Defending Against DDoS Attacks

Episode Notes

Transcript

The Kennedy-Mighell Report

Defending Against DDoS Attacks

11/11/2016

[Music]

Intro: Web 2.0, Innovation, Trend, Collaboration, Software, Metadata… Got the world turning as fast as it can, hear how technology can help, legally speaking with two of the top legal technology experts, authors and lawyers, Dennis Kennedy and Tom Mighell. Welcome to ‘The Kennedy-Mighell Report’, here on the Legal Talk Network.

Dennis Kennedy: And welcome to Episode 179 of ‘The Kennedy-Mighell Report’. I’m Dennis Kennedy in St. Louis.

Tom Mighell: And I’m Tom Mighell in Dallas.

Dennis Kennedy: In our last episode we talked about how to start a podcast in our best advice for podcasters old and new? We had so much material that we didn’t get to all of it and we’ve actually been thinking about offering an online podcaster training course. Let us know if you might be interested in that because we think that’s something we’re going to pursue. This week we want to turn to a recent news story and the attacks on the Internet that made some popular websites difficult or impossible to access. Tom, what’s all on our agenda for this episode?

Tom Mighell: Well, Dennis, in this edition of ‘The Kennedy-Mighell Report’ we will indeed be talking about attacks, primarily those known as DDoS attacks and some practical ways to not become part of the problem.

In our second segment we’ll be talking about a hybrid approach to artificial intelligence that we’re calling lawyer in the middle, and as usual we’ll finish up with our parting shots that one tip website or observation that you can start to use the second that this podcast is over.

But first up, let’s talk about DDoS attacks in general, including a recent attempt that those of you who are listening might have experienced to some extent yourself. Before we get started, we should say that DDoS stands for Distributed Denial-of-Service and what it meant for you last week was that you might have had trouble accessing Amazon or Twitter or Netflix or CNN and hundreds — literally hundreds of other websites.

Before we can talk about how it happened I think we first need to understand what a DDoS attack is, and then we can kind of go into a little bit more after that, and once again, Dennis, I have positioned it so that you have to go first and provide a definition for us. So tell us what is a DDoS attack?

Dennis Kennedy: Well, I think that the typical way of explaining DDoS attacks is to first break it down and to just do describe the DoS attack, so denial-of-service attack, and then we’ll talk about what distributed means. So the denial-of-service attack is really this notion that if you flood a website with enough traffic you can overwhelm it. So think about you are going to a parking garage for a football game or something and everybody wants to go in the same entrance, basically you can cause such a jam-up that nobody can get into that parking garage. So that’s sort of the simple analogy of the denial-of-service attack. And we’ll get into how these things work and how you combat them, but in the denial of — the standard denial-of-service attack it’s coming from one computer or one IP address, and so the important thing to keep in mind but it’s this flood of traffic that just keeps the good traffic and the bad traffic basically drives a good traffic out.

What “distributed” means is that instead of coming from one computer, one device, one IP address, there’s a whole set of IP addresses and devices that this is coming from and so that ramps up the volume of the traffic substantially, you know, it just multiplies it and then it makes it really impossible to block, you know, the traffic from a certain computer or device or IP address because it’s coming from all over the places, and so these attacks can be quite overwhelming.

So “distributed” means it is coming from multiple computers and just the denial-of-service typically means it’s coming from one computer or IP address. So the ones that we are experiencing and the ones that cause most problems are the distributed ones because that generates just staggering amounts of traffic on a side. So Tom, how’s that for a definition?

Tom Mighell: I think that’s a good definition and I’m not really going to add to it other than to say that what’s interesting about a, both a DOS and a DDoS attack but we are mostly going to be talking about the distributed version today is that on the one hand it’s not very sophisticated, I mean, it’s just thrown a lot of stuff at a website with spam traffic that legitimate users can’t get through, but in able to do it in such a way that it either shuts the site down or really makes it a problem for the public to access it, it is kind of sophisticated because it requires a lot of planning and a good structure to do that and the way that these attacks usually occur is, you know, there aren’t enough bad guy computers out there to do something like this on their own and so what they do is they create what are you probably heard of before as a botnet and they go and enslave devices or in this case devices but sometimes when in the past we’ve talked about botnets really being computers that people have taken over vulnerable computers and have harnessed the computing power of that device in order to do their bidding.

