WEBVTT - The Zombies Are Attacking 0:00:04.400 --> 0:00:07.800 Welcome to tex Stuff, a production from my Heart Radio 0:00:11.800 --> 0:00:15.680 Heathen and welcome to text Stuff. I am your host, 0:00:15.920 --> 0:00:21.000 Jonathan STRICKLINN. I am an executive producer and apparently vampire 0:00:21.440 --> 0:00:25.760 at I Heart Radio. How the tech are you? Okay, 0:00:25.760 --> 0:00:30.080 I'm dropping in now you all got the cringe out 0:00:30.080 --> 0:00:33.559 of the way. First thing. We're done with that. But 0:00:33.720 --> 0:00:39.560 we are in spooky season as I publish this October 0:00:39.600 --> 0:00:43.000 of two thousand twenty two. And you know, I don't 0:00:43.040 --> 0:00:46.280 typically do episodes that relate to spooky stuff, but I 0:00:46.280 --> 0:00:47.800 thought it would be fun if I did a few 0:00:47.880 --> 0:00:54.080 this month that are tangentially maybe questionably themed to be 0:00:54.200 --> 0:00:58.120 halloween ish. This gets a little tricky in tech. I mean, 0:00:58.160 --> 0:01:01.000 I have done episodes about stuff like the tech in 0:01:01.120 --> 0:01:05.880 professional haunted house attractions and stuff like that, which it 0:01:06.000 --> 0:01:09.680 is great, but you know, I can't really revisit that. 0:01:09.680 --> 0:01:12.840 There's not a whole lot more to say. I did 0:01:12.920 --> 0:01:16.479 do a classic episode with my co host Chris Palette 0:01:17.000 --> 0:01:24.000 about ghost hunting technology or so called ghost hunting technology. 0:01:24.200 --> 0:01:26.600 Maybe I'll do an update to that because it's been 0:01:26.720 --> 0:01:30.800 so long since I recorded that that episode, and uh, 0:01:31.000 --> 0:01:34.319 and I always like getting my dander up about stuff 0:01:34.319 --> 0:01:37.200 like that. But you know, pickens are slim when you 0:01:37.240 --> 0:01:40.640 look at stuff that you can theme toward Halloween in 0:01:40.680 --> 0:01:45.640 the tech space. But yesterday in the news episode, I 0:01:45.680 --> 0:01:49.320 talked about how some activists who at the very least 0:01:49.320 --> 0:01:54.680 are sympathetic to the Kremlin, used distributed denial of service 0:01:54.680 --> 0:01:58.600 attacks or de DOS attacks against a dozen or so 0:01:58.880 --> 0:02:05.040 US airport websites. Not air carriers, not the airlines, mind you, 0:02:05.160 --> 0:02:08.680 but the airport websites. And the attacks brought down some 0:02:08.680 --> 0:02:11.880 sites for a few hours, but otherwise had very little 0:02:11.919 --> 0:02:16.280 impact on travel. Now you might say, okay, but how 0:02:16.280 --> 0:02:21.320 are you connecting di DOS attacks to Halloween. Well, the 0:02:21.720 --> 0:02:26.639 tenuous connective tissue is that to to pull off the 0:02:26.760 --> 0:02:32.120 d DOS attack, hackers first have to assemble a bot net, 0:02:33.320 --> 0:02:38.440 which is a collection of compromised computer systems. And another 0:02:38.520 --> 0:02:43.520 phrase that sometimes describes a bot is zombie, and bought 0:02:43.560 --> 0:02:46.680 net would be a zombie army. So you have these 0:02:46.760 --> 0:02:52.919 zombie computers and so zombies. It's totally thematic, right. Okay, 0:02:53.000 --> 0:02:55.760 let's start with a baseline before we get to distributed 0:02:55.840 --> 0:02:59.920 denial of service attack. Let's just start with denial of service. 0:03:00.320 --> 0:03:03.280 What the heck is that? How does it work. Well, 0:03:03.880 --> 0:03:07.760 let's think of the Internet as a giant, interconnected mess 0:03:07.800 --> 0:03:12.520 of clients and servers. There there are other components there too. 0:03:12.800 --> 0:03:15.960 I am oversimplifying it down to clients and servers. So 0:03:16.320 --> 0:03:19.560 servers are the machines that hold the stuff that we 0:03:19.639 --> 0:03:23.679 want to access online. Maybe we are logging on to 0:03:23.800 --> 0:03:27.680 play an online game and the game exists on a 0:03:27.760 --> 0:03:31.640 server somewhere out on the internet, probably exists on several servers, 0:03:31.639 --> 0:03:35.440 and we just connect to a specific one. Or maybe 0:03:35.480 --> 0:03:39.119 we want to order food online using an app, Well, 0:03:39.160 --> 0:03:43.800 that service is hosted on another server somewhere online. Or 0:03:43.880 --> 0:03:46.200 maybe we just want to pop onto the web and 0:03:46.320 --> 0:03:48.880 visit a news site and read up on the headlines, 0:03:49.000 --> 0:03:52.040 while that news site is on another server somewhere out 0:03:52.080 --> 0:03:56.040 there on the web. So the basic way the Internet 0:03:56.080 --> 0:04:01.480 works is that you access a client of One example 0:04:01.480 --> 0:04:03.920 of a client would be a web browser on your computer. 