{"id":4780,"date":"2016-11-01T15:52:27","date_gmt":"2016-11-01T19:52:27","guid":{"rendered":"http:\/\/ncjolt.org\/?p=4780"},"modified":"2020-06-04T20:52:58","modified_gmt":"2020-06-04T20:52:58","slug":"ddos-attack-exposes-vulnerability-internet-things","status":"publish","type":"post","link":"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/ddos-attack-exposes-vulnerability-internet-things\/","title":{"rendered":"DDoS Attack exposes Vulnerability of Internet of Things"},"content":{"rendered":"<p>On Friday, October 21st, attackers controlling a vast collection of internet-connected devices launched a <span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"http:\/\/www.wsj.com\/articles\/denial-of-service-web-attack-affects-amazon-twitter-others-1477056080\">denial-of-service attack<\/a><\/span> on web technology provider Dynamic Network Service, Inc., also known as Dyn. Dyn provides domain name system services to many popular websites, which is a key part of the &#8220;<span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"http:\/\/www.wsj.com\/articles\/denial-of-service-web-attack-affects-amazon-twitter-others-1477056080\">digital supply train<\/a>&#8221;<\/span>\u00a0which allows users to access websites like Twitter and Netflix. The attack serves as a validation for those that have <span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"http:\/\/www.computerworld.com\/article\/2476652\/cybercrime-hacking\/can-apple-keep-us-safe-in-the-internet-of-things.html\">long warned<\/a><\/span> that the &#8220;<span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"https:\/\/www.technologyreview.com\/s\/602713\/how-the-internet-of-things-took-down-the-internet\/\">Internet of things<\/a><\/span>&#8221;\u00a0(referring to the multitude of common household devices that are connected to the internet) has created an opportunity for hackers to infiltrate average American households. 
While many will dismiss Friday\u2019s internet outage as a mere inconvenience, the attacks pose a threat to average Americans and large corporations alike.<br \/>\nFriday\u2019s attack was a large distributed denial-of-service attack, or <span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"https:\/\/www.technologyreview.com\/s\/602713\/how-the-internet-of-things-took-down-the-internet\/\">DDoS<\/a><\/span>, which aims to overwhelm servers with data requests from hundreds of thousands of internet devices. These often innocuous pieces of hardware (like thermostats or security cameras) sent requests to Dyn\u2019s DNS servers in such volume that some of Dyn\u2019s <span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"http:\/\/www.forbes.com\/sites\/thomasbrewster\/2016\/10\/23\/massive-ddos-iot-botnet-for-hire-twitter-dyn-amazon\/#66e5932fc915\">clients<\/a><\/span> (like Amazon Web Services) experienced outages as well. In the past, hackers have targeted home computers with malware in order to create a &#8220;<span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"http:\/\/www.telegraph.co.uk\/technology\/0\/what-is-a-ddos-attack-and-could-my-computer-be-a-weapon\/\">botnet<\/a><\/span>&#8221;\u00a0or network of compromised computers that don\u2019t appear compromised, but can be utilized at a hacker\u2019s command to terrible effect. However, this attack utilized a large number of internet-connected devices, including some web cameras that have now been <span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"https:\/\/techcrunch.com\/2016\/10\/24\/webcams-involved-in-dyn-ddos-attack-recalled\/\">recalled<\/a><\/span> by their Chinese manufacturer. 