(00:05:21)

And so, essentially in this case and the attack that came out on October 21, it was known as the Mirai botnet. It was a number of devices that not computers but actual devices that were connected to the Internet and there were quite a large number of them that were enslaved and were basically instructed to start throwing themselves at those individual — actually it wasn’t at the websites, it was at the backbone server the company that provides service to all of these hundreds of websites which in turn had been affected as well on those particular websites.

So that’s I think the basics for how it happened, do we want to maybe go into a little bit more detail about kind of what was concerning about the attacks and the fact that they were attacking these devices, Dennis?

Dennis Kennedy: Yeah, I mean, a couple of things that I want to say. So we’ve talked in the past about it and we did a whole episode on Chatbots, so you hear more about bots these days, so bots is a term that gets used in a lot of different ways. So botnet is sort of classically associated as time set with these sort of groups of computers or other devices that somebody else generally through malware has under their control and then they can launch these attacks of — so you sometimes think, oh, they’re going to infect my computer with a virus, or who would care about little old me and my computer, why would they want to put malware on it, it’s because they can use your machine to do something else.

And then also I think it’s worthwhile to say why in a world would somebody do this? And so, the denial-of-service attacks go back many, many years on the Internet and so it’s one of these things where you would say, can I take a site down, I am mad at somebody, that sort of thing. You may also do it where you’re trying to extort money from people so you take their site — their site becomes inaccessible at an important time to somebody or you can’t do transactions and then you say, we’ll stop the attack once you pay us or you do something like that.

So that’s typically what’s going on. It could be the precursor of some other attacks as well. Definitely if you have a DDoS attack going on and you find out about it then you’re probably more vulnerable to social engineering as people call you and try to help you and all those sorts of things. So you have to watch that.

So I think what was concerning about this one and there were several things was that this came from totally unexpected places and it’s a precursor of what’s coming with the Internet of Things, but from my reading of it, I think most of the attacks was actually coming from video cameras which is example of saying anything that’s connected to the Internet can be a threat vector because it can reach out and can be controlled, and I think the most important and concerning aspect is this was — I guess there are two things. So one it was directed at the backbone and got some really major sites, but almost all the problem was caused because people were using default passwords that they hadn’t changed.

Tom Mighell: And I think that what I’ve read about the attacks is, you are right, webcams were a big part of it, I’ve also heard that DVRs were also part of it in the past and an unknown to what extent it was and currently for this particular attack. But there are a lot of routers out there also who had been in slay because they come out of the box with a default password that people don’t change, and so you’re right, these devices are what they share in common is that they’re attached to the Internet, they only had those default passwords. Some of these devices have what they call hard-coded usernames and passwords, which means they are passwords that actually can’t change because they’re literally built into the system itself.

Now we’ve talked, and Dennis has already mentioned the fact that we were talking about the Internet of Things being a part of this and when we’ve talked about the Internet of Things in the past we’ve talked about things like the Nest Thermostat or your smart light bulbs or the smart door lock, the door lock you can lock when you forget to lock it and you’re happened to be around. But, I was listening and I will recommend now a podcast called ‘The Internet of Things’, podcast hosted by Stacey Higginbotham and Kevin Tofel, it’s a really great podcast for learning more about the Internet of Things and the different tools that they have. But they had the Chief Security Officer from Akamai on there who I think had a better definition.

(00:10:01)

He said that that really the devices that we’re looking at here are not really the Internet of Things, but they are things on the Internet, they are things that people would connect to the Internet and then maybe abandon them or forget that these devices were out there and that they were insecure devices.