0:04:04.280 --> 0:04:08.240 That's the client. So that's your point of access to 0:04:08.240 --> 0:04:11.480 the Internet, and you want to see something specific, like 0:04:11.520 --> 0:04:15.600 that news site. Let's say, so you type in the 0:04:15.720 --> 0:04:18.840 u r L for the news site into your browser 0:04:19.480 --> 0:04:22.360 and the browser sends out a message that goes across 0:04:22.400 --> 0:04:26.119 the Internet and it gets directed to the specific server 0:04:26.520 --> 0:04:30.159 that houses that you are l The server receives this 0:04:30.279 --> 0:04:34.200 request from your client, and then it replies to that request. 0:04:34.240 --> 0:04:37.320 It sends the files that represent the front page of 0:04:37.360 --> 0:04:41.200 that news site to your client your web browser. Your 0:04:41.240 --> 0:04:44.159 web browser then displays those files as a web page 0:04:44.200 --> 0:04:46.640 to the user. In a way, this is the most 0:04:46.720 --> 0:04:49.679 simplified method to describe what's going on with the Internet 0:04:49.720 --> 0:04:53.400 in general and the web in particular. The specifics get 0:04:53.440 --> 0:04:56.400 a little more sophisticated than that, but from a very 0:04:56.480 --> 0:05:00.680 high level, that is what's happening with web traffic, without 0:05:00.680 --> 0:05:04.520 getting into things like packets and routing and all that 0:05:04.600 --> 0:05:10.080 kind of stuff. Now, sometimes stuff goes wrong in this process. 0:05:10.560 --> 0:05:13.320 You know, maybe the server that's holding the files you 0:05:13.320 --> 0:05:15.520 want has gone offline for some reason, so you get 0:05:15.560 --> 0:05:19.360 an error back because your request could not be answered. 0:05:19.440 --> 0:05:22.120 The server that would normally be there for some reason 0:05:22.320 --> 0:05:26.800 isn't there. Maybe there are issues between the client and 0:05:26.839 --> 0:05:29.480 the server. So it's not that the server has an 0:05:29.480 --> 0:05:31.960 issue or that your client has an issue, but something 0:05:31.960 --> 0:05:36.200 in the middle is causing some problems, or maybe the 0:05:36.279 --> 0:05:40.000 client connection goes down, like maybe your home internet has 0:05:40.160 --> 0:05:44.640 gone down and that's the problem or maybe the server 0:05:45.040 --> 0:05:47.800 is online. There are no other issues between your client 0:05:47.839 --> 0:05:51.640 and the server, but the server itself is currently overwhelmed. 0:05:52.440 --> 0:05:57.279 Now that can happen naturally without malice involved. So let's say, 0:05:57.360 --> 0:06:01.880 for example, that word gets out out a new video 0:06:01.920 --> 0:06:06.400 game console. Let's say, and everyone knows when that console 0:06:06.560 --> 0:06:09.520 is officially going to go up for pre order, and 0:06:09.600 --> 0:06:12.520 you can go straight to this company's website and sign 0:06:12.600 --> 0:06:15.799 up for a pre order the moment it becomes available, 0:06:15.800 --> 0:06:17.359 and you will be first in line to get this 0:06:17.440 --> 0:06:20.719 brand new video game console. And lots of people know 0:06:20.800 --> 0:06:23.520 about this, so tons of people are interested and invested 0:06:23.560 --> 0:06:28.159 in this. So the appointed hour arrives and now millions 0:06:28.160 --> 0:06:31.080 of people around the world are all frantically attempting to 0:06:31.120 --> 0:06:34.159 connect to the same server to put in their pre order, 0:06:34.760 --> 0:06:37.599 and the server is just overwhelmed by the mass of 0:06:37.720 --> 0:06:41.520 incoming traffic and it slows down the servers of ability 0:06:41.560 --> 0:06:45.200 to respond to the requests. So everyone's starting to experience 0:06:45.240 --> 0:06:48.479 these long delays as they try and connect, and you 0:06:48.520 --> 0:06:52.080 get increasingly frustrated because you're waiting and waiting and waiting 0:06:52.080 --> 0:06:55.039 for a web page to load in your browser, and 0:06:55.080 --> 0:06:59.640 the servers doing its best to respond to demands. Sometimes 0:06:59.680 --> 0:07:02.599 this kind of situation can be enough to actually cause 0:07:02.680 --> 0:07:06.719 the server to crash entirely, which is even more frustrating 0:07:06.760 --> 0:07:08.680 because then it has to go through the whole reboot 0:07:08.680 --> 0:07:11.800 process before you can connect to it again, and that 0:07:11.880 --> 0:07:15.400 obviously makes matters more frustrating. And like I said, this 0:07:15.480 --> 0:07:18.200 all can happen naturally just due to demand. We've seen 0:07:18.240 --> 0:07:21.680 it happen multiple times, even in modern day, like we 0:07:21.720 --> 0:07:24.760 saw it happen a lot early in the days of 0:07:24.800 --> 0:07:29.600 the web because of unexpected demand, but it still happens 0:07:29.600 --> 0:07:33.840 today too. However, this thing that can happen naturally can 0:07:33.920 --> 0:07:38.400 also be caused to happen artificially. A nefarious person can 0:07:38.440 --> 0:07:41.640 try and create that sort of situation on purpose. Now 0:07:41.680 --> 0:07:44.920 this brings us to a denial of service attack or 0:07:45.040 --> 0:07:48.160 DOS attack D O S big D little oh big S. 0:07:48.720 --> 0:07:51.680 All right, So there's an analogy that I love to 0:07:51.800 --> 0:07:54.040 use when talking about denial of service. I'm going to 0:07:54.160 --> 0:07:57.880 use it again. So imagine for a moment that anytime 0:07:58.040 --> 0:08:02.200 anyone rang your doorbell or knocked on your door, you 0:08:02.280 --> 0:08:05.720 absolutely had to go answer the door. You couldn't pretend 0:08:05.760 --> 0:08:09.120 not to be home or ignore it. You are compelled, 0:08:09.320 --> 0:08:12.320 you have no other option. You have to answer the door. Now, 0:08:12.960 --> 0:08:15.160 let's say you're at home and you've decided that you 0:08:15.200 --> 0:08:18.160 want to make yourself snack. You're feeling peckish, so you 0:08:18.200 --> 0:08:20.520 start to head to your kitchen, but then someone rings 0:08:20.560 --> 0:08:23.280 the doorbell, so you turn around and you walk to 0:08:23.480 --> 0:08:26.360 the front door and you open it, but there's no 0:08:26.400 --> 0:08:29.040 one there, so you close the door and you head 0:08:29.080 --> 0:08:31.200 back inside. You start heading back to the kitchen, but 0:08:31.480 --> 0:08:33.559 you get two steps toward the kitchen and the doorbell 0:08:33.720 --> 0:08:36.040 rings again, so you do a one eight. You walk 0:08:36.120 --> 0:08:38.840 back to the door and you open it. There's no 0:08:38.880 --> 0:08:43.439 one there, those darn kids, And now you're getting irritated, 0:08:43.600 --> 0:08:46.080 possibly because you've got some low blood sugar going on 0:08:46.120 --> 0:08:48.360 because you haven't had your snack yet, So you close 0:08:48.440 --> 0:08:51.120 the door. You turn back to head toward the kitchen. 0:08:51.480 --> 0:08:53.880 Bing bong goes the doorbell and you turn around again 0:08:53.920 --> 0:08:56.840 to answer the door, and once again, no one is there. 0:08:56.880 --> 0:09:01.319 And this happens over and over, and because you are 0:09:01.440 --> 0:09:04.960 compelled to answer the door, you can't ever make any 0:09:05.000 --> 0:09:08.960 progress doing anything else, and then eventually you just collapse 0:09:09.040 --> 0:09:14.040 in frustration, starvation, and confusion and a denial of service 0:09:14.080 --> 0:09:17.440 attack is really similar to this. A basic one might 0:09:17.559 --> 0:09:20.440 be that someone is sending a message to a server, 0:09:21.400 --> 0:09:25.719 but the return address for this message goes nowhere, So 0:09:26.480 --> 0:09:29.640 it's a message that's going to a server, but the 0:09:29.679 --> 0:09:33.040 server has the wrong information about where that message came 0:09:33.040 --> 0:09:35.400 from and where it has to send its reply. So 0:09:36.440 --> 0:09:38.680 the hacker is just sending message after message to the 0:09:38.760 --> 0:09:42.160 server with this false return address, and the server has 0:09:42.200 --> 0:09:45.720 to answer each one. That's the server's job. So the 0:09:45.720 --> 0:09:48.640 hacker is just flooding the server as much as possible 0:09:48.679 --> 0:09:51.360 to bring it down, because the server can't just ignore 0:09:51.440 --> 0:09:55.920 incoming messages. If a server ignored incoming messages, the basic 0:09:55.960 --> 0:10:01.000 operations of the Internet would break down. Now, that kind 0:10:01.000 --> 0:10:03.720 of attack is actually not that hard to defend against 0:10:03.720 --> 0:10:05.640 because if you do detect it, if you detect that 0:10:05.679 --> 0:10:09.120 there's an unusual amount of traffic coming from a single source, 0:10:09.880 --> 0:10:13.120 um even if that source is a fake IP address, 0:10:13.559 --> 0:10:16.960 you can just block anything coming from there, and then 0:10:17.720 --> 0:10:21.640 you can keep accepting other traffic. And it's britty. It's, 0:10:22.480 --> 0:10:25.319 in the grand scheme of things, relatively easy to deal with. 0:10:25.720 --> 0:10:28.520 A denial of service attack a basic denial of service attack, 0:10:29.080 --> 0:10:32.920 but the denial of service attack is small change compared 0:10:32.960 --> 0:10:37.080 to a distributed denial of service attack. This is big 0:10:37.160 --> 0:10:41.400 D big D little oh big s d DOS. So 0:10:41.440 --> 0:10:44.880 to do ad DOS attack, a hacker needs access to 0:10:45.040 --> 0:10:49.520 a bunch of computers. This is the distributed part, and 0:10:49.559 --> 0:10:53.640 working together these computers, which could number in the millions 0:10:53.800 --> 0:10:58.560 for a particularly huge zombie army or bought net, they 0:10:58.559 --> 0:11:00.760 can all work together to send them just to a 0:11:00.840 --> 0:11:05.160 targeted server, which then gets bogged down trying to answer 0:11:05.480 --> 0:11:10.120 all these messages. Now, if this podcast were instead of book, 0:11:10.160 --> 0:11:12.360 I would have put a footnote up there when I 0:11:12.440 --> 0:11:16.120 mentioned large botton nets. It is hard to get a 0:11:16.160 --> 0:11:20.360 real figure for how big a boton net is it. 0:11:20.840 --> 0:11:23.160 You can make some estimates, but it's hard to get 0:11:23.400 --> 0:11:28.360 a firm grasp, largely because computers are not necessarily always 0:11:28.480 --> 0:11:31.480 on right. They're not always connected. You might turn your 0:11:31.480 --> 0:11:34.760 computer off, or you might your Internet connection might go 0:11:34.800 --> 0:11:39.280 down or whatever, and so it's not easy to actually 0:11:39.360 --> 0:11:43.440 quantify how big these buttonets can be. However, we have 0:11:43.559 --> 0:11:46.000 some general idea of some of the largest ones. So 0:11:47.120 --> 0:11:49.800 there was a botton net. Still is a bottonet associated 0:11:49.840 --> 0:11:54.120 with a trojan called Zeus that involved more than thirteen 0:11:54.200 --> 0:11:59.000 million computers, so they can be quite large. Also should 0:11:59.000 --> 0:12:00.800 add botton nets can be is for lots of other 0:12:00.840 --> 0:12:04.400 stuff besides the DOS attacks. That's like one of the 0:12:05.520 --> 0:12:09.360 easily identifiable reasons for a butt net, but there are 0:12:09.400 --> 0:12:12.240 other ones as well. Also, just adding that you should 0:12:12.280 --> 0:12:14.800 always be careful to make sure your machines don't become 0:12:14.840 --> 0:12:19.440 part of one, which means practicing good etiquette online. You know, 0:12:19.520 --> 0:12:23.240 making sure you're not downloading files that are coming from 0:12:23.320 --> 0:12:26.920 questionable sources, not clicking on links that are coming from 0:12:27.000 --> 0:12:30.959 questionable sources, all the basic stuff you know about. These 0:12:31.120 --> 0:12:34.960 are reasons why that's important to follow. All right, We've 0:12:34.960 --> 0:12:38.320 got some more to say about zombies, but first let's 0:12:38.360 --> 0:12:51.120 take a break. We're back, all right. So for ad 0:12:51.280 --> 0:12:54.840 DOS attack to work, first you have to actually gather 0:12:55.240 --> 0:12:59.280 your zombie army, and that alone requires a few steps 0:12:59.280 --> 0:13:02.160 of its own. So step one is you design or 0:13:02.559 --> 0:13:08.480 you make use of existing malware that compromises targeted computer systems. 