The 2016 Dyn Attack and its Lessons for IoT Security
On October 21, 2016, the largest distributed denial of service (DDoS) attack took place, shutting down most of the Internet, including Twitter, Amazon, GitHub, and the New York Times. The attack targeted Dyn, a company that services a large share of the Internet’s domain name system (DNS) infrastructure, and lasted for most of the day. The malware used, which leveraged IoT devices rather than computers, made for an extraordinarily malicious attack, “roughly twice as powerful as any similar attack on record.”
What made the Dyn attack unique was that the perpetrators used a specific type of “botnet” malware, which infects a network of computers and coordinates them to bombard specific servers with web traffic until the servers collapse. The Dyn attack used a “Mirai botnet,” which used Internet of Things (IoT) devices instead of computers. Employing this strategy gave the hackers many more devices to choose from (between 50,000 and 100,000), including home routers and video recorders.
The perpetrators were able to hack into these IoT devices because most of the devices used for the Mirai botnet were still running on default credentials. In fact, after the attack, the Mirai source code was posted online and included default credentials for more than 60 devices.
The attack taught the world several valuable IoT security lessons:
- Devices should always be able to have their software, passwords, and firmware updated. Devices that cannot be updated in these ways should not be deployed, as they are too vulnerable to attacks.
- Users should not be allowed to keep default credentials.
- IoT devices should require unique passwords per device.
- IoT devices should always be patched with up-to-date software and firmware.
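The four lessons above can be turned into a fleet audit. The following Python sketch is an added example, not code from the original article: the inventory fields, device names, firmware versions and the short default-credential list are all constructed for illustration, and it assumes a provisioning system that knows each device's current login.

```python
from collections import Counter

# Constructed sample of factory-default login pairs (illustrative only,
# not taken from the Mirai source).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}

# Constructed inventory; field names are hypothetical.
FLEET = [
    {"id": "cam-01", "model": "cam", "user": "admin", "password": "admin",
     "firmware": "1.2.0", "updatable": True},
    {"id": "cam-02", "model": "cam", "user": "svc", "password": "T7#qLm92xv",
     "firmware": "1.4.1", "updatable": True},
    {"id": "dvr-01", "model": "dvr", "user": "svc", "password": "T7#qLm92xv",
     "firmware": "3.0.0", "updatable": False},
    {"id": "rtr-01", "model": "router", "user": "ops", "password": "k9!Vd2pQzR",
     "firmware": "2.10.0", "updatable": True},
]
LATEST_FIRMWARE = {"cam": "1.4.1", "dvr": "3.0.0", "router": "2.9.3"}


def parse_version(text):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_fleet(devices, latest_firmware, defaults=DEFAULT_CREDENTIALS):
    """Return {device id: [findings]} for every device that violates a lesson."""
    password_use = Counter(d["password"] for d in devices)
    report = {}
    for d in devices:
        findings = []
        if not d["updatable"]:                       # lesson 1: must be updatable
            findings.append("no-update-mechanism")
        if (d["user"].lower(), d["password"]) in defaults:   # lesson 2
            findings.append("default-credentials")
        if password_use[d["password"]] > 1:          # lesson 3: unique per device
            findings.append("shared-password")
        latest = latest_firmware.get(d["model"])     # lesson 4: patched firmware
        if latest is None:
            findings.append("unknown-model")
        elif parse_version(d["firmware"]) < parse_version(latest):
            findings.append("outdated-firmware")
        if findings:
            report[d["id"]] = findings
    return report


if __name__ == "__main__":
    for device_id, findings in audit_fleet(FLEET, LATEST_FIRMWARE).items():
        print(device_id, ", ".join(findings))
```

Note that the router at firmware 2.10.0 is correctly treated as newer than 2.9.3, which a plain string comparison would get wrong.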
Along with security lessons, the Dyn attack also showed the need for increased consumer vigilance regarding IoT devices. The devices presented a new point of vulnerability for both consumers and the Internet in general, and the attack taught a valuable lesson: with new technology and convenience comes the need for increased awareness.