So, you have an internet-facing server. Perhaps a slew of servers. Maybe webservers. Mailservers. Nameservers. Some sort of hardware that requires connection to internet. Requests come in and responses are served. All is good.
If you lean close to the server racks, you can hear the packets coming in. The sound is like gentle snowflakes drifting into a partially open window. The partially open window is your firewall, the open part is the internet-facing port. Your server tosses back useful snowflake replies. All is running as expected.
You also hear pops of occasional sleet hitting the window. Those are port scans. Someone, or some thing, is probing your trusty firewall for holes, for useful, vulnerable open ports. But your firewall is properly set up and no sleet gets in.
Occasionally you hear an increase of sleet against the window. Someone, or something, is port-scanning, trying a bunch of ports in sequence. No worries.
But then – cue scary music – you hear something else. It’s thrown-hard packed snowballs. A snowball storm, straight into your open window. The snowball storm is a Denial of Service attack. Worse, it’s a Distributed Denial of Service attack, coming in from many, maybe thousands and thousands of sources. Imagine thousands of robots with glowing red eyes lining up in front of your open window, all maliciously chunking ice-packed snowballs as fast and hard as they can throw. Your server is no match. It cannot reply to the legitimate traffic now lost in the fury and noise. In fact, it is overwhelmed with all the requests. Instantly, all legitimate traffic is slowed down to a crawl. Users out in the vast internets, the endless ethers, see this as slow responses or no response a’tall. People begin to hop on Twitter and crank out frustrated tweets.
The aforementioned port-scanning, usually, typically, more often than not done with the trusty program nmap, might look like this video of a visualization made with Gource. Notice the nmap scan erupting at 0:33 or so.
Gource is an OpenGL-based 3D visualization tool originally built for source control repositories. In the above case, Gource is plumbing a PF log, as described here. This makes for a useful, colorful, fun visualization.
So what does a DDoS attack – the fast and furious snowballs, in our wintry analogy – look like if visualized from the log of, say, a webserver? It looks like this, as recorded from the visualization software Logstalgia:
…as compared to the tranquility of routine traffic:
Another DDoS as visualized by Logstalgia:
And another:
In this case, notice how the DDoS attack is cut off when the firewall triggers and adds the attacking IP addresses to the blocklist:
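The firewall trigger in that video works from the same kind of data Logstalgia is drawing: a webserver access log. The following is an added example, not code from the post or from the visualization tools it mentions; it parses constructed access-log lines, counts requests per source IP over a sliding window, and reports the IPs that trip the threshold, which is the point at which a firewall rule would blocklist them. The window, threshold and sample addresses are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common/combined access-log prefix: client IP ... [timestamp] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \d+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW_SECONDS = 10   # look-back window per client (assumed value)
THRESHOLD = 20        # more requests than this inside the window -> flagged (assumed)

def parse_line(line):
    """Return (ip, datetime) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT)

def find_flooders(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding-window request counter per source IP.

    Returns the IPs that exceeded `threshold` requests within any `window`-second
    span, each reported once at the moment it first trips the rule.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:         # malformed lines are skipped, not fatal
            continue
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()            # drop timestamps older than the window
        if len(q) > threshold and ip not in flagged:
            flagged.append(ip)
    return flagged

def constructed_log():
    """Constructed sample: two ordinary clients plus one client firing 30 requests in 3 s."""
    base = "{ip} - - [29/Nov/2014:03:01:{sec:02d} +0000] \"GET {path} HTTP/1.1\" 200 512"
    lines = [base.format(ip="203.0.113.7", sec=0, path="/"),
             base.format(ip="198.51.100.9", sec=1, path="/about")]
    lines += [base.format(ip="192.0.2.50", sec=2 + i // 10, path="/") for i in range(30)]
    lines.append(base.format(ip="203.0.113.7", sec=8, path="/contact"))
    lines.append("garbage line that should be skipped")
    return lines

if __name__ == "__main__":
    for ip in find_flooders(constructed_log()):
        print("blocklist candidate:", ip)
```

A real deployment would feed the flagged addresses to the firewall (PF tables, for instance) with an expiry, so that a spoofed or shared address is not blocked forever.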
And also like this, as recorded from the Norse Attack Map in the early morning hours of November 29, 2014:
And this, on Christmas Day 2015:
And this, October 2016:
A takeaway from those videos is it’s always a good idea to pair epic ominous music to DDoS attack videos. The second takeaway is, like, OMG.
Aside from preventing users access to their favorite websites, social media, or your own web applications and whatnot, what else could go wrong? Well, the heat could be turned off. Across entire cities. A bad thing during winter, especially places where winter is serious business.
What are the sources of such horrific attacks, originating from thousands of IP addresses? In a word, botnets. A botnet is a bunch of machines, a network of machines, corralled to do nefarious things to other machines on the internet. Botnet actions are communicated and controlled by Command and Control infrastructure.
How can this possibly happen, you may ask. In the olden days, say, last year or so, botnets were usually made up of commandeered personal devices, usually without their owners’ knowledge. Taking over computers, in other words, recruiting computers, is accomplished in a number of ways. One of the most common is phishing, whereby naive users are tricked by spoofed email that appears to be email from someone or some institution they trust. Typically, such email is HTML-based, constructed to be an exact duplicate of legit email with hidden links and/or executing code. Corporations continue to use HTML-based email even though anyone can duplicate it and pepper it with all sorts of hidden land mines. (Safety Tip: Just switch the emailer to always strip HTML, show only plain text, and send only plain text.)
But there are new botnets in town. Botnets woven of things on the internet. Devices of the Internet of Things realm. All those things being hooked up to the internets and webtubulars. Your basic light controllers, smart refrigerators, DVRs, IP cameras, garage openers, coffee makers, on and on. For the “smart” home, using “smart” things. Alas, things not so smart, since manufacturers did not take security seriously. Easy factory default passwords. Easy access. Phishing not required. Just sneak right in and install malware from afar.
All along, as the Internet of Things proliferated across the world, such things could easily be searched and discovered and possibly exploited.
Anyone can do it; one search engine for finding exposed devices on the internet is Shodan. In fact, it’s a good idea to run the search on IP addresses you want to protect, just to see what shows up. A good infosec defense always starts with tests and a profound understanding of your own, or your company’s, digital footprint. For example, what cams can be seen by everyone? What devices in the house or company that were intended for intranet use only are visible on the internet, perhaps due to shoddy firewall work or poor security implementation of the device itself? These are really good things to know. Someone will know, and the sooner you know, the sooner you can fix it, shore up defenses, protect stuff.
In Part II of this series, we’ll talk about all those vulnerable things on the internet herded into huge, monstrous botnet leviathans. In the meantime, as you study the superb Mouser Electronics website for sturdy components to include in your next cool IoT device design, be sure to think about how easy it is to find your IoT devices on the internet and the advantages of designing in security from the start.