So I think what makes the difference that we need to think about here is, what makes it vulnerable, is whether it’s got a direct connection to the Internet or it’s connected through a hub or to the cloud, and I guess, the best way to describe this is that, if a device has a port in it, like a router, there are ports that a router has in order to be able to communicate with the Internet and hackers routinely take advantage of these open ports to be able to invade and get through them. When a device, and I’ll use the Nest Thermostat, because hopefully you’ve heard about that smart thermostat before.

A device like the Nest Thermostat doesn’t work in the same way, it doesn’t have open ports, it connects actually through the cloud. So if I want to interact with it, I use the app on my phone and it connects and goes up into the cloud and connects with a server. It’s not a server itself so it’s not as vulnerable to an attack as say this router would be or an older DVR or as Dennis mentioned the webcams that are out there. And so, I think that that’s one difference that we want to make sure that there are some devices that really were not that vulnerable and this is what makes the differences, whether they had this open connection to the Internet and some devices do and some don’t.

Dennis Kennedy: And you touched on something too that I think is probably more technical than we want to go into this podcast, but there are several different types of DDoS attacks or some attack ports, some attack applications, some just attacked the site itself in its very simple terms. So somebody who is more technical is going to say, wow, you were super vague and not totally accurate about that, but it will give you an idea that there are different things that can be happening.

As we were working on this, you know, that I’ve just got crazy over this DDoS map which sort of shows the different attacks going on, on a world map it’s from — it’s called the Norse Attack Map which is map. HYPERLINK “http://www.norsecorp.com” norsecorp.com and you see a map of the world that you see these attacks in these radiating circles and it looks like laser beams going from around the world, you can see where attacks are happening from not in the US right now as I am looking, sometimes from china, but typically the attacks come from inside the US and from China are probably the most common attacks.

So I think if you just take a look at this map you get a sense of how much of this stuff is going on, and so — sorry Tom, I can’t just stop looking at this map, so maybe we should talk a little bit about the different types of ways that you defend from these attacks and it’s sort of worth — to me it’s sort of as you step through and think about what’s happening you see conceptually what you want to do and how just pure volume kind of overrides a lot of the defenses that you would think about. So you might think like, oh, if there’s an A in a denial-of-service attack, you say there is one IP address that’s sending everything. Well, I can block that IP address, but in the distributed ones where they are coming from, you know, thousand and thousands of IP addresses, you can’t do that without really knocking out customers or a good traffic. You can say if they’re all targeting a certain — my IP address will maybe if I change the IP address or I change to a different server then I’ve been able to route around that, but conceptually those are types of things you can do, but it’s not really that easy time, I mean, I think you almost always have to if you’re under a serious denial-of-service attacks or the DDoS attack.

Tom, I think you’ve got to be prepared and have either a third-party help or have that third-party assistance already in place.

Tom Mighell: Well, I don’t know that I completely agree with that. I think that you’re right, I think that being able to change an IP address or change a server is not a realistic thing to do, but I think that the best advice that I’ve read about and when I’ve heard about is really to start focusing, I mean, if this particular DDoS attack arose out of attacking the devices that we use that are connected to the Internet then that’s where you start. You go to the devices that you use and you examine them one at a time and make some determinations about them.

Now the unfortunate thing is, it’s really hard to tell whether you have a compromised device. There’s going to be you’re going to have a list that I’m going to post on there. There’s a service called IoT Scanner that you can use to see if your devices have open ports, so you can protect against one version of a DDoS attack.

(00:15:09)

There are lists of devices that are popular host for this type of malware, so you can check your device against that as well; but, if you find out that you have a device that has hard-coded usernames and passwords really the advice that I’m seeing most often is, “get rid of it”, “burn it”, “it’s not useful”. Even in those cases where you might be able to wipe the malware off the device, because that’s usually what happens is they inject some sort of malware into these — the webcam or the DVR. Even if you’re able to remove it, the fact that these bots are out there, they’re scanning so fast, the thinking is, is that you’re going to get it back on to that device as soon as possible.

