I collect distributed denial of service (DDoS) stories. Part of my job is to explain to audiences and customers how a particular defensive technology can mitigate new attacks. While engineers might be drawn in by the technological talk, laymen and managers are more likely to get engaged when they are introduced to the actors in the drama.
Fortunately, the DDoS world is populated with very colorful characters, the anonymous (yet famous) patriot-hacker The Jester being a prime example. When he disrupts a Jihadist website, he tweets a “Tango Down” notification. However, The Jester doesn’t typically attack the websites of SecurityWeek readers. So even though he is fun to talk about, I’m always on the lookout for new DDoS stories relating to enterprises or service providers to add to my collection.
I recently heard about an interesting DDoS story in New Zealand involving the nude selfies of cover girl Kate Upton and Hunger Games star Jennifer Lawrence. The photos were stolen from Apple’s iCloud service. The story seemed like the perfect, illustrative fable about everything that is wrong with Internet security today. It had all the classic buzzwords: cloud security, malware, DDoS, Apple, 4chan, and lazy, lustful Internet users.
But while parts of the story were true, others…not so much. The original story went like this:
1. Attackers breached the security of Apple’s iCloud services and exfiltrated the personal data of dozens of celebrities, including nude photos of Kate Upton, Jennifer Lawrence, and others.
2. They posted the photos to the 4chan message board and called the event “The Fappening.” The 4chan photos were quickly taken down but had already spread to lesser-known sites.
3. Public demand to see the photos was so high that millions of people turned off the SafeSearch features of their browsers and went looking for the photos.
4. Malicious sites used the photos as bait to get people to download free “image viewers” for their PCs and iPads. These programs were actually malware.
5. The malware then launched a distributed denial of service attack that disrupted service across New Zealand’s major Internet service providers.
I happened to be on my way to New Zealand when the story broke, so when I arrived there I met with representatives of the ISPs, and they gave me the real story behind the DDoS attacks.
The first third of the story is more or less true; the personal data of the celebrities was indeed ex-filtrated from iCloud. Apple claims that it was due to the weak iCloud passwords used by the celebs themselves, but that explanation is just semantics. If you read an EULA carefully (many of them 25 pages or more), you will find that you personally are responsible for the security of your data in the cloud. That’s the state of cloud security today. The middle part of the story is true as well: nearly every site hosting the celebrity photos was also hosting some kind of malware.
The last part is where the story goes off track. While there was an ISP outage in New Zealand in the days after the iCloud breach, the two events were not correlated. The ISP outage was caused by a more arcane (and therefore less sexy) security issue: bring your own modem (BYOM). As in the U.S., in New Zealand, some customers are allowed to bring their own cable modems (often from their previous service provider) when they sign up for Internet service. Approximately 5-10,000 customers had brought with them an old cable modem that was susceptible to a recently found vulnerability.
The cable modems could easily be reset to factory settings, whereupon they offered an open name resolving service on their external interfaces. The devices were then coaxed into participating in a DNS amplification attack. DNS amplification attacks have become a critical problem across the Internet in the last 18 months. They are very easy to trigger and can cause massive disruption. Several of the largest DDoS attacks in the last two years have been DNS amplification attacks. The Open Resolver project tracks millions of devices that are vulnerable to this exploitation.
It is very difficult to trace the origin of DNS amplification attacks. In this case, the perpetrators of the attack were never identified. Even more interestingly, beyond knowing that the target addresses were somewhere in Eastern Europe, the victims of the attack were never identified, either.
No one patches their cable modems (honestly, I have no idea how to do that, and I’m a network security professional), so it took days for the service providers to track down enough of these customers to unclog the networks.
In a way, it’s strange that an unknown party would leverage thousands of cable modems in New Zealand to attack another unknown party in Eastern Europe, but honestly, this is the kind of thing that goes on all the time across the Internet these days. Someone sneezes in Auckland and someone in Poland catches a cold.
Ultimately, it turned out to be sheer coincidence that the attack happened in the days just after the iCloud breach. The media was so taken with the idea that Kate Upton nude photos had caused a DDoS attack that they just took the story and ran with it. It’s not difficult to understand why; it is basically a modern fable of Helen of Troy, whose face launched a thousand ships in the Peloponnesian war. But this is the “boobs that launched a thousand bots.”
So, as far as DDoS stories go, this was a pretty good one. Even if it wasn’t entirely true the way it was presented. If there is a teachable moment in any of this, perhaps it is to pose this question: what kind of infrastructure have we built that allows a private skirmish between unknown parties to disable Internet access for large segments of an entire country?