Last week’s massive Internet attack against Dyn Inc. temporarily shut down some of the Internet’s biggest sites, including Twitter, Spotify, and Netflix. It also raised big questions about the state of Internet security. And according to academics and network engineers, there are no simple answers to any of them.
The attack was aimed at the Manchester, N.H.-based company’s Domain Name Service, or DNS, a network of computers that acts as the Internet’s directory service. DNS translates easy-to-remember names like bostonglobe.com into a numerical address that let our computers connect to the website.
By overwhelming Dyn with vast amounts of illicit Internet traffic, the unknown assailants halted or slowed service to dozens of other sites. A posting on Dyn’s website reported that its DNS system was operating normally as of Saturday; the company declined to comment further.
If every major DNS provider were to go down, so would the Internet. Can this vital system be made more secure?
Up to a point, said Karen Sollins, principal research scientist at the Massachusetts Institute of Technology’s Computer Science and Artificial Intelligence Laboratory.
Sollins said while there are dozens of DNS service providers, we’d be better off with many more.
“We need more copies, more resiliency to attacks,” she said. “You really want them in different places with different companies, running on different power sources.”
In addition, companies that rely on DNS services should subscribe to at least two of them, so their sites remain accessible if one goes down.
The Friday attack was also alarming because much of the traffic came not from standard computers but from the “IoT” or “Internet of things” — inexpensive electronic devices connected to the Internet, like security cameras and digital video recorders. Many of these devices are cheaply made by companies that don’t invest in securing their software against hackers.
On Monday, Hangzhou Xiongmai Technology of China, which made the electronics in many of the infected devices, said that it would recall some of its products in the United States and issue software patches for others.
Dan York, DNS security program manager for the Internet Society, an organization that sets technical standards for the global network, said that IoT device makers have no incentive to clean up their act.
“Right now there’s not much financial impact if you ship insecure software,” said York. After all, a compromised device harms not its owner but a nameless victim who may be on the other side of the world.
In an ideal world, the Internet itself would be designed to make this kind of network attack impossible. York said that Internet service providers (ISPs) could install software on their networks that would at least make such attacks less effective, by automatically blocking certain kinds of illicit traffic before it ever reached its target.
Some of the major service providers use these methods, said York, but many others do not.
Andy Ellis, chief security officer of Akamai Technologies Inc., a major network security firm in Cambridge, said we’ll never build an attack-proof network.
Instead, he wants to install a filtering device in every home that would detect attack traffic from infected household devices, and prevent it from reaching the Internet. There’s just one problem — persuading consumers to buy it.
Once again, they have little to gain from blocking hostile traffic aimed at someone else. “Until they feel the pain,” said Ellis, “where’s the market incentive?”