And so what you really want to do is to have a device that meets a couple of qualification. So one, not have a hard-coded password. You want to make sure that it’s something that once you set it up or as you’re setting up, it forces you to change the password. It doesn’t give you the option; it doesn’t say if you’d like to keep admin as your password, you can do that. So you have to change the password. There have to be over the air updates. One of the things that makes these current smart devices and IoT devices better is that they receive updates over the air and they’re constantly being updated. The router that I used to use all the time didn’t have that. I had to force a firmware update and I have to go in and do that whenever I thought about it.

So make sure that it offers those over-the-air updates, and then also has regular security patches because even though we might think that some of these devices are not as vulnerable, you never know when the hackers are going to find a way to get through to some of these devices. So I think that the best defense is starting or maybe we will say that it’s a good offense, making sure that the devices you have are as secure as you can possibly make them.

Dennis Kennedy: Yeah, and I think there’s two parts of — two aspects of the defense. So one is, if I’m thinking about my website and how I protect it from DDoS attacks, part of it is that I may not even notice it, like how often do we check our own websites to know whether anybody is getting through to it? You are probably going to notice it on an eCommerce site, because you’re not getting transactions, and that’s where you may start to avail yourself of the different types of services out there. And then the other key part is, I think you do not want to become part of a botnet yourself, where it’s your camera, your computer, your router that’s part of a big attack that’s where you are going like, I don’t know why I can’t get the Netflix and really your own stuff is part of the problem.

So I think Tom’s comments there definitely makes sense. I’ve also seen things recently saying that just getting a new router every couple of years is really important. So I don’t know how old most people’s routers are that came with their Internet Service in their house and how often that firmware gets upgraded or any kind of update or whether people even know what the passwords on them are anymore. So there’s just a bunch of things out there that you need to be concerned about, and I just think the more you can do not to be part of the problem, becomes one of the best things you could do and then realizing that you’re under attack, it’s probably something you are going to find out some way unless somebody is going to let you know that unless you’re doing some kind of monitoring or regular testing. And I think it just becomes also on an eCommerce site it’s going to become part of your security audit is to say, what are the things that are out there?

Certainly, Tom, that’s what I had in mind. I think this is a really great topic that people need to know about has affected us, it’s kind of like an area of security, not everybody thinks that much about, but do we think there’s more DDoS attacks to come?

Tom Mighell: Oh certainly, I mean just after this whole Mirai botnet came out the people that were responsible for released the source code into the public, which I think all that guarantees that other attacks are going to come and I think that they are still happening around the world. Even though the major attack that many of us may have experienced is over, you’re certainly showing from that Norse website that denial-of-service attacks are happening, whether those are related to the Mirai botnet or different is not clear.

But, I think that that’s the nature of the DDoS world. I think that they are always trying to find new ways and better ways, but if you think about the fact at how far things have evolved from just this plain old denial-of-service attack, they continue to evolve and security continues to evolve to meet it. And so I’ve already read a number of articles about companies that are developing protections that are coming.

(00:19:59)

And that there’s one guy who has posted a prototype for a competing botnet that can essentially inoculate a Mirai botnet to do it. And so, I think that having it out there also spurs the good guys trying to find out the right ways to deal with it.

So I’m encouraged, I think that we individually need to play our part to make sure that we’re making smart decisions about the devices that we use and are protecting our things appropriately, but I think that I don’t think it’s a Chicken Little – The Sky is Falling type thing. I think we just need to be careful and trust that the people who are trying to look out for us are continuing to do a good job about that.

Dennis Kennedy: Once again, and security is the notion of layers so you have different layers of protection out there. And I think that, again, broadly and generally speaking in the DDoS world, you’re talking about a cloud service that kind of protects your servers and provides filtering and a layer of protection.

So that’s the one side, the other thing that’s really interesting about this and how this evolves time is what I will call, Botnets-as-a-Service or DDoS-as-a-Service. So apparently, with some of these botnets — so whatever thousands of computers or devices that you can launch these things from, you can buy time to use them, for like $200. So if you want to launch a DDoS attack of your own, because you’re mad at somebody, for $200 you can get the ability to use one of these botnets sitting out there to launch your attack. So never underestimate how clever people could be out there.

