As users of Twitter and many other services probably know, large parts of the Internet weren’t working Friday, thanks to a hacking attack on the Internet’s infrastructure. NBC reported that a senior intelligence official told the network that the hack “does not appear at this point to be any kind of state-sponsored or directed attack.” It may be that new evidence emerges that leads the U.S. intelligence community to change its opinion and identify a major state as a responsible party. The scarier possibility is that it wasn’t a state that did it.
The attack targeted the domain name system.
The Internet relies on a complicated mix of systems and protocols to work. Friday’s attack targeted a key aspect of the Internet — the domain name system. Every time your desktop or phone browser asks to load the Web page for, say, http://www.washingtonpost.com, specialized servers need to turn the Web address into a series of numbers — the IP address — to figure out where the request ought to be sent. The company that was hacked Friday runs part of the domain name system. The hackers sent so many requests to the domain name servers that they were overwhelmed.
This kind of attack is called a distributed denial of service attack, or DDoS attack. It used to be thought of as a relatively unsophisticated instrument, and many forms of DDoS can be easily repelled, once the target of the attack realizes what is going on. Both activists (such as members of the loose Anonymous collective) and state actors (looking to silence inconvenient dissidents offshore) have used DDoS attacks in the past. Such attacks led Google to create Project Shield, which was intended to deploy Google’s massive resources to protect actors who might otherwise be effectively silenced by nefarious actors.
These attacks have escalated.
Unfortunately, such attacks have escalated dramatically over time. The problem started with unsecured computers. Many people (almost certainly including readers of this article) are bad at keeping their computer operating systems updated, with the result that their computers have been quietly subverted and made part of ‘botnets’ made up of thousands of enslaved machines. These computers can then be turned against a target system, repeatedly bombarding it with demands until it is effectively taken off the Internet. Criminals have herded botnets to blackmail the owners of gambling websites by threatening to keep them offline with DDoS attacks until a ransom is paid.
Recently, however, the stakes have escalated. What’s called the “Internet of Things” — the many consumer products connected to the Internet — has created opportunities for botnet herders because these products tend to be badly secured and are usually never updated. Brian Krebs, a prominent writer and consultant on security, has often been targeted by the criminals he writes about. Last month, he was hit by a massive attack mounted by a botnet of compromised devices. Friday’s attack used the same ‘Mirai’ system, which was recently released into the wild so that anyone with moderate technical skills could use it to compromise and set up their own network of devices.
Anyone could be responsible.
As Krebs pointed out in a follow-up blog post, the truly frightening thing is that anyone could be responsible. It used to be that only states had the firepower to mount really dramatic attacks like this. Now, as one of Krebs’s friends puts it, “When it comes to DDoS attacks, nation-states are just another player. Today’s reality is that DDoS attacks have become the Great Equalizer between private actors & nation-states.”
One shouldn’t push this analogy too far. Other kinds of cyberattacks — such as the attack that the United States and Israel reportedly mounted on the Iranian nuclear program — require bespoke skills and customization and are out of the reach of all but sophisticated nation-states. Even so, taking down a large chunk of the Internet, as Friday’s attack apparently did, is well within the grasp of small criminal groups and other ordinary actors.
Equally, the fact that this is possible for ordinary actors may provide opportunities for states to undertake nefarious activities without getting the blame. Many of the techniques used to identify the perpetrators of cyberattacks rely on “fingerprints” in the computer code underlying the attack. For example, if you are mounting an attack, it may be cheaper and easier for you to redeploy code that you have already used in other attacks than to write everything from scratch. This may, in turn, make it easier to identify you.
Such identification techniques will be harder to use against DDoS attacks like this one, which deploy code that is widely available and hence impossible to attribute to any particular actor. There may be other means of identification (for example, there might be bugs in the source code that could be exploited to pinpoint whoever is running it), but we don’t know for certain. This might tempt states as well as nonstate actors to use this system to mount DDoS attacks in the belief that others will likely be blamed.
The underlying problem is tough to solve.
These attacks are likely to continue — and get worse — as long as more devices are released that can be subverted and slaved by botnets. Unfortunately, as another prominent security expert, Bruce Schneier, argues, that’s going to keep on happening. The producers of buggy and insecure cameras, baby monitors and so on have no incentive to improve them, since no one can sue them for the side effects of their carelessness. The users of the products don’t have any reason to care, either. Schneier suggests that we might at least begin to address the problem by regulating manufacturers, or by making it possible for the victims of attacks, like Krebs, to sue them. This is, as Schneier certainly knows, unlikely under current political circumstances. The business community has resisted such mandates and rights for decades and almost certainly still has enough political clout to continue to resist.