When a large-scale, internet-affecting DDoS attack occurs, you can't help but notice. Even if there hadn't been attention-grabbing headlines from a slew of major news outlets, there's a better than average chance that you were aware of the outage. You couldn't get to your morning crossword puzzle; your fantasy team's lineup needed some tweaks, but the page wasn't responding. The services you frequent simply weren't reachable.
Earlier this week, Dyn was the latest victim of a coordinated, distributed attack by a swarm of compromised, internet-connected devices, this time the "Mirai botnet", made up of members of the so-called Internet of Things. IoT devices make an attractive army for delivering DDoS attacks: they're simple computers, they have network access, they proliferate, and they are commonly deployed by end users still running their manufacturer-supplied administrative passwords. These "Things" (usually IP cameras, network-equipped printers, home routers, DVRs) wiggle their way onto the internet; once there, they've got a publicly routable IP and port and are sitting ducks. It's not unusual for an IoT device to be compromised within minutes of its installation.
Compromised IoT devices have two simple missions: one, locate and infect their brethren with the same malware; and two, launch an attack when ordered to by the botnet's command-and-control server.
Accomplishing these two missions is made easy by the openness of the internet. The global BGP routing table, which is what stitches all those networks together into the internet, grants reachability to any and all comers. The same routing table that lets you reach your crossword puzzle also lets your new printer get infected from someplace in southeast Asia, before it finds another printer in Europe to contaminate.
"It can't happen to me," you think, "my printer's on a private network behind my home router." Never mind the fact that your home router may also be infected; many Things use Universal Plug and Play (UPnP) to ask your home router to forward a port on its public IP address to them, and the router does so without authenticating the request, because UPnP has none. Boom. Globally reachable.
Okay, Plan B: let's put in firewall rules to block "suspicious traffic" and change the default passwords on all your Things to shut out the port-scanning script kiddies (and Mirai itself, which logs in with a short list of factory credentials). Good ideas to be sure, but your overworked, underpaid household IT staff (read: you) is going to have to spend all weekend tweaking ACLs and consulting hastily-scribbled notes when your refrigerator, toaster, DVR, bathroom scale, doorbell, et al. need to download legitimate firmware updates.
At 128 Technology, we thought about tackling this problem in a different way. The any-to-any nature of the internet is its strength, but also its weakness. A device on your network, compromised or not, that wants to send a packet halfway around the globe relies on the internet routing table to get it there, and relies on that same routing table to get the response back. (A route exists to get packets to your destination, and another route exists to get packets back to you.) However, if we look at the network through a session-oriented lens, we can express routes differently.
Session-oriented routing lets packets travel to their destination (provided there's a route), but the reverse route, the one that lets packets get back to the requester, does not exist unless and until a session has been initiated in the intended direction, and it exists only for that session.
Let's get back to your printer. It still has its UPnP mapping on your router's public IP address, and it reaches out to its manufacturer's website to download the newest firmware package. The website dutifully sends back the requested image to your printer. This "session" was initiated by your printer, and a route exists for the printer to get anywhere it wants or needs to go. For the duration of this session, the manufacturer's website (and only that website, on that connection) has a route back to your printer with the firmware image.
Once this session is over, the route from the manufacturer's website back to your printer simply doesn't exist anymore. Your printer is safe and sound, unreachable by Mirai bots scanning for new victims, or by anyone else. (What this does not do, by itself, is stop a Thing that is already infected from calling out to its command server: an outbound session it opens looks the same to the router as the firmware download did.)
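To make the difference concrete, here is a small model of the two behaviours described above: a router that keeps a static UPnP port mapping, and one that only ever has session-scoped reverse routes. This is an added example written for this post, not 128 Technology's code or a description of its product; the addresses, ports, the 30-second idle timeout and the packets themselves are constructed for illustration, and NAT address rewriting is left out so packets are addressed to the LAN host directly.

```python
"""Toy model of session-scoped reverse routes versus a standing UPnP port mapping.
Added example, not 128 Technology's implementation. All addresses, ports and
timeouts are assumed values for illustration; NAT address rewriting is omitted."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed home network behind the router


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    fin: bool = False  # models the session ending (a TCP FIN / close)


class SessionRouter:
    """Forwards anything the LAN initiates and records a session for it.
    Inbound packets are forwarded only if they are the reverse of a live session."""

    IDLE_TIMEOUT = 30.0  # seconds without traffic before a session is forgotten (assumed)

    def __init__(self):
        # (proto, lan_ip, lan_port, wan_ip, wan_port) -> time last seen
        self.sessions = {}

    @staticmethod
    def _from_lan(pkt):
        return ip_address(pkt.src_ip) in LAN

    def forward(self, pkt, now):
        """Return True if the packet is forwarded, False if it is dropped."""
        if self._from_lan(pkt):
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if pkt.fin:
                self.sessions.pop(key, None)  # session over: its reverse route disappears
            else:
                self.sessions[key] = now      # create or refresh the session
            return True
        # Inbound: the packet must be the reply half of an existing session.
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        last_seen = self.sessions.get(key)
        if last_seen is None or now - last_seen > self.IDLE_TIMEOUT:
            self.sessions.pop(key, None)
            return False                      # no live session, so no route back in
        if pkt.fin:
            self.sessions.pop(key, None)
        else:
            self.sessions[key] = now
        return True


class UPnPRouter(SessionRouter):
    """The same router after a Thing has used UPnP AddPortMapping on it.
    The mapping is a standing inbound route that ignores session state."""

    def __init__(self):
        super().__init__()
        self.port_map = {}  # (proto, external_port) -> (internal_ip, internal_port)

    def add_port_mapping(self, proto, external_port, internal_ip, internal_port):
        self.port_map[(proto, external_port)] = (internal_ip, internal_port)

    def forward(self, pkt, now):
        if not self._from_lan(pkt) and (pkt.proto, pkt.dst_port) in self.port_map:
            return True  # anyone on the internet reaches the mapped Thing
        return super().forward(pkt, now)


def run_scenario(router):
    """Replay the printer/firmware story plus an unsolicited probe.
    Returns which packets the router forwarded, keyed by step name."""
    printer, vendor, scanner = "192.168.1.20", "203.0.113.10", "198.51.100.77"
    steps = [
        ("firmware_request", Packet(printer, 51000, vendor, 443), 0.0),            # printer asks
        ("firmware_reply", Packet(vendor, 443, printer, 51000), 1.0),              # image comes back
        ("session_close", Packet(printer, 51000, vendor, 443, fin=True), 2.0),     # download done
        ("reply_after_close", Packet(vendor, 443, printer, 51000), 3.0),           # vendor tries again
        ("second_request", Packet(printer, 51001, vendor, 443), 10.0),             # new session
        ("reply_after_idle_timeout", Packet(vendor, 443, printer, 51001), 50.0),   # 40 s of silence
        ("telnet_probe", Packet(scanner, 40000, printer, 23), 60.0),               # Mirai-style scan
    ]
    return {name: router.forward(pkt, now) for name, pkt, now in steps}


if __name__ == "__main__":
    print("session-oriented:", run_scenario(SessionRouter()))
    holed = UPnPRouter()
    holed.add_port_mapping("tcp", 23, "192.168.1.20", 23)  # the printer punched a hole
    print("with UPnP mapping:", run_scenario(holed))
```

Both routers forward the printer's request and the manufacturer's reply. The session-oriented router drops the late reply once the session has closed, drops the reply that arrives after the idle timeout, and drops the telnet probe, because none of them matches a session the printer opened. The router carrying a UPnP mapping forwards the probe on port 23 regardless of session state, which is exactly the "globally reachable" hole described earlier.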
Not only does this secure your network, it makes it simpler too: define the routes you want, instead of trying to winnow the internet's routing table down to what you need with ACLs, filters, and so on. Today. Or at least this weekend, while wearing your IT hat.