And It’s Going to Happen Again.

Last week the Internet experienced the largest cyber attack in history. Many popular websites went offline for the better part of a day as three waves of cyber attacks hit the DNS infrastructure company DynDNS.

But how could an attack on a single infrastructure company wreak such havoc across the entire Internet?

Because DynDNS is a service that provides Domain Name System (DNS) translation services for many popular websites like Twitter, Paypal, Reddit, Netflix (Netflix? What kind of monster tries to take down Netflix?), GitHub, and others.

What is Domain Name System translation? DNS translates machine-readable IP addresses like 216.58.217.206 into human-readable URLs like www.Opto22.com. So when you surf the Internet you can easily remember a catchy URL like snappacsareawesome.com instead of some lengthy set of cryptic numbers. You type in the catchy URL, and DynDNS or another service translates that into the IP address, which delivers the webpage you want. No translation, no webpage.

But what caused the attack?

The Internet Reserves the Right to Refuse Service

Have you ever felt overwhelmed when too many people are asking you questions about something at the same time? The same thing can happen to our Internet devices. The Dyn attack was caused by something called a Distributed Denial of Service Attack or DDoS (pronounced Dee-Dos). DDoS attacks work by sending so many requests to a site or service that it struggles to service those requests and eventually goes down or becomes impossibly slow under the weight of them all.

DDoS attacks have been around for years, but they’ve gotten a lot worse recently. A big driver is the growth of the Internet of Things (IoT). In simple terms, there are now billions of Internet-connected devices that attackers can hijack and organize into something called a botnet.

A botnet is a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, for example, to send spam messages. Today’s IoT devices—such as security cameras, in-home Internet routers, DVRs—are effectively computers, except with a lot less security in many cases, which makes the attacker’s job of building botnets easier than ever. During the attack on Dyn, network traffic spiked to 40-50 times higher than normal.

The modern botnet is one of the most powerful attack techniques available to today’s cybercriminal. Because of their sheer size and the difficulty involved in detecting them, botnets can operate under the radar for long periods of time. As an example, the Zeus botnet operated for over three years in this fashion, netting the perpetrators an estimated $70 million in stolen funds before the FBI arrested over 100 individuals in 2010.

Open-source Malware

To make matters worse, the source code for the malware (malicious software) used to carry out the attack on Dyn, called the Mirai BotNet, was recently published on the open-source software repository site GitHub.com. This means anyone can download the malicious code and modify it to suit their criminal needs.

So how does one defend against this type of attack and keep their automation assets safe?

Basic Cyber Security

This is not an exhaustive list, but here are some steps you can take to secure your network and automation systems:

• Stay up to date with software patches on all of your devices. Software patches and updates include bug fixes, and software bugs are what hackers use to crack into your systems and networks.
• Patching is key to security. If you’re running your HMI software on a Windows operating system that is no longer supported by Microsoft (meaning you no longer receive software updates)—Houston, we have a problem.
• Change the default username and password on all of your devices—servers, routers, computers, phones, tablets, baby monitors, security systems, anything that’s Internet-enabled. Don’t use simple, easily guessed passwords. Use a passphrase. Read more about passwords and passphrases.
• Run a port scan on all of your systems to identify potential attack vectors through open and unused TCP/UDP ports and services. Don’t know what a port scan is? Read about port scans.
• Monitor your automation network traffic for IRC traffic. IRC is Internet Relay Chat, a common communication method used by cybercriminals and malicious software. The default port number ranges for IRC traffic are 6660-6669 and 7000. Need to learn about network traffic monitoring? Download the free network analysis tool Wireshark and start playing around with it.
• Don’t use insecure data communication paths. Always use encrypted and authenticated methods of moving data around your network.
• Install a firewall and intrusion detection system.

Security In Opto 22 Products

At Opto 22 we understand the importance of building security into a product from the very beginning.

Our groov Box (the easy-to-use tool to build and view mobile operator interfaces for automation applications) requires you to change the default username and password before you can even start using it.

All communications between groov and devices that use a groov mobile operator interface are encrypted and require authentication.

groov owners should be careful with user credentials and make sure their people who use the groov interface understand and pay attention to security issues.

It’s also a good idea to segment automation systems and sensitive pieces of equipment from the general network. One way is to use the separate Ethernet network interfaces on your groov Box or SNAP PAC controller.

A few more resources:

• Here's more info on groov security.
• The Guide to Networking groov includes the basics of setting up networks and defines networking terms.
• If you’re interested in learning more about securing mobile devices in automation applications, check out our Using Off-the-Shelf Mobile Devices white paper.

If you have questions on network security or how to protect your automation assets from cyber attack, we can help. Contact one of our engineers for free assistance.