0:13:08.760 --> 0:13:13.280 So if someone installs the malware, it creates a compromised 0:13:13.280 --> 0:13:16.280 computer system. So the goal is to create a means 0:13:16.320 --> 0:13:18.720 for a hacker to be able to send a command 0:13:19.240 --> 0:13:22.520 to the compromised machines that will then prompt the machine 0:13:22.559 --> 0:13:26.080 to follow orders the malware. It could be relatively simple 0:13:27.040 --> 0:13:30.120 where it just allows for this de dos attack approach, 0:13:30.400 --> 0:13:32.880 or it could be more extensive, and frequently is more 0:13:32.920 --> 0:13:37.840 extensive that allows a a wider spectrum back door access 0:13:37.880 --> 0:13:42.360 for hackers that could ultimately give a hacker administrator level 0:13:42.400 --> 0:13:45.240 access to a machine, which is obviously a really bad 0:13:45.280 --> 0:13:49.360 thing for that target machine. And that's really why you 0:13:49.440 --> 0:13:52.240 need to be super careful and practice good etiquette when 0:13:52.280 --> 0:13:55.920 you're online, because if you download certain types of malware, 0:13:56.080 --> 0:13:59.240 it essentially means you've just handed your computer over to 0:13:59.320 --> 0:14:02.600 a hacker. They're able to get back door access to 0:14:02.640 --> 0:14:05.160 your your system, they can look at all your files, 0:14:05.200 --> 0:14:08.400 they can lock it down. That's how ransomware works, where 0:14:08.440 --> 0:14:11.199 they locked down your computer system or locked down certain 0:14:11.240 --> 0:14:14.760 directories in your computer and then they demand a ransom 0:14:15.360 --> 0:14:18.839 and in return they will unlock those for you. So 0:14:19.280 --> 0:14:22.760 that this is again a reminder to be very careful 0:14:22.800 --> 0:14:26.040 when you're online. You don't want to hand over the 0:14:26.120 --> 0:14:29.320 keys to your system to some stranger, right, You just 0:14:29.360 --> 0:14:33.520 don't want to do that. Anyway, Lots of hackers make 0:14:33.600 --> 0:14:37.320 use of already existing tools. Uh, there's a much smaller 0:14:37.360 --> 0:14:41.120 group of them who are actually designing the tools. Those 0:14:41.160 --> 0:14:42.760 are the ones you really have to worry about. I mean, 0:14:42.800 --> 0:14:44.880 you have to worry about all of them, the ones 0:14:44.920 --> 0:14:48.080 who just make use of re existing stuff in order 0:14:48.120 --> 0:14:54.880 to advance their own agendas. Often they are dismissively referred 0:14:54.880 --> 0:14:59.840 to as script kitties. They're taking existing script or programming 0:15:00.320 --> 0:15:03.240 and making use of it, but they're not righting it themselves. 0:15:03.720 --> 0:15:06.240 Uh that that's a term that's often used for them. 0:15:06.280 --> 0:15:10.280 I find that term to be problematic simply because it 0:15:10.360 --> 0:15:15.400 doesn't reduce how potentially dangerous they can be. Uh. You, 0:15:15.800 --> 0:15:17.600 if you dismiss them and you think that they're not 0:15:17.640 --> 0:15:20.080 an issue, then you might be setting yourself up for 0:15:20.520 --> 0:15:24.000 being victimized. So I don't really like using the script 0:15:24.040 --> 0:15:29.960 kiddies designation anyway. A lot of the time hackers hide 0:15:30.120 --> 0:15:35.360 malware packages inside a larger, seemingly legitimate file, and this 0:15:35.440 --> 0:15:38.800 is called the trojan method. It's named after the trojan 0:15:38.880 --> 0:15:42.120 horse of ancient legend. So instead of packing a bunch 0:15:42.160 --> 0:15:46.520 of soldiers inside a big wooden horse, these digital trojan 0:15:46.560 --> 0:15:50.720 horses have a malware package hiding within them. So you 0:15:50.800 --> 0:15:53.560 designed the trojan to look like something else, maybe something 0:15:53.600 --> 0:15:56.720 that folks would really like to get hold of. This 0:15:56.800 --> 0:16:00.320 is one reason while you hear people cause UH and 0:16:00.400 --> 0:16:05.480 others about downloading pirated files, going to sources where you've got, 0:16:06.040 --> 0:16:10.160 you know, stuff that's like games and movie files and 0:16:10.200 --> 0:16:13.120 all this kind of stuff supposedly ready for you to download. 