Tom Mighell: It does not surprise me one bit that profit is a significant motive of things like this.

Dennis Kennedy: All right, before we move on to our next segment, let’s take a quick break for a message from our sponsor.

[Music]

Advertiser: Looking for a process server you can trust, ServeNow.com is a nationwide network of local prescreened process servers. ServeNow works with the most professional process servers in the industry, connecting your firm with process servers who embrace technology, have experience with high volume serves and understand the litigation process and rules of properly effectuating service. Find a prescreened process server today, visit  HYPERLINK “http://www.servenow.com/”www.servenow.com.

Tom Mighell: And now, let’s get back to ‘The Kennedy-Mighell Report’. I am Tom Mighell.

Dennis Kennedy: And I am Dennis Kennedy. There has been a lot of discussion about Artificial Intelligence and lawyers lately, including a podcast we did earlier this year. Much of the talk tell us to go toward the extremes. Will lawyers be replaced by AI soon? And the question is really easy to answer dismissively. I mean, AI is not going to replace lawyers for a long time if ever, but that’s actually to me not even an interesting AI question.

So there’s an AI concept called Human-in-the-Middle and we want to adapt that to lawyers and AI and refer to Lawyer-in-the-Middle as a concept. So Tom, you put the definition burden on me in the first segment, so I’m turning the table, what do we mean by Lawyer-in-the-Middle?

Tom Mighell: Well, I’m expecting you fully to tell us that, because I’m getting the sense that our B segment is becoming about topics that I — that are out there that I just like the average lawyer have trouble wrapping my head around. So here’s the best way that I can describe it, and then, Dennis, I’m going to need for you to take the ball and run with it and actually do a good job of describing it. The way that I understand Lawyer-in-the-Middle is not relying upon AI to do the whole job, but make sure that there’s a lawyer present to guide the process.

And so, if you think of a lawyer actually standing in between an artificially intelligent agent on both sides of it, so that an artificially intelligent agent is providing feedback and data to the lawyer so that the lawyer can make decisions to provide orders or commands to another AI agent, so that that AI agent can then go out and do things that helps to, I guess, continue to keep humans within the process, but make it not just a purely artificially intelligent activity that goes on.

So that’s as far as I get in the process, Dennis, I need for you to bring it home and to explain not only what I meant when I said that, but also why lawyers need to care about this.

Dennis Kennedy: Well, I think that for lawyers who are partners in firms, you think it is the infinite associate pool, so that the associates never wear out, so you can have them do stuff for you and work with you, but it’s sort of all kidding aside. I think this is a really important notion, because as I said, people are going like, well, is AI going to replace lawyers? I think that the answer is, AI is always going to augment humans and then we’re going to look at the tasks that we could do, and Tom, I think you put it kind of perfectly, is that we need to have the human or the lawyer in the middle to say, okay, so how do we direct the input that we’re getting from the intelligence.

(00:25:10)

And then also say, okay, now the output needs to go to these other things where the next action or analytics need to occur, and then the feedback has to be interpreted by the lawyer in the middle. And so I think that if you start to say I looked at the notion of augmentation of what lawyers do of figuring out what tasks are most appropriate for lawyers to do, what tasks are most appropriate for computers or machines or software to do, then I think the whole area of artificial intelligence gets really interesting. And it goes back to one of my favorite lawyer topics is like what is it that lawyers really do well and what does it make sense for lawyers like us to keep doing and what does it make sense for the computers to do for us. And so this is a really interesting concept, the Human-in-the Middle thing has started to become — you see it more often, certain sense, with the IBM’s Watson with the chess programs and stuff like that, where it’s the combination of artificial intelligence plus the human that is where the most interesting things are happening.

So that’s what I have Tom, but I think it’s now time for our Parting Shots, that one tip, website, or observation you can use the second this podcast ends. Tom, you want to get it away?

