Dyn DDoS Attack Highlights 'Dark Side' of Tech-Dependent Society

Nineteen months ago, the New Hampshire state website experienced the same kind of attack as the one that hit the Manchester company.

by Shawne K. Wickham / October 24, 2016

(TNS) -- When Denis Goulet heard about the cyberattack on Dyn Friday morning, the first thing he did was log onto the state website to make sure it was up and running. It was.

Goulet is commissioner and CIO for the state Department of Information Technology. Nineteen months ago, the state's nh.gov website experienced the same kind of attack as the one that hit the Manchester company.

"They were essentially targeting state governments," he said. "So a lot of states got their websites taken down."

This kind of cyberattack -- called a distributed denial-of-service or DDoS -- isn't about stealing data, Goulet said. "It's an annoyance, basically," he said.

He likens it to the tactic labor activists in France used to clog highways by lining up slow-moving trucks across all lanes of traffic.

"The perpetrators of the DDOS attack try to generate enough activity focused on their victims such that it's keeping the system so nothing else can happen," Goulet explained. "Or other things can happen, but they happen extremely slowly -- so slowly it's not useful."

James Ramsay is the coordinator of the new Homeland Security program at the University of New Hampshire and a professor of security studies. He said these kinds of attacks reflect the "dark side" of our technology-dependent society.

"This is the 'advanced persistent threat' that we refer to in the world of cyber security," he said. "This is a vulnerabilty that a society has that has become addicted to, and absolutely dependent on, digital communications, digital assets, digital identities."

Ramsay is philosophical about it. "The bottom line for me and you is that it's an inconvenient component to real life," he said. "It doesn't mean the internet is crashing. It doesn't mean that anyone's invading us.

"It means that this is yet another in a long series of examples ... of people just doing bad things because they want to. They may not even have a real agenda."

To Ramsay, it's clear that those behind the Dyn attack were professionals: "because Dyn is a world-class organization, and they're not easy to hit, and the attack was large."

A DDoS attack is a very common way for so-called "hacktivists" or "cyber warriors" from hostile organizations or governments to make a point, he said, "and to literally flood servers with so much information that they can't do their jobs."

He likens it to "putting 10 pounds of garbage in a 5-pound bag; it can't be done."

And as a major domain name system (DNS) service provider ("that's basically the phone book," Ramsay explains), Dyn is an attractive target, he said.

"At the end of the day, it's going to take some real forensic investigation on the part of Dyn, probably the FBI, and maybe even other players that we'll never know, to look at the threat vectors and how they broke in, and the kinds of vulnerabilities that were exploited," he said.

The DDoS attack on the state website in March, 2015, lasted a couple of hours, Goulet said. "It caused enough traffic on the internet that you couldn't access our website."

Such an attack doesn't just affect the targeted site, he explained; it slows traffic for lots of others as well. So in response, Goulet contacted the state's internet provider, which stopped accepting traffic targeted at nh.gov - "which immediately helped everybody but us."

Goulet said the attack ended fairly quickly. And after that incident, the state IT department strengthened its capabilities. But he said it's difficult to protect against future DDoS attacks.

It's like anti-virus programs you have on your home computer, he said: "They'll protect you against any virus we already know about, but it's not going to protect you against the new ones they created specifically to circumvent those protections."

Investigators may learn who attacked Dyn, Goulet said. A hacker group calling itself Vikingdom took credit for the DDoS attacks on New Hampshire and other government entities in 2015.

"There was no purpose to it," Goulet said. "They weren't trying to steal information, just showing that they could, basically."

Indeed, Vikingdom2015 posted this message online back then: "We will knock all American governments' websites offline. We do not care if we get caught. We all like doing this."

But such attacks could have more malicious purposes, Goulet said, such as bringing down services that are critical.

There are "bad actors," he said, "who actually want to have some influence, whether it's economic or political or both."

And he said, "Those are the more scary actors, because they do have a purpose that's more nefarious than just an annoyance."

Goulet wouldn't speculate on whether the Dyn attack could have been carried out by a foreign government. "But we do know that foreign governments are involved in cyber activities for their own purposes," he said. "And they spend significant resources doing so."

Ramsay compares it to a kind of Cold War, "in the sense that people aren't really declaring a war but we're actually making people lose money, we're interrupting services, and people's lives could be put at risk sometimes, if you interrupt services for airplanes or for ambulances or stop-and-go lights in a big city."

The state Department of Information Technology homepage notes that October is National Cybersecurity Awareness Month.

And what happened to Dyn is a timely reminder for New Hampshire consumers, Commissioner Goulet said.

"Dyn spent a lot of money and effort to protect their network, and they were still victimized," he said. "So it shows us that we need to be continuously vigilant."

Among state chief information officers, Goulet said cybersecurity typically ranks in the top three issues of concern. "It's a big deal for us," he said. "We think about it every day."

Does he ever lose sleep over it? "Yes," he said with a laugh.

But he added, "If we're losing sleep, it's often not theoretical sleep; it's practical sleep, where we're managing something in the middle of the night."

Ramsay said for experts, the real challenge is making sure businesses and governments are resilient in the face of such cyber attacks.

At the end of the day, he said, "This shows you the quality of a company like Dyn, where they can experience it, they can send out a communique, they can get it back up and running, and all these people experiencing service outages are no worse for the wear just after lunchtime," he said.

©2016 The New Hampshire Union Leader (Manchester, N.H.) Distributed by Tribune Content Agency, LLC.