The popular right-leaning web portal The Drudge Report was briefly knocked offline last week. Incidents like this will only become more common until policymakers or tech companies get serious about securing connected gadgets, also known as the internet of things (IoT).
In a since-deleted post, the site’s verified @DRUDGE account on Twitter wrote last week, “Is the US government attacking DRUDGE REPORT? Biggest DDoS since site’s inception. VERY suspicious routing [and timing],” as the International Business Times reported.
The Drudge Report did not respond to a request Friday for more details about the suspicious timing and routing.
Traffic to the Drudge Report is gigantic. Similar Web estimated it saw 178 million visits in November and that almost 80 percent of that traffic was direct. In other words, rather than clicking over from Facebook or finding it in search, visitors typed the URL into their browser or have it set as the page their browser opens on launch.
The importance of Drudge to other publishers cannot be overstated. In addition to its ability to point a firehose of traffic toward other sites, the careful curation of its founder, Matt Drudge, acts as something of a seal of approval for sites seeking the approbation of one of the very few people in American media capable of single-handedly driving the national conversation.
For those who haven’t visited, the site is overwhelmingly devoted to links to other sites. Web analytics platform Parse.ly currently estimates that 0.7 percent of all referral traffic to the sites it monitors comes from Drudge. That is three times Reddit’s share and just 0.1 percent behind Google News.
What is a DDoS attack?
The term has been thrown around so much lately that people may be reading it without knowing what it is. It is often called a “hack,” but that label is debatable: some would argue that a DDoS attack is no more a hack than kicking a door down is picking a lock.
DDoS stands for “distributed denial of service.” An attack overwhelms a site (or any other network node) with traffic from many sources at once, so much traffic that the site becomes unavailable to legitimate visitors. The attack does nothing to the site itself beyond potentially running through its hosting and bandwidth budget; nothing is stolen or altered. Once a DDoS attack is over, the site is there, same as ever, undamaged.
Bruce Schneier described a DDoS attack in real world terms this way: imagine a bunch of people called every delivery service in town at once and asked them all to deliver something to your house. Your house is fine, but no one can get to it because the roads around it are clogged.
In that sense, DDoS attacks don’t really “hack” the target site. There are a lot of ways to build a DDoS system, though, and that’s where the cleverness comes into play.
These days, DDoS systems do rely on hacking their weapons: compromised devices connected to the internet, such as routers, printers and TVs. Ironically, security cameras are probably the most dangerous. Consumers buy smart home gadgets and never change the factory username and password, and when the device’s remote administration interface is reachable from the internet, that leaves it open to automated login by criminal software. Mirai, for instance, logs in over telnet with a list of a few dozen factory credentials.
The malware scans for these devices, installs itself on them and then directs them to send requests to a target IP address when an attack is on. The owner of the device probably won’t notice. A request from any one device wouldn’t be enough to impact a site, but multiplied across hundreds of thousands of devices it can be enough to shut a site down.
The resulting network of hijacked devices is called a “botnet.” Your baby monitor or smart refrigerator could be taking part in one and you would have no idea.
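The owner would have no idea by looking at the device, but the behaviour described above is visible at the network edge. The following is an added example, not code from the original article or from any botnet, that flags LAN hosts showing either of two Mirai-style patterns in ordinary flow records: a flood of connections to one external host (the DDoS itself) and outbound telnet attempts against many distinct hosts (recruiting new bots). The LAN address range, the thresholds and the flow records are all assumptions constructed for the example.

```python
"""Flag LAN devices whose outbound traffic looks like a Mirai-style bot.

Two indicators, both visible in ordinary flow (NetFlow/IPFIX) exports from the
edge router, without touching the device:
  1. flood: one internal host opens an unusual number of flows to a single
     external host inside a short window (the device is taking part in a DDoS);
  2. telnet-scan: one internal host tries tcp/23 or tcp/2323 on many distinct
     external hosts inside a short window (the device is recruiting new bots).
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/16")   # assumption: the home/office address range
TELNET_PORTS = {23, 2323}            # ports Mirai-family bots scan for
WINDOW = timedelta(seconds=60)
FLOOD_FLOWS = 20                     # flows from one src to one dst within WINDOW
SCAN_TARGETS = 10                    # distinct telnet targets from one src within WINDOW


def parse_flow(line):
    """Parse one whitespace-separated record: ts src dst proto dport packets."""
    ts, src, dst, proto, dport, packets = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "packets": int(packets)}


def _prune(entries, now):
    """Drop entries (ts, ...) older than WINDOW; entries arrive in time order."""
    cutoff = now - WINDOW
    while entries and entries[0][0] < cutoff:
        entries.pop(0)


def find_bot_candidates(lines):
    """Return {internal_src: set(reasons)} for hosts matching either indicator."""
    flows = [parse_flow(l) for l in lines if l.strip() and not l.startswith("#")]
    flows.sort(key=lambda f: f["ts"])
    per_pair = defaultdict(list)   # (src, dst) -> [(ts,), ...] recent flows
    per_src = defaultdict(list)    # src -> [(ts, dst), ...] recent telnet attempts
    verdicts = defaultdict(set)
    for f in flows:
        # Only LAN -> internet traffic matters; inbound connections are not the bot's doing.
        if ip_address(f["src"]) not in LAN or ip_address(f["dst"]) in LAN:
            continue
        pair = per_pair[(f["src"], f["dst"])]
        pair.append((f["ts"],))
        _prune(pair, f["ts"])
        if len(pair) >= FLOOD_FLOWS:
            verdicts[f["src"]].add(f"flood:{f['dst']}")
        if f["proto"] == "tcp" and f["dport"] in TELNET_PORTS:
            scan = per_src[f["src"]]
            scan.append((f["ts"], f["dst"]))
            _prune(scan, f["ts"])
            if len({dst for _, dst in scan}) >= SCAN_TARGETS:
                verdicts[f["src"]].add("telnet-scan")
    return dict(verdicts)


def sample_flows():
    """Constructed flow records, not a real capture: a laptop browsing normally,
    a camera flooding one web server, and a DVR scanning the internet for telnet."""
    base = datetime(2016, 12, 30, 19, 0, 0)

    def at(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = ["# ts src dst proto dport packets"]
    lines += [f"{at(10 * i)} 192.168.1.20 198.51.100.{i + 1} tcp 443 40" for i in range(5)]
    lines += [f"{at(i)} 192.168.1.50 203.0.113.10 tcp 80 3" for i in range(30)]
    lines += [f"{at(i)} 192.168.1.51 203.0.113.{100 + i} tcp 23 1" for i in range(25)]
    lines.append(f"{at(0)} 203.0.113.5 192.168.1.20 tcp 443 2")   # inbound, ignored
    return lines


if __name__ == "__main__":
    for host, reasons in sorted(find_bot_candidates(sample_flows()).items()):
        print(host, ", ".join(sorted(reasons)))
```

The thresholds are deliberately crude; on a real network they would be tuned per device class (a camera has no business opening twenty connections a minute to one web server, a laptop downloading updates might). The point is that the device’s own owner can see this from the router, even when the device itself shows nothing.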
We previously reported on three strategies for beating botnets.
Who hit the Drudge Report?
This is basically impossible to answer; that is the aggravating nature of a distributed attack. Attackers also make attribution harder by publishing their software. The source code of the Mirai botnet, for example, which took the DNS provider Dyn offline in October, was posted publicly. Setting up a botnet is not trivial, but the code’s availability means there are more than a few adversaries out there who can use it.
The attack appears to have been short, based on the reporting. IB Times wrote that it started around 7 PM. The Washington Times checked at 8:30 PM and the site was back up, so the outage couldn’t have lasted longer than about 90 minutes.
“There are DDoS for hire sites that will launch hundreds of gigabits of attack traffic at a site and charge on a per-minute basis,” Matthew Prince, the CEO of Cloudflare, a company that helps sites mitigate DDoS attacks, wrote in an email. “The cost of these services is relatively low, likely well less than $1,000 for a 90-minute attack.” The Drudge Report is not a Cloudflare customer.
If more were known about the nature of the attack, the sophistication of the adversary could say something about its identity.
“The number of actors who can perpetrate the most advanced attacks are still fairly limited,” Andy Yen, co-founder of Protonmail, told the Observer in an email. “Generally, the sophistication of the attack is a good indicator, for example, what are the attack vectors, how many networking points are being hit simultaneously, and how quickly the attackers are able to counteract defensive measures.”
Protonmail provides end-to-end encrypted email, and that has put a target on its back. In 2015 it was hit by two DDoS attacks at once, as the Observer reported. Yen explained that the company knew the larger of the two was serious when it became clear that the attackers were hitting multiple European network nodes at the same time, to make it harder for the service to route traffic around the attack. That level of coordination pointed to something more capable than a criminal gang, perhaps even a nation-state.
Will DDoS attacks get worse?
It looks that way, but not everyone agrees.
Verisign just released a report saying that the number of attacks has been going down even as their size has increased. Verisign customers saw vastly larger attacks last year than the year before, although the attacks shrank again as the year went on. The report covers only through the third quarter of last year, so its numbers end just as the record attacks on Krebs (late September) and Dyn (October) were landing; Verisign did, however, observe a record setting attack on one of its own customers during that quarter.
There’s little market incentive to fix the problem, as Schneier explained on his blog. A consumer buys a connected nanny cam. He checks it on his phone every now and then. It seems to work. He’s happy. Its manufacturer has already been paid. It’s happy. Meanwhile, it’s sending out one of millions of pings to some site under attack. The victim of the attack was not involved in this transaction at all.
More cybercriminals get into the DDoS-as-a-service business every day, while governments and hardware makers dawdle. The Merkle reports that the line of business is only becoming more profitable: veterans are making money not by running attacks but by getting paid by newer entrants to help them get started.
With the Mirai source code public and its effectiveness proven, more people looking for a quick buck are getting into the business. With more players in the market, prices will fall. Professionals will modify Mirai and other code bases and the malware will evolve. In fact, Imperva has already detected a new botnet capable of a 650Gbps attack whose signature differs from Mirai’s.
As Brian Krebs (whose site was hit by its own giant attack last year) has reported, many IoT devices have started requiring the user to change the default password during setup. That’s all well and good, but people are bad at choosing passwords. Expect the next iteration of Mirai to try the top 1,000 most commonly used passwords rather than just a few dozen factory defaults. Eventually, attackers could use machine learning to generate likely passwords.
New products also do nothing for old devices that users may not even remember are connected to the internet. How many thousands of small businesses have routers and printers that they haven’t really thought about for years and definitely don’t have time to think about today?
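Both of the previous two points, default passwords that nobody changed and weak passwords that people chose, and the earlier point about factory credentials, reduce to one question a defender can actually check: which of my devices would a dictionary like Mirai’s log into? The following is an added example, not code from the original article or from any vendor, that audits a device inventory against a small factory-default dictionary and a short excerpt of a common-password list. The inventory, the device names and the credentials are constructed for the example; the two dictionaries are illustrative excerpts (the factory pairs are ones widely reported from the published Mirai source), and a real audit would load the full lists.

```python
"""Audit a device inventory for credentials a Mirai-style bot would guess.

Mirai does not crack anything: it logs in with a short dictionary of factory
defaults. The next step the article anticipates is a dictionary of the most
common human-chosen passwords. This check asks the defender's version of the
same question: which of my devices would fall to either list?
"""

# A few of the factory user/password pairs widely reported from the published
# Mirai source. Illustrative excerpt only; a real audit would load the full list.
FACTORY_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", ""), ("admin", "password"),
    ("root", "root"), ("user", "user"), ("admin", ""), ("root", "pass"),
    ("ubnt", "ubnt"), ("guest", "guest"), ("service", "service"),
}

# Stand-in for "the top 1,000 most commonly used passwords": the head of the
# well-known leaked-password frequency lists. Illustrative excerpt only.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "12345", "1234",
    "111111", "1234567", "dragon", "123123", "baseball", "abc123", "football",
    "monkey", "letmein", "shadow", "master", "696969", "mustang", "welcome",
    "login", "princess", "sunshine", "iloveyou", "trustno1",
}

MIN_LENGTH = 12   # assumption: local policy for device passwords


def assess(username, password, model=""):
    """Classify one credential; the weakest applicable verdict wins."""
    if (username, password) in FACTORY_DEFAULTS:
        return "factory-default"
    low = password.lower()
    if low in COMMON_PASSWORDS:
        return "common-password"
    # A bot that knows the login name or the product name will try those too.
    if (username and username.lower() in low) or (model and model.lower() in low):
        return "weak"
    if len(password) < MIN_LENGTH:
        return "weak"
    kinds = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    classes = sum(any(kind(c) for c in password) for kind in kinds)
    if classes < 3:
        return "weak"
    return "ok"


def audit(inventory):
    """inventory: iterable of (device, model, username, password).
    Returns [(device, verdict)] for every device, worst verdicts first."""
    order = {"factory-default": 0, "common-password": 1, "weak": 2, "ok": 3}
    results = [(device, assess(user, pw, model)) for device, model, user, pw in inventory]
    return sorted(results, key=lambda r: (order[r[1]], r[0]))


# Constructed inventory for the example; not real devices or credentials.
SAMPLE_INVENTORY = [
    ("nanny-cam",   "H264DVR",    "root",  "xc3511"),
    ("front-door",  "CamPro",     "admin", "admin"),
    ("wifi-router", "HomeGate",   "admin", "letmein"),
    ("printer",     "LaserJet",   "admin", "Laserjet2016!"),
    ("fridge",      "SmartChill", "owner", "Lp7m-zebra-KITE-402!"),
]

if __name__ == "__main__":
    for device, verdict in audit(SAMPLE_INVENTORY):
        print(f"{device:12} {verdict}")
```

The ordering matters in practice: the factory-default and common-password hits are the devices that will be recruited within minutes of being exposed, so they go to the top of the list; "weak" covers the passwords a slightly smarter dictionary (login name, product name, short strings) would reach next.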
What can I do?
Not much, but this wouldn’t hurt: figure out how to get into the administrative interface of every device you have connected to the internet. Turn it off, unplug it, turn it back on, log into the back end and change the password to something long and unique that no dictionary would contain. The reboot clears malware like Mirai, which lives only in the device’s memory; the new password is what keeps it from coming straight back. While you are there, install any available firmware update and, if the device offers the option, turn off internet-facing remote administration.
Letting your elected leaders know that you’d like to see laws and regulations that require makers of connected devices to protect the internet wouldn’t hurt, either.