Beginning early on October 21, 2016, Dyn, a New Hampshire based internet service company, was the victim of three distributed denial of service (DDoS) attacks. The first attack began at 7am ET and was resolved within about two hours. A second attack began just before noon and a third attack just after 4pm ET. Described by Dyn as a “sophisticated attack across multiple attack vectors and internet locations” the attacks affected websites including Spotify, Twitter, Reddit, the New York Times, and SoundCloud.
Techs and Specs – What is DDoS?
Domain name system (DNS) servers, such as those operated by Dyn, translate the domain name in a URL into an IP address. In other words, when you enter a URL like www.passwordprotectedlaw.com into your internet browser, a DNS server resolves the name you entered into the IP address of the server hosting that website, so your browser can connect to it.
DNS servers can only handle a certain number of requests at one time. DDoS attacks succeed by flooding the server with bogus requests until it is overwhelmed. Like getting a busy signal when too many people call one phone number, a DNS server inundated with requests can no longer answer them, and the system stops working – just like it did Friday.
These malicious requests are generated by botnets: networks of devices infected by malware and controlled without their owners’ knowledge, typically unprotected devices such as CCTVs, DVRs, and other “Internet of Things” (IoT) devices. Dyn confirmed that, at least in part, Friday’s DDoS attack was carried out by a botnet built with malware known as Mirai. Mirai infected inadequately secured devices by scanning for and breaking into devices that still used default passwords. Once infected, those devices sent an overwhelming number of fake requests to Dyn, overloading its systems. These fake requests prevented legitimate requests from being processed and so stopped legitimate users from reaching websites that relied on Dyn’s DNS servers.
Responsibility and Liability
Unfortunately, these attacks are likely to proliferate because there is a low barrier to entry and it can be difficult to determine attribution for attacks. For example, the Mirai botnet source code was made public in September 2016 thereby allowing any person or criminal enterprise to take and use the code for malicious purposes.
Cyberattacks, like the one on Friday, can cripple businesses by disrupting revenue. Moreover, to the extent that cyberattacks expose data security vulnerabilities, they can potentially expose a company to liability. For example, the Federal Trade Commission brought an action against LabMD for having insufficient data security practices. As these attacks become increasingly common, federal and state agencies will continue to closely monitor business data security practices.
To help avoid liability and mitigate damage from a DDoS, or other cyberattacks, keep in mind the following:
- Practice Information Governance: understand your network, know and safeguard your sensitive data, and train your users.
- Educate employees about the threat of phishing – which is the most popular delivery method for malware, including the malware that builds botnets.
- Understand what your DNS server provides and how it protects against and responds to service disruptions.
- Ensure that all devices on your network – CCTVs, Wi-Fi routers, and webcams – are reasonably secure and up to date, for example, by changing default passwords and regularly applying patches.
- Implement intrusion detection/prevention and malware prevention systems to detect and alert on malicious traffic traversing your network.
- If possible, isolate or limit IoT traffic on your network to only essential devices.
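As an added illustration of the last two points and of the "busy signal" effect described above (example code written for this post, not part of the original and not Dyn's tooling), the script below runs two simple checks over a constructed DNS query log: a per-client sliding-window rate that flags sources sending far more queries than any normal user would, and a per-second total compared against an assumed server capacity to show which seconds would have dropped legitimate requests. The log format, the client addresses and the capacity figure are all assumptions.

```python
"""Rate-based DNS flood detection over a constructed sample log.

Assumed log format (not from the original post), one query per line:
    <ISO-8601 timestamp> <client IP> <queried name>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: three ordinary clients plus one bot (10.0.0.9)
# that fires 50 queries per second for four seconds.
SAMPLE_LOG = "\n".join(
    ["2016-10-21T07:00:00 10.0.0.5 www.twitter.com",
     "2016-10-21T07:00:01 10.0.0.6 www.reddit.com",
     "2016-10-21T07:00:02 10.0.0.7 www.spotify.com",
     "2016-10-21T07:00:30 10.0.0.5 www.nytimes.com"]
    + [f"2016-10-21T07:00:{10 + i // 50:02d} 10.0.0.9 www.twitter.com"
       for i in range(200)]
)


def parse_line(line):
    ts, client, name = line.split()
    return datetime.fromisoformat(ts), client, name


def peak_rates(lines, window=timedelta(seconds=1)):
    """Highest number of queries each client sent inside any sliding window."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, client, _ in events:
        q = recent[client]
        q.append(ts)
        while q[0] <= ts - window:   # drop timestamps that fell out of the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return dict(peak)


def flag_flooders(lines, threshold=20, window=timedelta(seconds=1)):
    """Clients whose peak rate exceeds what a legitimate resolver client would send."""
    return {c: r for c, r in peak_rates(lines, window).items() if r > threshold}


def saturated_seconds(lines, capacity=40):
    """Seconds in which total queries exceed the server's assumed capacity,
    i.e. when legitimate requests would start getting the 'busy signal'."""
    per_second = defaultdict(int)
    for ts, _, _ in (parse_line(l) for l in lines if l.strip()):
        per_second[ts.replace(microsecond=0).isoformat()] += 1
    return sorted(s for s, n in per_second.items() if n > capacity)
```

Feeding the output of `flag_flooders` into a firewall or resolver rate limit is the alerting step the checklist refers to; a single client at 50 queries per second is an obvious outlier next to the one-query-every-thirty-seconds pattern of a real user.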