Millions of household IoT devices were affected by the Mirai malware on October 21st, 2016, and were then instructed to send data requests to Dyn, a widely used Domain Name System (DNS) provider that functions like a switchboard for the Internet. These requests took down more than 175,000 domains, including Twitter, PayPal, and other web giants, for several hours, affecting tens of millions of users.
But is it safe to say that the Internet has come back stronger after four years?
A team of researchers at Carnegie Mellon University CyLab has set out to answer that question with a new study that aims to give answers at this week’s Internet Measurement Conference.
“It seems that the lessons learned from the 2016 Dyn attack have only been acted upon by a handful of websites that were directly impacted,” says Aqsa Kashaf, a Ph.D. student in Electrical and Computer Engineering (ECE) and lead author of the new study.
The success of the Mirai-Dyn attack in 2016 was due to what Kashaf and her team refer to as critical dependencies. The domains affected by the Mirai-Dyn attack were completely dependent on Dyn, a third-party DNS provider.
To evaluate how websites have (or have not) changed since the 2016 attack, Kashaf and her co-authors examined 100,000 of the most popular websites as ranked by Alexa Internet, a web traffic analysis company. They examined the dependencies of those websites in 2016 and then compared them with the dependencies in 2020.
“Since the Dyn attack had such a huge impact, you would think websites would adapt as a result,” says Kashaf.
“We interpret this to mean that the most popular websites care more about availability than the less popular ones,” says Kashaf.
The researchers also looked at dependencies on two other services involved in delivering content to users online, both of which are carried out in a second when a user navigates to a website.
The same results were found: critical dependencies had changed only slightly compared to 2016, although the most prominent websites had reduced their dependencies.
Websites are not the only ones with critical dependency issues, according to the researchers. They conducted two preliminary case studies of two other sectors, hospitals and smart home companies, and found that third-party dependencies make these sectors susceptible to Mirai-Dyn-like attacks as well.
“One obvious recommendation for websites is that they should build in more resilience and redundancy when using third party services,” says Kashaf. “…and service providers need to support and encourage this redundancy. You can’t have just a single point of failure.”
As a solution, the researchers envision building a tool that would enable web administrators to easily evaluate and inspect their own website’s dependency structure, allowing them to make informed decisions when selecting new service providers.
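
The critical-dependency idea and the kind of self-assessment described above can be sketched as a check over a site's NS records. This is an added example, not the researchers' tool or code from the study; the site names and nameserver sets are constructed, and grouping nameservers into providers by hostname (including the `PROVIDER_PATTERNS` table) is a simplifying assumption.

```python
import re

# Assumption: nameserver names that span several domains but belong to one
# operator are mapped to a single provider label (Route 53 style names shown).
PROVIDER_PATTERNS = [(re.compile(r"\.awsdns-\d+\.(com|net|org|co\.uk)$"), "awsdns")]

def provider_of(ns_host):
    """Map a nameserver hostname to a provider label."""
    host = ns_host.rstrip(".").lower()
    for pattern, label in PROVIDER_PATTERNS:
        if pattern.search(host):
            return label
    # Naive fallback: last two labels (ignores multi-label public suffixes).
    return ".".join(host.split(".")[-2:])

def classify(site, nameservers):
    """Return (verdict, providers) for one site's NS set.

    private   - all nameservers are under the site's own domain
    critical  - exactly one provider, and it is a third party
    redundant - two or more independent providers
    """
    if not nameservers:
        raise ValueError(f"no NS records supplied for {site}")
    own = ".".join(site.rstrip(".").lower().split(".")[-2:])
    providers = sorted({provider_of(ns) for ns in nameservers})
    if providers == [own]:
        return "private", providers
    if len(providers) == 1:
        return "critical", providers
    return "redundant", providers

# Constructed sample data (not measurements from the study).
SAMPLE_NS = {
    "shop.example": ["ns1.p01.dynect.net", "ns2.p01.dynect.net"],
    "app.example": ["ns-1.awsdns-01.com", "ns-2.awsdns-02.net",
                    "ns-3.awsdns-03.org", "ns-4.awsdns-04.co.uk"],
    "news.example": ["ns1.p01.dynect.net", "ns-5.awsdns-05.com"],
    "corp.example": ["ns1.corp.example", "ns2.corp.example"],
}

def audit(ns_map):
    """Classify every site; return {site: verdict}."""
    return {site: classify(site, ns)[0] for site, ns in ns_map.items()}

if __name__ == "__main__":
    for site, verdict in audit(SAMPLE_NS).items():
        print(f"{site:14} {verdict}")
```

The `app.example` case shows why counting distinct nameserver domains is not enough: four different domains can still resolve to a single operator, which leaves the site with one point of failure.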