Parent Category: 2017 HFE
By Tom Perkins
Thermostats that learn; sensors that detect a burst pipe or clothes-washer hose and then shut off the water; a talking doorbell with a camera; smart light bulbs; security cameras; smoke and carbon monoxide detectors that turn off HVAC systems and are connected to smart phones. These are some of the fledgling entries into Smart Home Technology, which together are broadly forming the Internet of Things (IoT).
On 21 October there was a situation where major websites were suddenly not accessible across North America and Europe. A successful and rapidly growing company named Dyn, headquartered in Manchester, New Hampshire, was suddenly at the center of worldwide attention.
This company manages significant portions of the internet’s infrastructure, and according to news outlets, it was “attacked.” Popular websites like Airbnb, Etsy, Netflix, Reddit, and Twitter were affected. Dyn, a company co-founded at Worcester Polytechnic Institute (WPI) in Massachusetts by the son of a microwave colleague of mine, has servers that monitor and reroute internet traffic. Dyn is reported to handle about 40 billion interactions per day. On 21 October it experienced a Distributed Denial of Service (DDoS) attack at about 11:00 UTC. The problem persisted for most of the day, moving westward across the United States in waves. As a DNS provider, Dyn provides end-user subscribers with internet domain-name mapping. The DDoS attack was accomplished through a huge number of DNS lookup requests from many millions of Internet Protocol (IP) addresses.
It is believed that the attack was significantly aided by hundreds of thousands of internet-connected devices such as baby monitors, remote cameras, and home routers that had been infected.
This can generally be done without the owner’s awareness. Hackers overwhelm a target with massive amounts of traffic. These types of attacks appear to be on the rise. With the proliferation of the Internet of Things (IoT), this vulnerability is likely to only increase with time. This has great security implications. An attack on an internet infrastructure provider can have far greater consequences than disrupting one website. In this case the attack is reported not to have affected the websites themselves, but to have prevented users from gaining normal access to them. It was reported that the internet-connected devices had been co-opted by malware named Mirai.
Incidentally, and probably unrelated to the event, on 21 November Dyn announced that it would become part of tech giant Oracle, a Fortune 100 company. The deal is reported to possibly be worth more than $600 million. Whether this will have an impact on Dyn’s susceptibility to hacking remains to be determined.
Easy to Do
According to Infoblox technologist Cricket Liu, generating a DDoS attack using Domain Name System (DNS) infrastructure is remarkably simple: “The attackers send queries to name servers across the Internet, and those name servers return responses. Instead of sending the queries from their own IP addresses, though, the attackers spoof the address of their target -- which could be a Web server, a router, another name server, or just about any node on the Internet. Spoofing DNS queries is particularly easy because they are usually carried over UDP (the connectionless User Datagram Protocol). Sending a DNS query from an arbitrary IP address is about as simple and has roughly the same effect as writing someone else’s return address on a postcard.”
Organizations have begun deploying Domain Name System Security Extensions (DNSSEC). DNSSEC stores cryptographic keys and digital signatures in records in the namespace, and those records make responses large. The size of the response is 4,077 bytes, compared with a query of just 44 bytes. Attackers can thus take advantage of the fact that for each 44-byte query, a Web server receives a 4,077-byte response, for an amplification factor of almost 93 times. Assume an attacker has a modest 5 megabits per second (Mbps) connection to the Internet. As 1 bit equals .125 bytes, they can send about 14,200 44-byte queries across that link per second. This query stream would result in 465 Mbps worth of replies reaching the victim Web server. Thus every 2.15 attackers represent 1 Gbps. This could easily be accomplished by a botnet, a small group of compromised computers.
The ultimate effect is very destructive. In their quarterly global DDoS Attack Report, Prolexic (a DDoS-mitigation company) reported a recent DNS-based attack against a customer that topped 167 Gbps. Prolexic further reported that average DDoS attack bandwidth was up 718 percent to 48 Gbps in just 3 months. State-of-the-art DDoS attacks against DNS infrastructure can exceed 100 Gbps.
One partial solution is to configure servers to recognize that they’re being queried over and over for the same data, from the same Internet Protocol (IP) address. Well-trained, dedicated administrators will configure access controls on their recursive name servers to limit their use to authorized systems.
The Open Resolver Project (openresolverproject.org) has collected a list of 32 million open recursive name servers. Hackers can fire spoofed queries at as many of these as possible until they are overloaded and fail. There are many ways to combat these attacks.
The DNS infrastructure needs to have alarms that detect an attack by measuring the query load. One way to do this is to employ Berkeley Internet Name Domain (BIND)’s built-in statistics support. Make sure Internet-facing infrastructure is robust and minimize opportunities for single points of failure. Widespread geographical distribution of external authoritative name servers will likely help.
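The amplification arithmetic above and the two detection ideas just described (repeated identical queries from one address, and a load alarm driven by server statistics) in working form, as an added example that is not code from the article, Infoblox or BIND. The log format is a constructed simplification of a resolver query log; the client addresses are documentation ranges, and in a spoofed attack the logged client is the victim.

```python
# Added example, not code from the article, Infoblox or BIND: the article's
# amplification arithmetic plus a rate-based detector over a constructed, simplified
# resolver log ("<epoch> <client-ip> <qname> <qtype>"); spoofed traffic logs the victim's IP.
from collections import defaultdict, deque

QUERY_BYTES, RESPONSE_BYTES, UPLINK_MBPS = 44, 4077, 5.0  # figures from the article

def amplification_factor(query_bytes=QUERY_BYTES, response_bytes=RESPONSE_BYTES):
    """Bytes the victim receives per byte the attacker sends."""
    return response_bytes / query_bytes

def reply_rate_mbps(uplink_mbps=UPLINK_MBPS, query_bytes=QUERY_BYTES,
                    response_bytes=RESPONSE_BYTES):
    """Reply bandwidth reaching the spoofed victim from one attacker uplink."""
    queries_per_sec = uplink_mbps * 1e6 / 8 / query_bytes
    return queries_per_sec * response_bytes * 8 / 1e6

def parse_log(text):
    """Yield (epoch, client, qname, qtype); malformed lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0].isdigit():
            yield int(f[0]), f[1], f[2].lower(), f[3]

def detect_repeated_queries(text, window_s=1, threshold=5):
    """{(client, qname, qtype): peak count} for tuples seen more than `threshold`
    times in any `window_s`-second window (what response rate limiting keys on)."""
    recent, flagged = defaultdict(deque), {}
    for ts, client, qname, qtype in parse_log(text):
        key = (client, qname, qtype)
        dq = recent[key]
        dq.append(ts)
        while dq[0] < ts - window_s:  # discard timestamps older than the window
            dq.popleft()
        if len(dq) > threshold:
            flagged[key] = max(flagged.get(key, 0), len(dq))
    return flagged

def query_load_alarm(text, baseline_qps, factor=10):
    """Seconds whose query count exceeds factor * baseline_qps (the load alarm
    the article suggests driving from the name server's statistics)."""
    per_second = defaultdict(int)
    for ts, *_ in parse_log(text):
        per_second[ts] += 1
    return sorted(s for s, n in per_second.items() if n > factor * baseline_qps)

# Constructed sample: one spoofed address hammering the same ANY query.
SAMPLE_LOG = "\n".join(["1477047600 192.0.2.10 example.org ANY"] * 3
    + ["1477047601 192.0.2.10 example.org ANY"] * 3
    + ["1477047601 198.51.100.7 www.example.com A", "1477047602 198.51.100.7 mail.example.com MX",
       "1477047605 203.0.113.4 example.org ANY"])
```

Running the detector over SAMPLE_LOG flags only the repeating (client, name, type) tuple, which is the tuple a rate limit would throttle without touching the two ordinary clients.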
A somewhat obvious way to combat DDoS attacks is to overbuild or overprovision the infrastructure. Overprovisioning name servers isn’t necessarily prohibitively costly. A good server can handle hundreds of thousands of queries per second. This consideration must be examined in light of internet infrastructure robustness such as firewall strength.
Using Anycast, one of several network addressing and routing techniques, can also help resist a DDoS attack. Anycast allows multiple servers to share a single IP address. To deploy Anycast, the hosts supporting name servers will need to run a dynamic routing protocol. The routing process will advertise to its neighbor routers a route to a new, virtual IP address on which a name server listens. The routing process also needs to be smart enough to stop advertising that route if the local name server stops responding.
Anycast defends against DDoS attacks by distributing groups of servers over wide areas, e.g., continents. A host mounting a DDoS attack can only send traffic to one member of a group from any point on the Internet at a time. Unless attackers can source enough traffic from, say, North America, Europe, and Asia simultaneously to swamp one’s infrastructure, they won’t succeed. Use of a cloud-based DNS provider can also fend off an attack.
Possible Mitigation in the Microwave/Wi-Fi Realm
There are possibly cooperative techniques to prevent disruption and hacking beyond wide server distribution, enhanced protocols, improved firewalls, vigilant monitoring, and overbuilding or redundant infrastructure. One defensive technology as the IoT proliferates into perhaps 25 to 50 billion devices deployed by the year 2020 is Low Earth Orbit (LEO) satellite-enabled high-data-rate communications networks called the Internet of Space (IoS). There will be challenges, such as hand-off coordination, but network latencies will be reduced, and the application of phased array technology and advanced CMOS will help.
Plans are in the works to manufacture and deploy several thousand micro-satellites. Other schemes include hybrid optical/RF networks, and augmentation platforms ranging from geostationary satellites to drones and possibly balloons. Chip-scale phased array System-on-Chip (SoC) devices using inexpensive silicon with adequate effective radiated power (ERP) to make links with LEO satellites are expected to be a significant enabler. In addition, there likely will be a reshaping of US national security policy with new Presidency and government agency leadership. Significant effort will be needed to identify and neutralize the sources of the hacking. Also, improved firewall techniques and counter-threat technology will need to be rapidly developed and deployed in order to curb future attacks.
More IoT Coming Quickly
So considering rapidly emerging smart technology, we have a full-up IoT scenario. As currently perceived, the system will depend almost entirely on wireless techniques. IoT devices will open things, turn things on and off, control indoor climate, provide safety, and many other operations. Microprocessor-based sensors will permit interaction with other devices and many functions will be controlled by smart phones or whatever their successor personal devices will be called.
A new product called Google Home is a Wi-Fi speaker that also works as a smartphone control center and a family assistant. It can enable entertainment playback throughout an entire house, effortlessly manage routine tasks, and let the user ask Google questions. This is an example of an element of the internet that could be vulnerable in the future. Another is Amazon Echo.
These are “smart” wireless speaker and voice command devices. They are capable of voice interaction, music playback, making to-do lists, setting alarms, streaming podcasts, playing audiobooks, and providing weather, traffic, and additional real-time information. They can also control multiple smart devices, using themselves as a home automation hub. Echo provides Wi-Fi 802.11a/b/g/n and Bluetooth Advanced Audio Distribution Profile support. These will likely be vulnerable both to direct attack and disruption and to use as a vehicle for other internet activity.
Unfortunately, there will always be bad actors and entities trying to destroy devices that are intended to advance technology and the comforts of modern life for the rest of us.
About the Author
Tom Perkins is HFE’s Senior Technical Editor.
The April 2017 Online Edition is now available for viewing and download!