were shut down by a DDoS attack for over two hours this morning. The attack started at 7:10am ET and affected sites that were using Dyn’s cloud services, including the company’s own website.
Dyn, formerly known as DynDNS, is an Internet Performance Management (IPM) company that offers products that monitor, control, and optimize Internet infrastructure, as well as DNS registration and email services.
The company appears to have experienced a DDoS attack early this morning that slowed down or completely interrupted operation of customer websites using its Managed DNS service. Among others, the affected sites include:
Dyn began mitigating the attack as soon as it became aware of it, but it wasn't completely stopped until 9:20am ET.
The “Internet Of Threats”
There isn’t too much information available yet about how powerful the attack was, nor who or what caused it. However, lately we’ve seen increasingly powerful DDoS attacks, some of which were powered by “Internet of Things” (IoT) devices that were controlled by botnets.
The Internet of Things, which some security experts called the “Internet of Threats,” is still in its early days, so we’ve not yet seen the type of damage that infected IoT devices can do.
Most IoT devices don’t seem to make security a priority. They are rarely updated, and the updates they do receive are typically released early in their life cycles, before their creator's attention shifts to new products. Some may be updated for two years, but consumers might use them for five or seven years, and something like a government-purchased CCTV camera could be used for even longer. Those devices are the most vulnerable to being taken over by botnets.
To make things worse, an IoT botnet software was recently made open source, making it much easier for people to launch their own DDoS attacks.
IoT Security Regulation May Be Imminent
Governments haven’t started to regulate the security of IoT devices, but any further delay could put more and more internet services at risk from DDoS attacks as the category becomes more popular.
Some governments, such as the U.S., believe that growth of IoT shouldn’t be restricted by too many regulations. The European Union is also taking a light approach and is currently considering the adoption of a “labeling system” for security that's similar to its energy consumption labeling laws.
Labeling system or not, there probably should be at least some security best practices that should be enforced for everyone. If an IoT device doesn’t have even a basic level of security to protect against being hacked by automated tools, then it probably shouldn’t even be on the market; its existence would only further endanger everyone else’s products and services.
That seems like something for which only governments could offer protection, as most companies act in their own interests only. When it’s an issue of adding an extra cost to their products with no guarantee that it would result in higher sales or that their competitors would match their higher prices, there’s little reason for a given company to adopt higher security.
This is the type of behavior we’ve already seen in the Android smartphone market, where manufacturers prefer to offer as few updates to their devices as possible so they can remain competitive on price.
If security regulations for IoT devices are adopted in many countries at once, the “cost” issue of adding new security features should no longer be much of a problem, as everyone would have to start from the same base level of security.