By now I’m sure you’ve heard of the Dyn outage that impacted large portions of the Web on Oct. 21, rendering some of the most popular websites unreachable. If not, there are plenty of write-ups that describe what happened. I won’t rehash the narrative here.
What I would like to do, however, is discuss how this DDoS attack is bound to change the process of software deployment, as well as overall IT security standards — especially regarding the Internet of Things (IoT). To understand why and how this affects you, let’s explore the details of what happened, whether it can happen again, and how you can revamp your software deployment process to avoid being crippled by a similar DDoS attack.
As you’ll see, one lesson from the Dyn affair is that combining Containers-as-a-Service, or CaaS, with the public cloud can help your organization avoid being the victim of the next such attack.
Inside A Distributed Denial of Service (DDoS) Attack
Before discussing CaaS, though, let’s start by understanding the fundamentals of the type of attack suffered by Dyn, which faced a DDoS onslaught.
In a denial of service (DoS) attack, the attacker attempts to render a computing resource (e.g. a server, a network, or an Internet service) unavailable to its intended users. This can be done from within, or by flooding the resource with an overwhelming number of external requests. In a distributed DoS (DDoS) attack, multiple attack vectors or multiple external servers may be involved so that blocking any single attacker won’t stop the DDoS attack. The key thing here is that it’s a widespread attack focused on a single resource.
The servers enlisted in the attack form what’s called a botnet, typically made up of zombie computers (those compromised to perform the attack), across a wide geographic area. To prevent widespread outages, most operating systems and Internet service providers protect their users’ computers from being enlisted in a botnet. However, with the Dyn attack, the usual defenses aren’t effective.
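Why blocking a single source does not stop a distributed flood can be seen from a defender's log analysis. The following is an added example, not code from the original article; the log format, thresholds and addresses are constructed assumptions.

```python
from collections import Counter, defaultdict

def parse(lines):
    """Parse 'epoch_second source_ip method path' lines into (second, ip)."""
    events = []
    for line in lines:
        ts, ip, *_ = line.split()
        events.append((int(ts), ip))
    return events

def classify(events, window=10, per_source_limit=50, capacity=500):
    """Per time window: does blocking every over-limit source restore service?"""
    buckets = defaultdict(Counter)
    for ts, ip in events:
        buckets[ts - ts % window][ip] += 1
    report = {}
    for start, counts in sorted(buckets.items()):
        total = sum(counts.values())
        blocked = {ip for ip, n in counts.items() if n > per_source_limit}
        residual = total - sum(counts[ip] for ip in blocked)
        if total <= capacity:
            verdict = "normal"
        elif residual <= capacity:
            verdict = "single-source flood: per-IP blocking is enough"
        else:
            verdict = "distributed flood: per-IP blocking is not enough"
        report[start] = {"total": total, "sources": len(counts),
                         "blocked": len(blocked), "residual": residual,
                         "verdict": verdict}
    return report

def sample_log():
    """Constructed log: baseline, then one loud source, then many quiet ones."""
    lines = []
    for start in (1000, 1010, 1020):  # 20 ordinary clients in every window
        lines += [f"{start + 1} 10.1.0.{i} GET /" for i in range(1, 21) for _ in range(2)]
    lines += ["1012 10.9.9.9 GET /"] * 600  # one source, 600 requests
    lines += [f"1023 10.2.{i // 200}.{i % 200 + 1} GET /"  # 400 sources, 3 requests each
              for i in range(400) for _ in range(3)]
    return lines

if __name__ == "__main__":
    for start, row in classify(parse(sample_log())).items():
        print(start, row)
```

In the third window no source exceeds the per-source limit, so a per-IP block list removes nothing while the aggregate load is still more than twice the assumed capacity.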
IoT and Mirai Attack Software
What makes the Dyn attack so unique? First, Dyn is a DNS service provider used to resolve the domain names of many high-profile websites. Without its services, users’ web browsers aren’t able to locate the applicable web sites’ servers. Second, the Dyn attack was powered by an open-source DDoS toolkit called Mirai, and it enlisted IoT devices such as DVRs and web cameras to form its botnet.
Even worse, this attack is guaranteed to happen again. In fact, it was already repeated more than once during the day that it occurred last week.
Mirai enlists hundreds of thousands of devices from a single manufacturer deployed in people’s homes around the world using built-in accounts where the root-level passwords are unchangeable. Given that Mirai is openly available, new actors can use it to launch their own DDoS attacks on a wide range of targets going forward.
Changing Software Deployment to Prevent a DDoS Attack
Although the situation as described might seem bleak, there are steps you can take to protect yourself. As described below, some high-profile web properties have already prepared by utilizing a seemingly unlikely resource: the public cloud.
The words public cloud may send chills down the backs of corporate CIOs and CTOs, but although the cloud does create security concerns (i.e. data residency issues and risk), it can also help you eliminate them. For instance, deploying your software or services on multiple cloud providers will help you avoid outages if one of your providers is targeted in an attack. This is something Netflix is prepared for. The company continuously tests its preparedness for attacks like these using its Chaos Monkey family of tools. With this approach, the different cloud providers become part of your redundancy and disaster recovery plan.
Where Containers Fit In
Despite the advantages, the downside of using multiple cloud providers (i.e. the need for different sets of deployment tools, with varying procedures and manual workarounds for each provider) can quickly make this approach infeasible. Fortunately, one simple answer is to use a strategy based on containers, using tools such as Docker, Kubernetes, and Mesos.
With a container-based deployment procedure, you abstract your services’ implementation from the underlying cloud provider’s infrastructure. You effectively isolate and lift the environment your application executes within, and then drop it onto your cloud provider’s servers as a unit. Taking this a step further, instead of standardizing on a single implementation like Docker, platform solutions such as Rancher (http://rancher.com) allow you to combine and manage Docker, Kubernetes and Mesos containers as a whole. The result is known as containers-as-a-service (CaaS), and it can be used to deploy your applications on any infrastructure.
If you want to deploy to multiple public clouds easily to mitigate the risk of DDoS attacks, then CaaS is a handy way to do it.
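The redundancy argument above can be checked with a small simulation that contrasts a single-provider deployment with the same container deployed to several providers. This is an added example, not code from the original article or from Rancher; the provider names, health URLs and the `Target` type are hypothetical.

```python
import urllib.request
from dataclasses import dataclass
from itertools import cycle

@dataclass(frozen=True)
class Target:
    provider: str    # hypothetical provider label
    health_url: str  # hypothetical health endpoint of the deployed container

# Hypothetical: one container image deployed unchanged to three providers.
TARGETS = [Target(p, f"https://{p}.example.net/healthz")
           for p in ("cloud-a", "cloud-b", "cloud-c")]

def http_probe(target, timeout=2.0):
    """Real probe: HTTP GET on the health URL; any network error means down."""
    try:
        with urllib.request.urlopen(target.health_url, timeout=timeout) as resp:
            return resp.status == 200
    except OSError:
        return False

def healthy(targets, probe=http_probe, attempts=3):
    """Keep a target if at least one of `attempts` probes succeeds."""
    return [t for t in targets if any(probe(t) for _ in range(attempts))]

def route(targets, probe, requests):
    """Spread requests round-robin over the providers that pass the probe."""
    live = healthy(targets, probe)
    if not live:
        raise RuntimeError("no provider reachable")
    ring = cycle(live)
    return [next(ring).provider for _ in range(requests)]

def survives_loss_of(targets):
    """Simulate each provider going dark; list who can still serve traffic."""
    result = {}
    for lost in sorted({t.provider for t in targets}):
        def probe(t, lost=lost):  # simulated probe: only `lost` is down
            return t.provider != lost
        result[lost] = [t.provider for t in healthy(targets, probe)]
    return result

if __name__ == "__main__":
    print(survives_loss_of(TARGETS[:1]))  # single provider: nothing left
    print(survives_loss_of(TARGETS))      # three providers: two remain each time
```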
Conclusion: The Dyn Attack Could Change Deployment and Security Standards
Focused attacks on critical Internet infrastructure such as Dyn threaten to undermine the availability of sites and services we all depend on. However, companies such as Netflix have proven that new deployment strategies based on DevOps, containerization, and the cloud are critical to defending against them. Looking back, the Dyn attack may prove to be the turning point in the standardization of security and deployment practices for devices and applications we all depend on.
For instance, Internet-deployed devices may one day need to pass a standard set of security and safety tests before being made available for purchase. Additionally, this attack may also be the catalyst for widespread adoption of DevOps deployment based on a CaaS strategy. As a result of this, we may soon experience a Web unaffected by the failure of entire sets of infrastructure, hence rendering DDoS attacks obsolete.