Can standards help prevent DDoS attacks, or is it beyond industry's control?
We have seen the increase in DDoS attacks and witnessed the damage they inflict on Internet performance and server accessibility, negatively affecting our business enterprises and our mission-critical operations. One example from 2016 that had a major and far-reaching impact was the DDoS attack against the Domain Name Service (DNS) provider Dyn. How did that incident occur, and could it have been prevented? Would conformance to existing standards have helped?
First, how did the Dyn incident cause such a large impact, preventing access to major Internet services like Amazon, Netflix and others? The Dyn attack took advantage of a large number of devices connected to the Internet; some sources cite tens of millions. In this case the devices were primarily consumer devices, the type that make up the ever-expanding "Internet of Things": printers, surveillance cameras, routers and even baby monitors that had been vulnerable to infection by the Mirai malware. This widespread infection was used to create a botnet that carried out the largest DDoS attack to date.
The Mirai malware, which had been published by hacktivists as open source shortly before the attack, scans for and infects vulnerable IoT devices using known and readily available passwords. Once a vulnerable device is found, it is infected and becomes part of a Mirai "botnet", which can then be used to launch DDoS attacks from millions of devices. Once activated, the botnet sent an estimated 1 terabyte per second to Dyn's DNS servers. Many major companies use Dyn to translate their domain names into IP addresses, so when the botnet flooded Dyn with requests from infected devices, legitimate requests to reach those companies were denied.
Would standards have helped mitigate this? Ultimately this attack was primarily a consequence of users not changing the default passwords on their devices once they were connected to the Internet. One might call this operator error, but it can also be tied to poor practices on the provider side: manufacturers not communicating the importance of changing default passwords. In other cases, manufacturers were shipping those devices with well-known default passwords hardcoded in the product's firmware. Consequently, the operators could not change the password without getting a new product. In both cases, the devices were left vulnerable.
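The manufacturer-side fix the paragraph points at, a device that refuses to keep running on its factory credential, sketched as an added example (not code from the article, The Open Group or any device vendor); the `DeviceAuth` class is hypothetical and `KNOWN_DEFAULTS` is a constructed sample list, not Mirai's actual dictionary:

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample of passwords commonly tried by IoT-scanning malware;
# a real device would ship a much longer list and update it with firmware.
KNOWN_DEFAULTS = {"admin", "password", "12345", "root", "default"}


class DeviceAuth:
    """Hypothetical per-device credential store. The factory password is
    unique per unit and flagged must-change, so the first login can only
    set a new password, and the replacement may not be a known default."""

    def __init__(self, factory_password: str):
        self._salt = os.urandom(16)
        self._hash = self._derive(factory_password)
        self.must_change = True  # nothing else works until this is False

    def _derive(self, password: str) -> bytes:
        # Salted PBKDF2 so a leaked firmware image does not reveal the secret.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str) -> str:
        """Return 'denied', 'change-required' or 'ok'."""
        if not hmac.compare_digest(self._derive(password), self._hash):
            return "denied"
        return "change-required" if self.must_change else "ok"

    def set_password(self, current: str, new: str) -> bool:
        """Rotate the credential; refuse short, default or unchanged values."""
        if self.login(current) == "denied":
            return False
        if len(new) < 12 or new.lower() in KNOWN_DEFAULTS or new == current:
            return False
        self._salt = os.urandom(16)  # fresh salt for the new secret
        self._hash = self._derive(new)
        self.must_change = False
        return True


def provision_factory_password() -> str:
    """Per-unit factory secret generated at manufacture, never a shared default."""
    return secrets.token_urlsafe(12)
```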
Could either of these causes have been prevented by conformance to security standards?
One standard that addresses these product integrity and supply chain security issues is the Open Trusted Technology Provider Standard (O-TTPS), recently approved as ISO/IEC 20243. It is a set of best practices to be applied throughout the product's life cycle (design to disposal), including supply chains, in order to reduce the risk of tainted (e.g. malware-enabled or malware-capable) and counterfeit components (hardware and software) making their way into products that are connected to the Internet. This particular standard also has a conformance program that identifies Open Trusted Technology Providers who conform to the standard.
In the case of the Dyn incident, if the vendors of the IoT devices had followed the O-TTPS requirements for vulnerability analysis and for notification of newly discovered and exploitable product vulnerabilities, the vulnerability that allowed this massive botnet to be assembled would have been caught and the attack vector blocked.
So, can standards prevent DDoS attacks? We can't prevent these attacks, but following widely accepted standards and best practices for secure development and delivery can mitigate their effectiveness and limit the economic damage they cause.
Sally Long, director of consortia services, The Open Group
Dave Lounsbury, CTO, The Open Group
The January issue of Supply Chain Digital is live!