On October 21st, customers of Dyn, a Domain Name System (DNS)-services provider, were targeted by a massive Distributed Denial of Service (DDoS) attack. DNS is an essential component of Internet services since it transcribes websites into numerical addresses enabling their location and identification between computer services and devices. DDoS attacks hamper this process by flooding the servers with an important level of Internet traffic, overwhelming the website and thus disabling it. In this particular case, it affected popular American companies including Twitter, Paypal, Spotify, Airbnb, CNN, the New York Times, the Wall Street Journal, Yelp and Amazon, and rendered their websites inaccessible for several hours. The first wave of the attack hit customers on the East Coast and later two additional waves of DDoS attacks helped spread the problem to the West Coast and Western Europe.
In this attack, hackers used millions of smart devices’ Internet protocols (IPs), which had previously been infected with a malicious code, in this case, Mirai. These internet-connected devices form part of what experts called the “Internet of Things” (IoT). Mirai is a botnet whose source code was recently released by its creator. Mirai scans the IoT for devices protected by default passwords and which are easily compromised and infected. Once such a device is infected, its IP can be used to target a specific website or DNS.
One of the major outcome of this attack is related to the fact that the Chinese manufactures Xiongmai Technology Co Ltd. is the producer of cameras components which have been identified as one of the main sources of the junk internet traffic. As a consequence, the company has recalled over 4 million of its internet-connected cameras, which were sold in its name. Nevertheless, it is estimated that about 95% of Xiongmai’s products are sold by retailers who use Xiongmai components in their own products. Thus, the large majority of the company’s flawed devices are still operating.
Why is it an issue for the freedom of press?
The October 21st attack is not the first of its kind. Newsweek and the BBC have both faced DDoS attacks. Furthermore, on September 20, Brian Krebs, an American journalist specialized on cybersecurity issues, who often reports on hackers, was targeted by the largest DDoS attack to date at a rate of 600 to 700 billion bits per second – almost half a percent of Internet’s entire capacity. According to Krebs, some signs indicate that the attack may have been undertaken in retaliation to his series of articles on the takedown of the DDoS-for-hire service called vDOS, which led to the arrest of two men. Cybercriminals, using DDoS attacks, have the power to severely impede the work of all journalists thus threatening the freedom of the press everywhere.
The paradox is that the incredibly dangerous DDoS attacks are quite inexpensive to conduct, although preventing them remains absurdly expensive. Before the offensive on Krebs, a firm named Akamai provided him with a free online protection service but in the face of the size of the DDoS strike, it had to throw in the towel and, with his consent, it temporarily shut down Krebs’ website until a better alternative could be arranged. Dyn similarly struggled to stem the attack. Kyle York, Dyn’s chief strategy officer, stated that the number, types, duration and complexity of recent DDoS attacks are on the rise, weakening current prevention methods.
Notably, Mirai offensives have recently been using traffic-routing services – such as Google’s Alphabet Inc – to make it impossible for companies to isolate the junk traffic from that of legitimate customers’. This trend will worsen. Indeed, the breadth of IoT devices has reached unprecedented levels. In two years, the number of such appliances has increased by 70% to reach a total of 6.4 billion. By 2020, some forecast that IoT gear will reach 20.8 billion. Krebs stated that it is “likely that we can expect such monster attacks to soon become the new norm.”
How can we prevent it?
Fortunately, a few innovative solutions have managed to circumvent the menace that DDoS attacks represent. Google has created Project Shield, which is designed to protect independent journalists from censorship by providing them with state-of-the-art server protection. It has so far been able to help Rafael Marquest de Morais, a reporter on corruption in Angola, and El Ciudadano, a Chilean newspaper involved in the promotion of socio-political reforms. Today, it also protects Mr Krebs too, even though attacks against him persist.
As it is often the case, creativity springs from constraint. Similarly, the media industry may have to resort to systems invented by citizens living in highly-censored or developing countries.
For instance, in Cuba, one of the countries with the lowest internet penetration in the world (less than 5% of the total population), some entrepreneurs have come up with the “Paquete Semanal” (or Weekly Package), which is a hard-drive containing movies, TV shows, magazines and applications, previously transferred by a person with high-speed internet and then sold to Cubans with low or no internet connection.
In the same way, in Hong Kong, an app called FireChat provides Bluetooth connected chatrooms, enabling anyone in close proximity to exchange ‘off-the-grid’ messages, to protesters who wish to circumvent government censorship and retaliation.
Whatever alternatives journalists and citizens choose, the danger of DDoS attacks remains real. The international community urgently needs to address this issue. Not only should it strengthen initiatives that protect the freedom of the press, such as Google’s Project Shield, it should also enforce stronger standards for firms producing IoT devices as well as stricter sentences against cybercriminals.