SciTech

DDoS attack noticeably compromises mainstream websites

Credit: Isabelle Vincent/ Credit: Isabelle Vincent/ Credit: Isabelle Vincent/ Credit: Isabelle Vincent/ Credit: Isabelle Vincent/ Credit: Isabelle Vincent/

Last week, a wide scale Distributed Denial of Service (DDoS) attack struck the internet, shutting down major websites such as Twitter for small, yet noticeable, periods of time.

The DDoS attack was aimed at Dyn, an internet infrastructure company based in New Hampshire. Dyn is a Doman Name System (DNS) services company. The incident took place in the form of three repeated attacks in one day, which flooded Dyn’s internet directory servers with malicious requests from millions from servers. These attacks lead to internet disruptions over the East coast and some parts of the West coast. In an article on the popular technology magazine Wired, Dyn described the attack as “very sophisticated and complex.”

A DDoS attack is characteristically simple; it involves simply overwhelming a server with requests, much like blocking an entrance to a building by sending too many people through the door at once. Usually, large companies with formidable firewalls can prevent such simple raids.
Thus, DDoS attacks are effective because they attack channels of communication such as routers and servers as opposed to attacking a single website.

Yet, the fact that a DDoS attack successfully disrupted so many mainstream websites raises concerns regarding the safety of the internet. If such a simple attack — when executed artfully — can shut down major websites, how much damage could a more sophisticated hack cause? Consequently, how should we conduct ourselves online when web security protocols are vulnerable to the most forceful of breaches?

Furthermore, the recent attacks on Dyn have been reported to be of a class of DDoS that infects objects on the IoT (Internet of Things). Thus, as the world begins to move towards greater IoT connectivity, it becomes harder to monitor what information we put out over the internet.

The current design of the internet may be inherently insecure, as the web was not built with air-tight security in mind. Perhaps the only way to be safe is to take security into your own hands, and not to rely on the security provided by others to protect you. Also, fully securing the internet may be detrimental to one of the most critical functions of the web: increasing our freedom to information. The security vs. freedom tradeoff is an old debate, but perhaps it is no more prevalent than when considering the consequences of a “100 percent hack free” net. For example, a fully secure internet would require some sort of authority to decide what may be allowed and what is not.

Is this truly what we desire the internet to be? Access to boundless information may, by its very nature, give others endless access to our own information. Technology may not be the ideal solution to internet vulnerabilities. We may have a social problem, rather than a scientific one. If individuals do not take responsibility into their own hands, technologically securing online interaction without sacrificing freedom of information may be futile. In this sense, internet security can be considered a social engineering problem. We must teach people how to be vigilant online, and how to protect their information. These practices can be very simple, such as not opening emails from unknown senders with hundreds of recipients. Yet, many of these protocols are far from common sense. Furthermore, online resources could be designed to ease the process of securing one’s data.

Nonetheless, even if these procedures are widely adopted, it is still naive to assume our information would be impenetrable. How should our government communicate critical and confidential information, which could have catastrophic repercussions if leaked?

The recent email scandal involving Hillary Clinton only underscores the tremendous vulnerabilities in networked systems. Linking servers together on isolated networks, not unlike the “ARPANET,” is most likely the solution our government currently implements.

Yet even these networks are vulnerable, though it is perhaps a step in the right direction. Asking our leaders to fully isolate their information to non-networked devices could simply be too infeasible for realistic implementation, and we must accept that there is a small, but certainly present, chance that our country’s most crucial security can be stolen. A solution may lie within the benevolence of major software corporations. For example, Google will alert users if it appears that their computer has become a “zombie,” i.e. a computer that has been maliciously hijacked to execute attacks such as DDoS on other systems. In this sense, the future may belong to “white-hat hackers:” an almost priest-like group of individuals who bestow knowledge of technological security unto the masses, and who alert the populace when cyber evils are present. Due to the complexity of internet security, we may have no choice but to surrender our freedoms to these “anointed” individuals.

But such a future is far from optimal and will be resisted by those who wish to understand and maintain their security privately. Like many topics discussed at Pugwash, the solution may lie within society, and not technology. If we wish to live our online lives protected from malicious intents, without heavily relying on external sources of knowledge for our every transaction, we must educate individuals on all relevant matters of online security. It may also help if we refrained from opening emails sent by Nigerian Princes, no matter the potential monetary reward.

Student Pugwash is a non-advocacy, educational organization that discusses the implications of science. This article is a summary of last week’s discussion on the DDoS attack.