On Friday, a massive distributed denial of services attack (DDoS) knocked out access to a number of major websites. Although the incident appeared to target the U.S., its effects rippled out internationally, reportedly even reaching major banks and supermarket giants in Australia.
While facts are still emerging, it seems the attack centred on Dyn, a domain name systems (DNS) provider that essentially acts like a phone book for major sites such as Twitter, Amazon, Tumblr, Reddit and Spotify.
The DDoS attack aimed a firehouse of traffic at the company, apparently making use of millions of insecure internet-connected devices like baby monitors, digital video recorders and smart fridges, rendering it unusable.
What’s worse, all those Internet of Things (IoT) devices could have been located anywhere, including Australia.
According to a statement from Dyn’s chief strategy officer Kyle York, the initial attack mainly impacted internet users on the East Coast of the U.S., however a second wave “was more global in nature.”
There were reports of users unable to access sites in Europe, and according to the digital performance monitoring company Dynatrace, Australian sites affected included banks such as ANZ and Westpac, and supermarkets Coles and Woolworths, among others. All have been contacted by Mashable for comment.
“It also looks like Australia was impacted by all three of the US attacks,” Dave Anderson, data expert at Dynatrace, told Mashable in an email.
“While not as severe as the US, Australian sites were definitely experiencing performance problems as a result of the DDoS attacks overnight. Of the sites we’ve monitored, we can see that the average DNS connect time spiked to about 8 seconds, when normally it would average 3 milliseconds.”
Dyn opened a Sydney office in 2014 and has also been contacted by Mashable for comment.
While he couldn’t comment on the impact of the DDos attack in Australia, Liviu Arsene, senior analyst at internet security software company Bitdefender, told Mashable any type of internet infrastructure, regardless of its location, could be vulnerable to a similar attack.
“Why? It’s pretty simple. You can use that massive botnet to disrupt anything,” he explained. “We are so interconnected … You can target two or three or four hubs, and you can really paralyse the global internet infrastructure, and that will cause a serious outage.”
“It’s pretty simple. You can use that massive botnet to disrupt anything.”
Michael Sentonas, vice president of technology strategy at CrowdStrike, said Friday’s event certainly had potential flow-on effects for online platforms around the world.
In the future, Australia can’t count itself out as a target. “You can point fake junk traffic at any type of online target,” he said. “There’s no reason this could not be targeted at infrastructure in this part of the world.”
So far, there has not been an incident on such a significant scale in Australia, although he suggested we saw a classic DDoS event as users tried to logon to complete the 2016 Census, an incident that allegedly cost Australian taxpayers A$30 million ($22.78 million).
After Friday, some experts have called for regulators to get involved and ensure smart devices with little or no security can’t be turned into some sort of DDoS zombie army.
Sentonas suggested a balance must be found between IoT innovation and ensuring people aren’t building insecure products. “Some of them don’t have any capability to be updated and secured in an easy fashion,” he pointed out. “That needs to change for obvious reasons.”
“Something has to happen,” he added. “We can’t have a situation where devices with factory settings can be used to do what we saw on the weekend.”
At the very least, consider this a PSA: If you own a smart fridge or baby monitor, change your password (if the manufacturer was smart enough to give you that option).
“I would recommend for the average user who has internet connected devices, is at least make sure they have the latest security update. At least make sure you change the default password,” Arsene said. “We need to all make sure these smart devices cannot be used to disrupt services.”