Shouldn’t My Router be Preventing the Dyn DDoS?

Tom Harrison
Tom Harrison’s Blog
5 min read · Oct 23, 2016

No, Not The Electoral Map… Or is it? (Image: DownDetector)

This week we saw yet another hint of the new kind of warfare coming to a planet near you!

The DDoS attack against Dyn was remarkable for its intensity, and the claim is that it was because now all our Internet of Things devices have been turned into bots.

Yeah, no shit. This was a warning that people were talking about years ago when IoT was the next big thing. Pretty much everything with a MAC address is a potential bot.

Why Don’t We Care About Security?

But DDoS is pretty basic. Clearly this was a little more than just plain vanilla DDoS, because Dyn blocked the first inward vector (presumably some predictable pattern of request) within an hour or so, and then the next vector, a different pattern I would guess, was launched. But while it used all of our insecure devices and was set to anticipate a response, it’s still not undetectable.

Yeah, I know, it’s effectively impossible to completely secure anything. A while ago I came around to the view that our focus should be less on lockdown and more on post-breach detection and mitigation. Assume your system is breached — it’s a very different problem.

Our Devices Need to be Smarter

I work on data science, which is partly just pattern detection. I walk in every morning and expect to see the same activity histograms on my Hadoop dashboard, and the same 10 emails reporting success. If I don’t, something changed.

Let’s just think about our homes for a minute. I think I heard some stat that the average US home has 13 internet connected devices. The computer I am typing on is one, but it’s a little different.

But my TiVo, Apple TV, my AV Receiver, my printer, my Nest thermostats, etc. — unlike my computer, they all pretty much do one thing over and over. I don’t necessarily expect my router to detect that the devices it supports have been hacked. But I do expect my router to say, “Gee, that’s odd that the thermostat is making the same request 10 times a second to a new place, and has been for a minute”.

At first the router may not even need to detect the pattern anomaly. But at least when a new device joins the network, the router could ask it to declare its intent. Or at least let me tell the router that my thermostat should not be making more than a few requests per minute, through some simple thresholds or governor settings.

Partially Self-Bricking, With Notification

Either a device or the router that handles its traffic should be able to just disconnect, or at least throttle it, and send off an emergency alert.
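The per-device governor sketched above, as an added example that is not from the original post: it replays a constructed flow log and flags a device that keeps hammering a destination it only recently started talking to, throttling just that flow (the "partial self-bricking") while the device's normal traffic keeps going. Thresholds, the sample devices and the destinations are all assumptions.

```python
from collections import defaultdict, deque

def build_sample():
    """Constructed flow log of (timestamp_s, device, destination): the thermostat checks
    in with its vendor every 20 s, then hits a never-before-seen address 10x/s for 70 s."""
    events = [(float(t), "thermostat", "api.vendor.example") for t in range(0, 300, 20)]
    events += [(300.0 + i / 10, "thermostat", "203.0.113.77") for i in range(700)]
    events.append((310.0, "printer", "print-cloud.example"))
    return sorted(events)

class DeviceGovernor:
    """Illustrative per-device governor for a home router: a flow to a destination the
    device only recently started using, above `rate` req/s for `sustain` s, is throttled."""
    def __init__(self, rate=5.0, sustain=60.0, window=1.0, new_for=600.0):
        self.rate, self.sustain, self.window, self.new_for = rate, sustain, window, new_for
        self.first_seen = {}              # (device, dest) -> first timestamp seen
        self.recent = defaultdict(deque)  # (device, dest) -> timestamps inside the window
        self.burst_start = {}             # (device, dest) -> when the over-rate run began
        self.throttled = set()            # flows already cut off; other traffic still flows

    def observe(self, ts, device, dest):
        """Classify one request (timestamps non-decreasing) as allow, throttle or alert."""
        key = (device, dest)
        if key in self.throttled:
            return "throttle"
        self.first_seen.setdefault(key, ts)
        q = self.recent[key]
        q.append(ts)
        while q[0] <= ts - self.window:   # slide the rate window forward
            q.popleft()
        over_rate = len(q) > self.rate * self.window
        is_new = ts - self.first_seen[key] < self.new_for
        if over_rate and is_new:
            start = self.burst_start.setdefault(key, ts)
            if ts - start >= self.sustain:  # anomaly has persisted long enough: act
                self.throttled.add(key)
                return "alert"
        else:
            self.burst_start.pop(key, None)  # burst ended before the threshold was met
        return "allow"

def run(events, governor=None):
    governor = governor or DeviceGovernor()
    counts, alerts = defaultdict(int), []
    for ts, device, dest in events:
        verdict = governor.observe(ts, device, dest)
        counts[verdict] += 1
        if verdict == "alert":
            alerts.append((device, dest, ts))  # the "emergency alert" the post asks for
    return dict(counts), alerts
```

Note that the thermostat's regular vendor check-ins are never touched: only the sustained flow to the unfamiliar address is cut, so the device degrades rather than bricks outright.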

Would this be annoying? Yep. War is annoying, too.

National Security isn’t Rocket Science any more, it’s Computer Science

Building rockets to launch nukes made us feel safer in the cold war. Rocket scientists were notoriously smart. But computer scientists will solve this one.

But folks, we don’t have to be rocket scientists to at least blunt this obvious attack vector. DDoS is a kind of inherently dumb and brute force tool — think medieval.

And here’s the thing: if our devices self-bricked, or were shut down by our router, we would know. My coworker Warren is fond of using the strategy of shutting things off to see if they are still being used — it’s far more effective and immediate than asking.

If something stops working and I got some simple alert somehow — flashing amber light? — I would know, or someone would, and then we could sanitize, and possibly even inoculate the device.

Inconvenient, yes. Disruptive and frustrating, perhaps. But wouldn’t that lead to demand for more clever devices and ISPs that could do a better job of prevention, detection, and mitigation?

ISPs Should Be Smarter, Too

While I don’t necessarily expect my router to be that much smarter, I sure as hell expect my ISP’s router to figure out something is not right and shut it down. My son decided it was a good idea to BitTorrent a movie. Verizon figured out that this had happened and sent me email saying this was a copyright violation.

So don’t be telling me they cannot identify a pattern — in the copyright case, they just had proper incentives to do so (thanks Sony!), and that’s a much, much harder problem.

ISPs also need to detect because one of the IoT devices I have in my house is the router, so once it’s compromised, it probably can’t do much to protect my house. We already have billions of dumb internet connected devices that are installed and active, so it’s going to take years for them to get smarter. The ISPs pay for really powerful routers and other systems. They are a key line of defense here.

Seriously, if it really was IoT devices from all of our houses that caused this problem, it means Verizon, Comcast, AT&T and all the rest were blindly letting a hugely anomalous stream of traffic through their pipes, all looking remarkably the same, and doing not a damned thing.

IoT Devices Need Upgradable Firmware, Maybe Automatic

If we can (finally) get some reliable public-key signing system in place that companies would actually use, we could have a reasonably safe system for allowing devices to get firmware upgrades, which would let them be a bit more nimble in responding to new threats. Most devices allow firmware upgrades, but it has to be automatic, and if automatic, it has to be securable.

Firmware upgrades are also a new opportunity to spread the bots that cause these attacks, so we do indeed need to make some sort of public key signing system that’s feasible and easy to use for companies.

At some point, if we know we’re compromised and have a way of removing the threat and adding some basic defenses, we have begun to finally stop ignoring security.

Big Government Needed?

Some of this just has to become law. We have a “tragedy of the commons” problem until then — no individual actor (consumer, manufacturer, service provider) has incentive enough to be the one to spend time working this out for their device.

So we need a law or two. We have mandated that cars get better mileage. Can’t we mandate that internet connected devices have some basic protections?

Time for us to put away our battle axes and shields, and invent some high-tech, Second-Amendment-worthy defenses in our home and work networking systems.

30 Years of Developing Software, 20 Years of Being a Parent, 10 Years of Being Old. (Effective: 2020)