Tom Mighell: I will take it away and back onto more familiar 26:33 for me. So my Parting Shot this episode is called 60DB. It’s an app, it’s right now only out for iOS users, but I’m sort of hoping that they also come up with something for Android. And it’s a podcast app; it’s a podcast app that the best way to describe it is, it’s a little bit like having Flipboard.

If any of you used to the Flipboard app, it’s like Spotify Discover. There’s a playlist in Spotify that tries to bring you new content all the time, but it’s both of those together in a podcast app. And what it aims to provide you with is short form podcast. Podcast of 10 minutes or less that you can listen to in bits and pieces on any subject that you’d like, and it tries to learn from you. So that as you choose things to listen to, I don’t know that you can subscribe to anything, it’s kind of just providing you with things, but it will increasingly get better and better and smarter about serving you the kinds of stories that you want. I’m intrigued by this because you know sort of a teaser, Dennis and I are thinking about bringing more of a short-form podcast to you listeners in the future. And I like the idea of being able to kind of see what others are doing with the format and it seems like the 60DB app is the perfect way to do that, it’s right now in the iOS App Store.

Dennis Kennedy: So it sounds like podcast listener in the middle is well 27:50. So I feel like I’m doing like the two Parting Shots on a regular basis now Tom, but just a really quick one, so, you and I are both involved in Law Technology Today, and the Board of Legal Technology Resource Center, the ABA has been doing roundtable on a monthly basis and they have collected them all in one easy to find URL which is going to be www.lawtechnologytoday.org/category/roundtables. And so, we’ve been doing these for more than a year, and so a great group of people answered questions in roundtable format, so totally worth checking out.

And then the other thing Tom I want to recommend to you specifically as well because we’ve been talking about how we want to do more automation, and so one of the places you look is the workflow app in iOS. And so, there’s a podcast I’ve liked that talks about how you can do really practical things in the iOS environment. So they did the first one on an app called workflow, which we’ve talked about before. It’s called the Basics, they are going to do a couple of these. It’s Episode 22. And it’s technical, but if you’re interested in learning how to use this automation tool to do things, this I think is the tutorial that really made sense for me.

I want to listen to it while you are riding your bike as I did it. It’s probably best to listen to it while you’re actually trying to do something, but at the end of this podcast you will figure out a way to automate a way of entering text in English and translate into Italian. So there’s like a way to accomplish something and they walk through the basics of the workflow app and I guess that was a really good podcast and I’m looking forward to the rest of the series.

Tom Mighell: Well Dennis has talked about the canvas podcast before I highly recommend it, just for those of you who use iOS. It’s a great podcast to listen to and I will also highly recommend the workflow app. I’ve used it, I don’t use it as much as I probably could or should, but it is I think a very powerful way of getting things done in the iOS world. So that wraps it up for this edition of The Kennedy-Mighell Report. Thanks for joining us on the podcast. You can find show notes for this episode at  HYPERLINK “http://www.tkmreport.com” tkmreport.com.

(00:30:08)

If you like what you hear, please subscribe to our podcast in iTunes or on the Legal Talk Network site, where you can find archives of all of our previous podcasts.

If you would like to get in touch with us, please email us at  HYPERLINK “mailto:[email protected]” [email protected] or send us a tweet. I am @TomMighell and Dennis is @denniskennedy. So until the next podcast, I am Tom Mighell.

Dennis Kennedy: And I am Dennis Kennedy, and you have been listening to The Kennedy-Mighell Report, a podcast on legal technology with an Internet focus. Help us out by telling a couple of your friends and colleagues about the podcast.

Outro: Thanks for listening to The Kennedy-Mighell Report. Check out Dennis and Tom’s book, ‘The Lawyer’s Guide to Collaboration Tools and Technologies: Smart Ways to Work Together’ from ABA Books or Amazon, and join us every other week for another edition of The Kennedy-Mighell Report, only on the Legal Talk Network.

[Music]