0:16:13.840 --> 0:16:18.240 It's not just that the matter of piracy itself is illegal, 0:16:18.360 --> 0:16:22.080 that you're essentially stealing, you know, the idea of downloading 0:16:22.120 --> 0:16:27.160 a product without paying for that product is stealing. But 0:16:27.200 --> 0:16:32.280 it's also that hackers will sometimes insert malware into files 0:16:32.640 --> 0:16:35.800 and they will hide those in pirate communities, like they'll 0:16:35.880 --> 0:16:39.080 they'll name the files something that people really want, you know, 0:16:39.160 --> 0:16:42.880 maybe it's like uh, an upcoming film that hasn't hit 0:16:42.920 --> 0:16:46.480 theaters yet, but it's supposedly elite copy of it, and 0:16:47.160 --> 0:16:48.320 you know, there are a lot of people who are 0:16:48.320 --> 0:16:50.240 curious about that, and they'll go through the trouble of 0:16:50.280 --> 0:16:53.160 downloading it. Well, you hide some malware in there, and 0:16:53.320 --> 0:16:57.440 whether it's the real film or not, you've delivered malware 0:16:57.480 --> 0:17:00.600 to someone and potentially commenced them to install it because 0:17:00.680 --> 0:17:04.480 you know, maybe you've compressed the file in some way 0:17:04.600 --> 0:17:07.359 and you've disguised it and people are clicking on it. 0:17:07.400 --> 0:17:09.800 They're just eager to get a look at this movie, 0:17:10.160 --> 0:17:14.240 and in the process they install malware to their machine. Also, 0:17:14.320 --> 0:17:18.040 if someone is illegally downloading files, that person is likely 0:17:18.600 --> 0:17:24.800 to resist speaking up about being victimized simply because they 0:17:24.840 --> 0:17:28.359 were already engaged in something that was questionable, right they 0:17:28.400 --> 0:17:32.479 were pirating files. It's it's that thought that if someone's 0:17:32.480 --> 0:17:35.000 being dishonest, they're not going to come forward when you 0:17:35.320 --> 0:17:38.359 have targeted them because they're worried about being found out. 0:17:39.200 --> 0:17:43.720 So it's it's identifying your target audience and the ones 0:17:43.760 --> 0:17:46.720 that are less likely to actually take steps to fix 0:17:46.800 --> 0:17:49.240 a problem if it pops up, so that can give 0:17:49.280 --> 0:17:54.080 hackers more time with these compromise machines, these zombie computers. 0:17:54.760 --> 0:17:58.679 So hackers build up their zombie armies, their bought nets 0:17:58.720 --> 0:18:02.520 by distributing the malware in various ways. The trojan method 0:18:02.560 --> 0:18:04.719 is just one of many. There are lots of others, 0:18:05.200 --> 0:18:08.560 and they monitor the botton net as it grows. You know, 0:18:08.600 --> 0:18:12.320 they're essentially administering the botton net in the back end. 0:18:12.440 --> 0:18:14.760 They have the ability to send out commands. This is 0:18:14.800 --> 0:18:19.000 why you get concepts like a zombie army because the 0:18:19.000 --> 0:18:23.240 the individual compromised devices are the soldiers of that army. 0:18:24.160 --> 0:18:28.879 The hacker ends up being the commander of that army 0:18:29.240 --> 0:18:32.520 and can send out commands to the entire army. And 0:18:32.640 --> 0:18:35.320 maybe the hacker doesn't take action right away. Maybe they 0:18:35.359 --> 0:18:39.280 just sit and wait. They have this growing number of 0:18:39.680 --> 0:18:43.000 devices that are part of their army, and they just 0:18:43.040 --> 0:18:46.320 wait until the time's right. In fact, it's even possible 0:18:46.359 --> 0:18:48.640 that they don't even have a target in mind yet. 0:18:48.680 --> 0:18:52.680 They just they compromise the machines. But it's really because 0:18:52.720 --> 0:18:54.560 they plan on doing an attack, but they haven't even 0:18:54.560 --> 