{"id":35087,"date":"2016-10-25T06:00:34","date_gmt":"2016-10-25T10:00:34","guid":{"rendered":"http:\/\/www.shamusyoung.com\/twentysidedtale\/?p=35087"},"modified":"2016-10-25T00:50:44","modified_gmt":"2016-10-25T04:50:44","slug":"reset-button-ddos-dns-hack","status":"publish","type":"post","link":"https:\/\/www.shamusyoung.com\/twentysidedtale\/?p=35087","title":{"rendered":"Reset Button: DDos DNS Hack"},"content":{"rendered":"<p><em>I have posted <a href=\"https:\/\/www.youtube.com\/watch?v=d2LEe-F47eU\">a new Reset Button video<\/a> discussing <a href=\"http:\/\/www.cnbc.com\/2016\/10\/21\/major-websites-across-east-coast-knocked-out-in-apparent-ddos-attack.html\">the recent &#8220;hack&#8221; that caused the internet to malfunction last week<\/a>. In my video, I show footage of a CNN interview where the anchor asks an expert if the DDos attack was a &#8220;hack&#8221;. That video originally appeared at previous link above, but has since been replaced with a more up-to-date video.<\/p>\n<p>In any case, here&#8217;s the Reset Button, followed by the script for all you non-video-watching types:<\/em><\/p>\n<p><table class='nomargin' cellspacing='0' width='100%' cellpadding='0' align='center' border='0'><tr><td><iframe loading=\"lazy\" width=\"1024\" height=\"576\" src=\"https:\/\/www.youtube.com\/embed\/d2LEe-F47eU\" frameborder=\"0\" allowfullscreen class=\"embed\"><\/iframe><br\/><small><a href='http:\/\/www.youtube.com\/watch?v=d2LEe-F47eU'>Link (YouTube)<\/a><\/small><\/td><\/tr><\/table><\/p>\n<p><!--more-->Last week <a href=\"http:\/\/www.cnbc.com\/2016\/10\/21\/major-websites-across-east-coast-knocked-out-in-apparent-ddos-attack.html\">the internet went down for millions of users on the East Coast of the United States<\/a>. <\/p>\n<p>And so people wanted to know&#8230;<\/p>\n<p>&#8220;Was it a hack?&#8221;<\/p>\n<p>Was it a hack? The answer to this question is tricky. Yes, it was a hack, but not in the way most people understand them. It was a DDos DNS attack, and if you don&#8217;t know what that means then I don&#8217;t blame you. It&#8217;s two different acronyms mashed together. Two different acronyms of technical jargon that &#8211; even if you knew what they meant &#8211; wouldn&#8217;t really give you a an understanding of what this problem was or what caused it.<\/p>\n<p>CNN&#8217;s expert did what he could could answer the question, but the segment was barely a minute long and that&#8217;s not enough time to really understand this problem. Sorry. Sometimes if you ask complicated questions you get complicated answers that don&#8217;t fit inside of handy soundbites. But if you want to learn what this attack was and who got hacked, then here&#8217;s a simple explanation in layperson&#8217;s terms.<\/p>\n<h3>What is a DNS DDos?<\/h3>\n<p>Just like every active telephone has a phone number associated with it, every computer system on the internet has a number. These numbers are how computers identify each other. This number is called an IP address.<\/p>\n<p>Way back in the early days of the internet &#8211; and I mean REALLY early, like before it was even called the internet &#8211; that was all we had. If you wanted to connect with a particular computer, you had to know what its IP address was. And that&#8217;s fine. If there are only a dozen computers connected you can just memorize them. But once you&#8217;ve got dozens or hundreds of servers, then you need something better.<\/p>\n<p>So we invented the domain name. Instead of memorizing this arbitrary number, you just type Facebook.com. Or Reddit.com. Or shamusyoung.com. Whatever. <\/p>\n<p>Then I hear you say, &#8220;Hang on a minute Shamus. There are literally billions of sites on the internet. My little computer can&#8217;t possibly know the IP address for every one of them.&#8221;<\/p>\n<p>Right you are, it can&#8217;t. For that we need a special kind of server called a domain name server, or DNS. This is a computer that helps your computer get those all-important numbers of the sites you&#8217;re trying to visit. So you type reddit.com, your computer asks the DNS for the IP address of Reddit.com. Then the DNS replies. Then your computer can contact Reddit. It happens in the blink of an eye, so most people aren&#8217;t even aware this is going on.<\/p>\n<p>If you&#8217;re old enough to remember the days when you&#8217;d use your rotary telephone to call for directory assistance, and then you&#8217;d give the operator a name and she&#8217;d give you the phone number of the person you were looking for, then this is the same idea. If you&#8217;re too young to remember it in those terms, then think of it like I dunno, space magic or something.<\/p>\n<p>So what happens is you type facebook.com into your web browser, and then your computer sends a message to your DNS and asks for the number for Facebook. The DNS replies with the proper IP address. Then your computer contacts the Facebook server and you can check on all those friend requests and birthday announcements and cat pictures you&#8217;ve got waiting for you.<\/p>\n<p>So now you&#8217;re thinking, ah! So the DNS got hacked, I get it.