Just before five in the afternoon, and like every other Friday after leaving the office, workers got on the train expecting their commute to be the same as any other day. However, they soon realised that their journey was going to be one of the most boring commutes in recent memory: Twitter, Spotify and Netflix, among other services, were not working and it wasn't clear why. Hours later, Dyn, one of the companies whose infrastructure supports many of these services, announced that its DNS infrastructure was at that moment the target of a massive DDoS attack.
What is DNS?
The domain name system (DNS) is a key part of the Internet; its main function is to map domain names to IP addresses, in other words, it is what allows us to reach a service without needing to remember its IP address. A DDoS attack directed at DNS servers, with the goal of flooding them with unwanted traffic, therefore prevents domain names from being resolved and users from reaching the platforms they want. In this case, despite a robust and distributed DNS infrastructure, Dyn was unable to absorb an attack that originated from close to 10 million IP addresses.
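To make that mechanism concrete, the following is an added toy simulation; it is not code from the original post, from Dyn or from ElevenPaths. It models an authoritative name server that stops answering once the offered load exceeds its capacity, and a recursive resolver that keeps serving answers from its cache until their TTL runs out. Every name, address, TTL and capacity figure below is a constructed sample value.

```python
"""Toy model of why a DDoS on authoritative DNS takes services offline,
and how resolver caching with TTLs softens the blow.

Added illustration, not code from the original post, Dyn or ElevenPaths.
All names, IPs, TTLs, loads and timings are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed zone data: what the authoritative servers would answer.
# Values are (IP address, TTL in seconds).
AUTHORITATIVE_ZONE: Dict[str, Tuple[str, int]] = {
    "twitter.example.": ("192.0.2.10", 300),
    "music.example.":   ("192.0.2.20", 60),
    "video.example.":   ("192.0.2.30", 3600),
}


@dataclass
class AuthoritativeServer:
    """Authoritative name server with a finite query budget per second."""
    zone: Dict[str, Tuple[str, int]]
    capacity_qps: int
    load_qps: int = 0  # offered load, legitimate plus attack traffic

    def query(self, name: str) -> Optional[Tuple[str, int]]:
        # Under flood the server drops queries; modelled as "no answer"
        # once the offered load exceeds what it can serve.
        if self.load_qps > self.capacity_qps:
            return None
        return self.zone.get(name)


@dataclass
class CachingResolver:
    """Recursive resolver that reuses answers until their TTL expires."""
    upstream: AuthoritativeServer
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def resolve(self, name: str, now: float) -> Optional[str]:
        hit = self.cache.get(name)
        if hit and hit[1] > now:          # cached and still within TTL
            return hit[0]
        answer = self.upstream.query(name)
        if answer is None:                # upstream unreachable: SERVFAIL
            return None
        ip, ttl = answer
        self.cache[name] = (ip, now + ttl)
        return ip


def simulate_outage(attack_qps: int, legit_qps: int = 100,
                    capacity_qps: int = 10_000) -> Dict[int, Dict[str, Optional[str]]]:
    """Warm the resolver cache, then flood the authoritative server and
    record which names still resolve at two later checkpoints (seconds)."""
    auth = AuthoritativeServer(AUTHORITATIVE_ZONE, capacity_qps, legit_qps)
    resolver = CachingResolver(auth)
    results: Dict[int, Dict[str, Optional[str]]] = {}

    # t=0: normal operation, every name resolves and lands in the cache.
    results[0] = {n: resolver.resolve(n, now=0) for n in AUTHORITATIVE_ZONE}

    # t=120: the flood begins; offered load now far exceeds capacity.
    auth.load_qps = legit_qps + attack_qps
    results[120] = {n: resolver.resolve(n, now=120) for n in AUTHORITATIVE_ZONE}

    # t=400: the flood continues; more cache entries have expired.
    results[400] = {n: resolver.resolve(n, now=400) for n in AUTHORITATIVE_ZONE}
    return results


if __name__ == "__main__":
    for t, answers in simulate_outage(attack_qps=50_000).items():
        print(f"t={t:>4}s", {n: (ip or "SERVFAIL") for n, ip in answers.items()})
```

Running it shows the pattern seen during the real incident: names whose cached records were still within their TTL kept resolving for a while, short-TTL names failed almost immediately, and the longer the flood lasted the more names dropped out. Two defensive takeaways follow directly from the model: longer TTLs on stable records extend the window in which resolvers can ride out an authoritative outage, and resolvers that serve stale answers when the authority is unreachable (standardised later in RFC 8767) would have kept even the expired names reachable.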
This scenario becomes plausible given the growth in the number of devices connected to the Internet, driven by the emergence of the Internet of Things (IoT). The IBSG, the Cisco Internet Business Solutions Group, predicts that some fifty billion devices will be connected by the year 2020. The exposed surface will therefore grow exponentially, and with it the possibility of devices being hijacked for malicious purposes into networks of remotely controlled machines used to carry out DDoS attacks. This is the theory held by Dyn, which, with the help of Flashpoint and Akamai, has managed to identify IoT devices compromised by the Mirai botnet, whose source code was recently released.
Separately, the security firm RSA had evidence that in early October a botnet of infected IoT devices was advertised for sale on a forum on the Tor network. Its seller claimed that it was based on the Mirai botnet and that it could generate traffic of up to one terabyte per second, similar to the traffic generated by the recent attack against the French hosting company OVH. The price ranged from 4,600 to 7,500 dollars, depending on the number of systems contracted: not a high price when set against the global impact the attack has had.
The alleged perpetrators
In reality, it is not clear who is responsible for the attack. On the one hand, Wikileaks confirmed that some of its supporters could be responsible for the attack, in protest against the Ecuadorian government's decision to cut off the Internet connection of Julian Assange, the Wikileaks founder, in response to the recent publication of leaked information regarding the United States elections. On the other hand, Pierluigi Paganini, author of the website Security Affairs, contacted the NewWorldHackers group via Twitter, and the collective claimed responsibility for the attack on Dyn, carried out in collaboration with other groups linked to Anonymous.
ElevenPaths, on constant alert
Having cybersecurity investigation capabilities is essential to understanding what has happened in a given incident. However, the Internet is a medium in which evidence can easily be altered and become contradictory, which is why, particularly in cyberspace, it is necessary to contend constantly with uncertainty and information chaos. Within this context, Telefónica, as a telecommunications company, and ElevenPaths, as its cybersecurity unit, hold a privileged position from which to respond to threats originating on the web.