0:18:57.880 decided who they're going to attack. That can sometimes happen too. 0:18:58.080 --> 0:19:00.399 But when the time comes, they send out the command 0:19:00.480 --> 0:19:03.240 to all these infected devices, at least the ones that 0:19:03.320 --> 0:19:07.400 are currently online, and they direct these devices to all 0:19:07.400 --> 0:19:11.359 start flinging messages at the target server and boom, you 0:19:11.480 --> 0:19:14.840 got your distributed denial of service attack carried out by 0:19:15.040 --> 0:19:22.280 zombie computers. Spooky. Now, de dos attacks can get more 0:19:22.359 --> 0:19:27.520 complicated than how I've described. For example, it's also possible 0:19:27.560 --> 0:19:30.600 to make use of compromised Internet of Things devices. They 0:19:30.640 --> 0:19:33.760 don't have to just be computers, and you may have 0:19:33.840 --> 0:19:37.440 heard me speak in past episodes about issues with IoT 0:19:37.600 --> 0:19:41.320 security in the past. Some companies are not very good 0:19:41.760 --> 0:19:46.800 at securing their devices properly, so you'll get a manufactured 0:19:46.800 --> 0:19:52.760 product there's poor security on that product. There's the assumption 0:19:52.880 --> 0:19:55.880 is just that it's not going to get targeted. UH. 0:19:55.920 --> 0:19:59.880 There's a great example of various manufacturers that have used 0:20:00.119 --> 0:20:04.679 common login and password for devices like including routers where 0:20:04.720 --> 0:20:09.560 there's a a generic UH log in and password, and 0:20:09.600 --> 0:20:12.080 if you know the generic logan and password for those routers, 0:20:12.080 --> 0:20:14.240 it means that you can access any router where the 0:20:14.359 --> 0:20:18.000 user has not made the effort to change those and 0:20:18.880 --> 0:20:22.520 as you might guess, most people don't go to that effort. 0:20:22.680 --> 0:20:26.040 Most people fail to go in and change the default 0:20:26.040 --> 0:20:29.199 settings on their various devices, which means if you know 0:20:29.320 --> 0:20:32.920 the default log in, you can access those devices right 0:20:33.040 --> 0:20:35.040 even if you don't have access to other stuff on 0:20:35.080 --> 0:20:38.760 the network. So then hackers can get access to a 0:20:38.880 --> 0:20:42.320 very large installed base of Internet of Things devices in 0:20:42.359 --> 0:20:45.480 this way. For Scout Research Labs looked at more than 0:20:45.560 --> 0:20:50.240 eight million devices in the IoT field and they found 0:20:50.240 --> 0:20:53.400 that there are some particularly weak examples and they happen 0:20:53.480 --> 0:20:57.200 to be in very important places. They found that one 0:20:57.760 --> 0:21:00.960 category of device of IoT device that tends to have 0:21:01.040 --> 0:21:05.880 pretty weak security our medical devices. That is terrifying. They 0:21:05.920 --> 0:21:11.280 also found that networking equipment was particularly weak with security. Again, 0:21:11.760 --> 0:21:16.080 this is like the infrastructure, the bones upon which everything 0:21:16.200 --> 0:21:20.720 is built, and those are weak points in a way, 0:21:20.800 --> 0:21:23.040 it almost doesn't matter how much security you've built on 0:21:23.080 --> 0:21:25.119 top of everything else. If you can get at the 0:21:25.160 --> 0:21:30.120 underlying networking equipment, you can cause some real havoc. So 0:21:30.240 --> 0:21:33.240 it's possible to direct these kinds of devices to also 0:21:33.320 --> 0:21:36.720 send Internet traffic to a targeted server. So a zombie 0:21:36.800 --> 0:21:40.840 army may not be composed of computers. It could include 0:21:40.840 --> 0:21:44.960 stuff that's well outside your typical computer. And as more 0:21:45.000 --> 0:21:48.800 devices joined the Internet of Things, this problem continues to grow. 0:21:49.520 --> 0:21:52.480 And while companies like cloud Flare, which we'll talk about 0:21:52.920 --> 0:21:55.320 in a couple of minutes, have really come up with 0:21:55.359 --> 0:21:58.960 some mitigation strategies to deal with de dos attacks, the 0:21:59.000 --> 0:22:02.720 attackers are always looking for other ways to be effectived. 