Q&A: Protection from DDoS Attacks

Nov 10 2016
By B. Rose Kelly
Source: Woodrow Wilson School

In October a global distributed denial of service (DDoS) attack caused Twitter to temporarily go dark. Hackers have attempted similar DDoS attacks on Hillary Clinton's and President-Elect Donald Trump's campaign websites.

What makes these attacks so alarming, and how can they be stopped? In this Q&A, Princeton University’s David Dobkin describes the details behind DDoS attacks and how consumers can better protect themselves against such cyber threats.

Dobkin, the Phillip Y. Goldman '86 Professor in Computer Science, will be a panelist at the Princeton-Fung Global Forum, “Society 3.0+: Can Liberty Survive the Digital Age?” in the session on “New Platforms of Control (or Someone to Watch over Me).”

Q. Malware named Mirai that builds botnets—networks of private computers infected with malicious software—out of Internet of Things (IoT) devices is partly responsible for the recent DDoS attack. Can you explain the details of this and how this happened?

Dobkin: In general, IoT devices do not have good security. Many people keep the factory-created passwords that are then widely knowable. Encryption is often very weak. Once a piece of malware gets access to one device on the internet, it can find its way to many and organize them into a massive botnet.

Q. The infrastructure used in the October attack was partially made up of cameras and other digital devices that connect to the internet. How did the hackers manipulate these?

Dobkin: Once devices are identified, it is possible to get them all “reporting” to a central command. This command then can launch a DDoS attack. The attack can soak up enough bandwidth to clog the bandwidth to or from a site, making it inaccessible.
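The attack Dobkin describes is volumetric and distributed: many compromised devices each send a modest amount of traffic toward one destination until the link fills. The following is an added example, not part of the interview, showing how a defender might spot that pattern in flow records. The records, field layout, thresholds and addresses are constructed for illustration; a real deployment would feed it NetFlow or sFlow data and tune the thresholds to the link's capacity.

```python
"""Flag per-second windows in which one destination receives flood-scale
traffic from many distinct sources (a distributed flood), as opposed to
one heavy talker.  Added example with constructed data; not from the
interview or any real capture."""
from collections import defaultdict

# Constructed flow records: (timestamp_sec, src_ip, dst_ip, bytes).
# Seconds 0-1 are ordinary traffic; seconds 2-3 are a flood from 60 sources.
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 1200),
    (0, "10.0.0.7", "203.0.113.10", 800),
    (1, "10.0.0.5", "203.0.113.10", 1500),
    (1, "10.0.0.9", "203.0.113.10", 600),
] + [
    (t, f"198.51.100.{i}", "203.0.113.10", 64_000)
    for t in (2, 3)
    for i in range(1, 61)
]


def flood_windows(flows, bytes_per_sec=1_000_000, min_sources=20):
    """Return (second, dst, total_bytes, distinct_sources) for each
    one-second window that exceeds BOTH a byte-rate threshold and a
    distinct-source threshold.  Requiring many sources is what separates
    a botnet flood from a single misbehaving client or a large download.
    Thresholds are illustrative assumptions."""
    per_window = defaultdict(lambda: {"bytes": 0, "srcs": set()})
    for ts, src, dst, nbytes in flows:
        bucket = per_window[(ts, dst)]
        bucket["bytes"] += nbytes
        bucket["srcs"].add(src)

    alerts = []
    for (ts, dst), b in sorted(per_window.items()):
        if b["bytes"] >= bytes_per_sec and len(b["srcs"]) >= min_sources:
            alerts.append((ts, dst, b["bytes"], len(b["srcs"])))
    return alerts


if __name__ == "__main__":
    for ts, dst, total, nsrc in flood_windows(FLOWS):
        print(f"t={ts}s dst={dst} bytes={total} sources={nsrc}")
```

With the constructed data, seconds 2 and 3 are flagged (60 sources, 3,840,000 bytes each), while the normal seconds are not. A single source pushing ten megabytes in one second is deliberately not flagged by this rule: that is a different condition (and easier to block at one address) than the distributed case the interview is about.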

Q. The October DDoS attack targeted Dyn, a large domain name server that hosts popular websites like Netflix, Twitter, Spotify and Reddit. Why are these all on the same server? Is there a safer alternative?

Dobkin: Probably not. If it hadn't been there, it would have been elsewhere or a collection of DNS servers.

Q. DDoS attacks and botnets aren’t new, but this attack was different. Can you explain why?

Dobkin: Many previous attacks have used personal computers to build a botnet. While this is hardly the first attack to use IoT devices, it does point to a new direction. These devices tend to have lower security and be more ubiquitous.

Q. Is there any way to distribute a software patch to the devices to prevent this type of attack in the future? Or is there a way to stop the attack at a higher level if the devices themselves cannot be patched?

Dobkin: This isn't strictly a matter of a software patch. I suspect that all of us have devices where we have not bothered to change the factory-installed username and password, which makes those devices at risk. If there are millions of those devices out there, this makes the problem harder. It is unfortunately a game of cops and robbers where the bad guys have a large edge.

Q. Is there anything that people can do to find out if their devices are vulnerable, and is there anything users can do to secure them?

Dobkin: Make sure that each of your devices has a non-obvious password. That would be a good start. Make sure that each of your devices has a different password. This is, of course, unpleasant but it raises your security. It is also reasonable to think about each new device you might use and whether it will add extra risk.
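Dobkin's advice amounts to three checks per device: the credential is not a factory default, the password is not shared with another device, and it is not trivially short. The following is an added example, not from the interview, that runs those checks over a device inventory. The inventory and the list of default credentials are constructed for illustration; a real audit should use the vendor's documented defaults and a full wordlist of credentials botnets are known to try.

```python
"""Audit an inventory of IoT devices for factory-default, reused and
short passwords.  Added example with constructed data; not from the
interview.  DEFAULT_CREDS is a small illustrative list, not a complete
wordlist."""
from collections import defaultdict

# Constructed sample of common vendor-default credentials (illustrative).
DEFAULT_CREDS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"),
    ("admin", ""), ("root", "root"), ("root", "12345"),
    ("root", "admin"), ("user", "user"), ("support", "support"),
}

# Constructed inventory: device name -> (username, password).
INVENTORY = {
    "front-door-camera": ("admin", "admin"),
    "kitchen-bulb-hub": ("root", "12345"),
    "nas": ("alice", "Tr0ub4dor&3!xyz"),
    "printer": ("alice", "Tr0ub4dor&3!xyz"),
    "router": ("admin", "correct horse battery staple"),
}


def audit(inventory, defaults=DEFAULT_CREDS, min_len=12):
    """Return {device: [findings]} for every device with a problem.

    Findings, in the order they are recorded:
      'default' - username/password pair is a known factory default
      'short'   - password shorter than min_len characters
      'reused'  - the same password is configured on another device
    Devices with no findings are omitted.  min_len is an assumption."""
    findings = defaultdict(list)
    devices_by_password = defaultdict(list)

    for device, (user, password) in inventory.items():
        devices_by_password[password].append(device)
        if (user, password) in defaults:
            findings[device].append("default")
        if len(password) < min_len:
            findings[device].append("short")

    # A password that appears on two or more devices is reported on each,
    # since compromising one device then hands the attacker the others.
    for password, devices in devices_by_password.items():
        if len(devices) > 1:
            for device in devices:
                findings[device].append("reused")

    return dict(findings)


if __name__ == "__main__":
    for device, problems in sorted(audit(INVENTORY).items()):
        print(f"{device}: {', '.join(problems)}")
```

On the constructed inventory the camera and bulb hub are flagged as default and short, the NAS and printer are flagged only for sharing a password, and the router passes. The reuse check is the one most people skip; it is cheap to run from an inventory and catches exactly the "same password everywhere" habit the answer warns about.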

Q. We are seeing more devices proposed for web access from self-driving cars to delivery drones to lightbulbs and crockpots. Should we be concerned about these systems' security? What, if any, steps are being taken to secure them?

Dobkin: This is a hard question. Self-driving cars may be safer because they are sold for more money and so more effort can be expended to enhance security. That said, we’re starting to see reports about compromising lightbulbs (Philips Hue light bulbs in particular). This particular attack, if successful, would be almost completely untraceable since the light bulbs would spread the malware based on proximity. It seems to have the ability to turn out all of the lights in a city the size of Paris.

John Sullivan from Engineering Communications assisted with this story.