Last Friday (Oct 21) occurred large two-part distributed denial-of-service (DDoS) attack which rendered couple of important websites inaccessible for my day-to-day workflow (GitHub, Amazon, Twitter,…). Technically you could still access the site, just not by URL which is a human-friendly website address, but by IP address which is an actual way how machines identify each other in a network like Internet. Or if you lived in Asia at that time. That’s because DDoS attack was targeting Domain Name System, a system which maps URL address to IP address.
In this week a lot has been written about the attack, what happened and how. Some sites even discussed about who might be behind it and why but this is just gossip. Besides there’s an ongoing investigation by US authorities and I’m sure findings will be available publicly.
So here’s few links to articles describing the attack and how it happened:
- Dyn Analysis Summary Of Friday October 21 Attack
- Trust isn’t easy: Drawing an agenda from Friday’s DDoS Attack and the Internet of Things
- Dyn DDoS attack sheds new light on the growing IoT problem
For me the most surprising thing was it came from millions of compromised Internet of Things devices. Such devices can be any object that is connected to the Internet (cars, buildings, gadgets, household devices like phones, toasters) which collects and exchanges data. As a computer engineer I’m pretty good educated when it comes to internet security (as in “everything can be hacked”). I’m so reluctant to put my trust in those devices.
Consider the following made-up story: I have a beef with neighbor who is by chance a world-class hacker. Next time I use mixer in kitchen, the neighbor turns it on remotely. Me being so surprised drops it on my foot and injuries me. Same goes for autonomous cars which are getting more and more spotlight recently. Ability to remotely control one device is not worth endangering my life.