0:22:02.840 --> 0:22:05.879 DOS attacks can also be sophisticated in other ways. So 0:22:05.960 --> 0:22:09.439 I gave a big overview of how de dose works. 0:22:09.480 --> 0:22:12.080 But while that is an overview, you need to know 0:22:12.119 --> 0:22:15.520 that there are different types of de DOS attacks that 0:22:15.600 --> 0:22:20.360 target different elements or layers of a network, So you've 0:22:20.359 --> 0:22:24.720 got you know, you can think of networking as different layers, 0:22:24.720 --> 0:22:31.280 with each layer corresponding to a specific subset of UM tasks. 0:22:31.880 --> 0:22:34.560 And I'm not going to go into the full layer description. 0:22:34.600 --> 0:22:36.520 I've done episodes about that in the past, but my 0:22:36.600 --> 0:22:40.520 point is that ad dose attack can target a specific layer, 0:22:41.160 --> 0:22:44.280 and if you use ad DOS attack that targets multiple 0:22:44.359 --> 0:22:48.400 layers using lots of different computers, that becomes a very 0:22:48.400 --> 0:22:51.800 sophisticated de DOS attack, one that is much harder to 0:22:51.840 --> 0:22:55.800 defend against than one than ADDS attack that targets just 0:22:55.840 --> 0:23:00.080 a single layer, like the web server layer that I 0:23:00.160 --> 0:23:03.159 kind of described earlier, the one that took down the 0:23:03.200 --> 0:23:06.000 airport websites that I mentioned at the beginning of this episode, 0:23:06.520 --> 0:23:10.199 that was a very simple de DOS attack. It was 0:23:10.240 --> 0:23:13.720 attacking a specific layer, just one, so it wasn't a 0:23:13.760 --> 0:23:17.480 multi layer attack UM and so was therefore easier to 0:23:17.600 --> 0:23:20.520 defend against. But they don't all have to be like that. 0:23:20.560 --> 0:23:25.120 They can be a multi layer attack from multiple vectors, 0:23:25.160 --> 0:23:29.720 and that becomes a much more challenging issue to defend against. 0:23:30.400 --> 0:23:33.879 And you know, the goal is almost always to gum 0:23:34.000 --> 0:23:37.200 up the network so that traffic slows to a crawl 0:23:37.320 --> 0:23:41.080 or it crashes entirely. So the goal is usually the 0:23:41.160 --> 0:23:44.680 same goal, right, You're just trying to disrupt connectivity to 0:23:44.800 --> 0:23:48.600 a specific target, But there are different ways of doing that, 0:23:48.640 --> 0:23:53.720 whether you're attacking the server itself or you're attacking elements 0:23:53.720 --> 0:23:58.760 within the Internet that direct traffic to that server. And 0:23:58.800 --> 0:24:01.000 maybe in the future episode I'll go into more detail 0:24:01.080 --> 0:24:03.640 about that, but that's going to require like a full 0:24:03.720 --> 0:24:07.160 length episode, so we're gonna leave that for now. We're 0:24:07.160 --> 0:24:09.440 also going to take another quick break. When we come back, 0:24:09.480 --> 0:24:12.840 I'm gonna talk more about cloud Flare and how cloud 0:24:12.880 --> 0:24:16.399 Flare helps protect against things like de dos attacks and 0:24:16.480 --> 0:24:20.920 keep us safe from the zombies. But first this break. 0:24:30.200 --> 0:24:32.960 All right, before the break, I mentioned cloud Flare, which 0:24:33.040 --> 0:24:37.000 provides several services, not just protection against de dos. But 0:24:37.040 --> 0:24:40.920 that's one that a lot of people relate cloud Flare too. 0:24:41.240 --> 0:24:43.800 They think of that as like a company that protects 0:24:44.480 --> 0:24:50.200 other companies from unwanted massive amounts of traffic, in other words, 0:24:50.240 --> 0:24:55.360 de DOS attacks. This is tricky because, at least initially, 0:24:55.359 --> 0:24:58.800 a de dos attack can look like legitimate traffic to 0:24:59.160 --> 0:25:02.760 a server, and you know you don't want to block 0:25:02.920 --> 0:25:08.119 legitimate traffic, right, You don't want to proactively cut people 0:25:08.200 --> 0:25:10.600 off from connecting to a server. The whole point is 0:25:10.760 --> 0:25:14.200 of services to allow clients to connect to them, and 0:25:14.280 --> 0:25:16.919 so if you are blocking off all traffic, then there 0:25:17.000 --> 0:25:18.640 might as well not be a server there at all. 0:25:19.840 --> 0:25:23.800