While some devices don\u2019t have robust protection mechanisms, others like Apple\u2019s <span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"http:\/\/www.computerworld.com\/article\/3134042\/apple-ios\/ddos-attack-apple-s-homekit-for-a-safer-smarthome.html\">HomeKit<\/a><\/span> implement tough security and privacy protections.<br \/>\nSome sources have <span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"https:\/\/www.schneier.com\/blog\/archives\/2016\/09\/someone_is_lear.html\">speculated<\/a><\/span> that attacks such as these are simply attempts by an unknown party to probe \u201cthe defenses of the companies that run critical pieces of the Internet.\u201d This possibility adds an extra element of urgency to a situation that already involved the privacy and protection of millions of Americans. Many sources have highlighted the <span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"http:\/\/www.techrepublic.com\/article\/dyn-ddos-attack-5-takeaways-on-what-we-know-and-why-it-matters\/\">fragility and insecurity<\/a><\/span> of Internet of things devices, and have noted that such devices will continue to be likely targets for hackers in the future.<\/p>\n<blockquote><p>\u201c<span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"http:\/\/www.techrepublic.com\/article\/dyn-ddos-attack-5-takeaways-on-what-we-know-and-why-it-matters\/\">Bob Gourley<\/a><\/span>, co-founder of the cyber security consultancy Cognitio and former CTO of the Defense Intelligence Agency, said that DDoS attacks are up 75% this year, and that the average size of these attacks is growing.\u201d<\/p><\/blockquote>\n<p>Experts attempting to pin down the motivation behind the attacks have cited reasons ranging from politics to revenge to money; industrial sabotage has also been suggested. 
<span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"https:\/\/arxiv.org\/pdf\/1508.03410v1.pdf\">Researchers<\/a><\/span> have found that many hackers sell the services of their botnets online, usually utilizing PayPal or Bitcoin to exchange payment for their services. Following the release of the source code for Mirai, a control software, criminal gangs have begun charging to employ it in <span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"http:\/\/www.reuters.com\/article\/us-usa-cyber-idUSKCN12L1ME\">cyberattacks<\/a><\/span>. In fact, some individuals have explicitly <span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"http:\/\/www.forbes.com\/sites\/thomasbrewster\/2016\/10\/23\/massive-ddos-iot-botnet-for-hire-twitter-dyn-amazon\/#4588fbe3c915\">advertised<\/a><\/span> for sale the use of an internet of things botnet created from Mirai code, asking as little as $4,600 for control of 50,000 bots, while 100,000 cost only $7500.<br \/>\nBig businesses are in prime position to suffer from DDoS attacks, but can <span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"http:\/\/www.reuters.com\/article\/us-usa-cyber-idUSKCN12L1ME\">protect<\/a><\/span> themselves by utilizing multiple vendors for core services like routing internet traffic. However, Internet of things creators also have a <span style=\"color: #0000ff\"><a style=\"color: #0000ff\" href=\"http:\/\/www.techrepublic.com\/article\/dyn-ddos-attack-5-takeaways-on-what-we-know-and-why-it-matters\/\">duty<\/a><\/span> to implement stronger standards and protocols for security for products that they sell to the American public. Most users of home computers are oblivious to potential security issues regarding their machines, and would be even less aware of the threat posed by unsecured internet-connected devices. 
Hopefully this attack will serve as a wake-up call for American companies, citizens, and the US government to take proactive steps to increase protections for internet-connected devices and to secure critical internet infrastructure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On Friday, October 21st, attackers controlling a vast collection of internet-connected devices launched a denial-of-service attack on web technology provider Dynamic Network Service, Inc., also known as Dyn. Dyn provides domain name system services to many popular websites, which is a key part of the &#8220;digital supply train&#8221;\u00a0which allows users to access websites like <a href=\"https:\/\/journals.law.unc.edu\/ncjolt\/blogs\/ddos-attack-exposes-vulnerability-internet-things\/\" class=\"more-link\">&#8230;<\/a><\/p>\n","protected":false},"author":1,"featured_media":4781,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[51],"tags":[],"_links":{"self":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/4780"}],"collection":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/comments?post=4780"}],"version-history":[{"count":1,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/4780\/revisions"}],"predecessor-version":[{"id":7142,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/posts\/4780\/revisions\/7142"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media\/4781"}],"wp:attachment":[{"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/media?parent=4780"}],"wp:term":[{"
taxonomy":"category","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/categories?post=4780"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/journals.law.unc.edu\/ncjolt\/wp-json\/wp\/v2\/tags?post=4780"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}