<\/p>\n<p>Except no. The hackers never took control of the DNS. To understand what they did, we need to understand the other half of this attack&#8230;<\/p>\n<h3>DDos<\/h3>\n<p>This was a Distributed Denial Of Service attack. DDos for short. How it works is this:<\/p>\n<p>Say someone is surfing the internet. Maybe it&#8217;s uncle Eddie, who&#8217;s really technically ignorant. Or maybe it&#8217;s aunt Edna, who&#8217;s way too trusting. Or maybe it&#8217;s little Timmy, who&#8217;s getting to the seedy parts of the internet where he doesn&#8217;t belong. <\/p>\n<p>In any case, this user clicks on something they really shouldn&#8217;t. A website offers to give them free money, or help them meet sexy ladies, or to clean all the &#8220;viruses&#8221; off their computer, and all they have to do is download a little program. Which is, of course, a virus. (Actually it would be better called malware in this context, but we&#8217;re trying to keep things simple, so let&#8217;s just stick with virus.)<\/p>\n<p>Maybe you&#8217;ve had something like this on your computer before. Maybe it buried you in ads, slowed down your computer, deleted your files, or tried to steal your credit card information. But the kind of virus we&#8217;re talking about today is a little different. Once installed, it doesn&#8217;t seem to do anything. You&#8217;ll probably have no idea you&#8217;ve messed up. Your computer works exactly like before. Assuming the author of the virus did their job, there won&#8217;t be any suspicious windows. No slowdowns. No scary warnings. <\/p>\n<p>Instead, the hacked computer is now quietly, in the background, communicating with a server run by a hacker. The computer will occasionally ask the server, &#8220;Hey boss, you want me to do anything?&#8221; and the server will usually reply, &#8220;Nope. You&#8217;re fine.&#8221;<\/p>\n<p>But sometimes the server will reply with an order like, &#8220;I want you to go and overwhelm Facebook.com&#8221;. And so the computer will begin pelt Facebook with meaningless requests. It doesn&#8217;t even care about the answer. The only goal is to keep Facebook busy so it can&#8217;t serve anyone else. It&#8217;s like calling someone over and over again and then hanging up, just so that if anyone else tries to call they just get a busy signal.<\/p>\n<p>Next I hear you say, &#8220;But Shamus. What can a single personal computer do to a mighty website like Facebook?&#8221;<\/p>\n<p>And you&#8217;re right. One single hacked computer is harmless. But what if there were thousands of them, all under the command of a single hacker? If the hacker tells all of the computers to flood one website at the same time, then they might, through their combined efforts, be enough to overwhelm it. <\/p>\n<p>This network of hacked computers is called a Botnet, and one of its hacked computers is called a bot. <\/p>\n<p>So to sum up: A hacker tricks thousands of people into downloading malicious software, which turns their computers into mindless slaves that combine to form a botnet, and then the hacker orders them all to overwhelm a single server to make the server unable to operate normally.<\/p>\n<p>But!<\/p>\n<p>Some sites are too big to be attacked directly in this way. Things like Facebook and Google and Reddit have massive server infrastructure that can shrug off the typical botnet and keep going. Which brings us back to the kind of attack we saw last week: A DNS DDos attack. <\/p>\n<p>Instead of attacking a giant like Amazon.com or Google, the hacker can have the bots attack that DNS we talked about earlier. Those machines aren&#8217;t generally equipped to deal with enormous traffic loads because their job, while important, is pretty lightweight. <\/p>\n<p>So if you were one of the millions of people affected by this hack, then YOUR computer was working fine, and FACEBOOK was fine, but your computer could no longer reach the DNS to find out how to reach Facebook.<\/p>\n<p>So to return to the original question:<\/p>\n<p>&#8220;Was it a hack?&#8221;<\/p>\n<p><strong>You<\/strong> weren&#8217;t hacked. The <strong>website<\/strong> you were trying to reach wasn&#8217;t hacked. The <strong>DNS<\/strong> wasn&#8217;t hacked, although it was attacked by flooding it with traffic. The people who were hacked were the tens of thousands of clueless users who failed to properly secure their computers. And these people probably have no idea they&#8217;re the source of the problem, even though their compromised machines pose a threat to the security and stability of the internet.<\/p>\n<p>So now you know what a DNS DDos attack is. How do we fight them and how do we protect against them? That&#8217;s a video for another time.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have posted a new Reset Button video discussing the recent &#8220;hack&#8221; that caused the internet to malfunction last week. In my video, I show footage of a CNN interview where the anchor asks an expert if the DDos attack was a &#8220;hack&#8221;. That video originally appeared at previous link above, but has since been [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[102],"tags":[],"class_list":["post-35087","post","type-post","status-publish","format-standard","hentry","category-weekly-column"],"_links":{"self":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts\/35087","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=35087"}],"version-history":[{"count":0,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=\/wp\/v2\/posts\/35087\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=35087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=35087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.shamusyoung.com\/twentysidedtale\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=35087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}