Primer: What DDoS attacks could mean for IoT
When a headline screams something like “worst DDoS ever,” it’s often accurate.
Distributed denial-of-service attacks, which deluge targeted sites or services with traffic to force them offline, have been growing in strength and scope for decades. And although organizations can do certain things to mitigate the impact of an attack, our seemingly ever-increasing usage of Internet-connected devices is likely only inviting more DDoS trouble.
DDoS attacks have been around since the Stone Age of the Internet: The first recorded denial-of-service attack dates back to 1974. And more than 20 years later (and almost 20 years ago, in August 1999), researchers recorded the first distributed denial-of-service attack, as hackers took down computers at the University of Minnesota for two days with a tool called Trinoo.
Over the following years, government agencies, political parties, corporations, schools, and even small businesses increasingly found themselves in the crosshairs of DDoS attacks. And it became impossible to talk about DDoS attacks without mentioning their use by activist hackers, or hacktivists, to conduct “virtual sit-ins,” or by others to harass or extort various targets.
On February 28 this year, the largest DDoS attack then on record struck the code-sharing site GitHub. Starting at 17:21 UTC (9:21 a.m. PST), reflected traffic flooded GitHub’s servers for about nine minutes, peaking at 1.35 terabits per second from tens of thousands of endpoints in more than 1,000 networks, and made the site intermittently unavailable. The attackers exploited misconfigured memcached servers, a caching service that normally helps sites load faster: instances left listening on UDP and reachable from the Internet answer a small request whose source address has been spoofed to the victim’s with a response up to 51,000 times larger, and that response is delivered to the victim.
It held the record for only five days. On March 5, Arbor Networks reported a 1.7Tbps attack on a customer of a U.S. service provider.
Carlos Morales, Arbor’s vice president of global sales engineering and operations, didn’t offer many details about the attack, whose target was apparently a customer of an Arbor client. But in a blog post he crowed about how Arbor was able to stop the attack before it affected the customer’s business.
“It’s a testament to the defense capabilities that this service provider had in place to defend against an attack of this nature that no outages were reported because of this,” Morales wrote.
Note that the fix does not live on the target’s own servers: the memcached instances doing the amplifying belong to third parties who left them listening on UDP port 11211 and reachable from the Internet. The provider most likely absorbed the flood by dropping or rate-limiting UDP traffic with source port 11211 at its network edge, while the lasting fix is for memcached operators to disable the UDP listener (memcached 1.5.6, released in late February 2018, turned it off by default) or bind the service to localhost or a private address. Together, such defenses can fend off attacks that would otherwise cripple websites and services for millions of users.
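To make the reflection mechanism and the victim-side view concrete, here is an added example (not from the article, GitHub, Arbor, or Rapid7) that flags memcached reflection traffic in NetFlow-style flow records and computes the bandwidth amplification factor. The record layout is a hypothetical whitespace format and the flows are constructed for illustration; the addresses are documentation ranges.

```python
"""Spot memcached reflection in flow records (added example, constructed data)."""
from collections import defaultdict

MEMCACHED_UDP_PORT = 11211

# Constructed NetFlow-style records in a hypothetical whitespace layout:
#   timestamp proto src sport dst dport packets bytes
# The first four flows are what a victim sees: replies arriving FROM port
# 11211 on several hosts it never queried, all toward one destination, each
# packet near MTU size. 10.0.0.7 -> 10.0.0.8 is an ordinary internal cache
# reply (small packets); the last two are unrelated DNS and web traffic.
SAMPLE_FLOWS = """\
1519838460 udp 203.0.113.10 11211 198.51.100.5 41000 120 168000
1519838460 udp 203.0.113.11 11211 198.51.100.5 41000 98 137200
1519838460 udp 203.0.113.12 11211 198.51.100.5 41000 150 210000
1519838460 udp 203.0.113.13 11211 198.51.100.5 41000 110 154000
1519838460 udp 10.0.0.7 11211 10.0.0.8 53000 40 3200
1519838460 udp 192.0.2.53 53 198.51.100.5 52000 20 2400
1519838460 tcp 192.0.2.80 80 198.51.100.5 44000 300 420000
"""

FIELDS = ("ts", "proto", "src", "sport", "dst", "dport", "packets", "bytes")
INT_FIELDS = {"ts", "sport", "dport", "packets", "bytes"}


def parse_flows(text):
    """Parse the whitespace-separated records above into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        flows.append(rec)
    return flows


def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker sends.
    memcached answers a 15-byte UDP "stats" request (8-byte frame header plus
    the command) with whatever it has cached; a 750 kB reply gives 50,000x,
    the order of magnitude behind the GitHub attack."""
    return response_bytes / request_bytes


def find_reflection_victims(flows, min_sources=3, min_bytes_per_packet=512):
    """Group UDP flows whose *source* port is 11211 by destination and keep the
    destinations that receive large replies from many different servers.
    A real client talks to one or two caches and gets small replies."""
    by_dst = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["sport"] != MEMCACHED_UDP_PORT:
            continue
        if f["bytes"] / f["packets"] < min_bytes_per_packet:
            continue  # small replies: ordinary cache traffic, not reflection
        stats = by_dst[f["dst"]]
        stats["sources"].add(f["src"])
        stats["packets"] += f["packets"]
        stats["bytes"] += f["bytes"]
    return {dst: s for dst, s in by_dst.items() if len(s["sources"]) >= min_sources}


if __name__ == "__main__":
    for victim, s in find_reflection_victims(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{victim}: {s['bytes']} bytes in {s['packets']} packets "
              f"reflected off {len(s['sources'])} memcached servers")
    print("amplification for a 15-byte request, 750 kB reply:",
          amplification_factor(15, 750_000))
```

The detector keys on the source port because that is the one thing the victim can see: the reflectors are legitimate servers, the real attacker never appears in the flows, and the destination port is whatever the attacker chose. On the memcached side, `-U 0` turns off the UDP listener and `-l 127.0.0.1` (or a private address) keeps the service off the public Internet; both are existing memcached command-line options.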
Bob Rudis, the chief data scientist at Rapid7, noted in a blog post that the number of memcached servers exposed to the Internet and usable as DDoS amplifiers dropped from 18,000 to fewer than 12,000 in the five days following the attacks.
“We’ve never really seen a drop this large in a publicly exposed service,” he wrote. “Even the WannaCry disaster did not prompt a serious decrease.”
Staying on top of software updates, including vulnerability patches, is also increasingly important. More than 40,000 servers are at risk of being conscripted into the next major DDoS assault because they haven’t been patched and updated, according to a study published last week by cybersecurity company Rapid7.
Of course, not all DDoS attacks (or mitigation methods) are the same, cautions Marc Rogers, chief security officer at security startup ScaleFT.
“DDoS has evolved as information warfare has evolved,” Rogers, the former head of information security at Cloudflare, told The Parallax via instant message. “It used to be about just throwing junk at sites,” he says, “to knock them offline.”
Now, Rogers says, it’s as much about “influencing or controlling access to information” as it is about “blocking access.” He points to recent DDoS attacks against official online comment forums on the Federal Communications Commission’s Net neutrality decision, or on the Brexit decision, which prevented consumers from sharing their opinions on pressing political decisions with officials.
“4chan loves to do that kind of attack,” he says. “It’s easy for nontechnical people to have massive impact…Just a few thousand people using scripts can bring an enterprise to its knees.”
Just as attack methods are evolving, so are the devices that carry them out. Today, connected devices collectively known as the Internet of Things, often shipped with weak defenses against compromise, if any, are poised to play a growing role in large-scale DDoS attacks.
As the Internet of Things expands, Rogers says, DDoS attacks could become increasingly popular and nuanced. Although hackers aren’t yet readily manipulating connected devices in DDoS attacks to target communication systems, he points to at least one instance where they have.
In 2016, he says, security company Sucuri found that hackers used a DDoS attack to take down the site of a small jewelry store after hacking its Internet-connected security cameras. The attack used “three fake user agents and performed 50,000-plus requests a second, so [it was] pretty small,” Rogers says—but effective.
IoT-initiated attacks like this one, he says, are smaller in scale and less potent than traditional DDoS attacks. But because they attack the “application layer,” or specific parts of the website or service itself, they’re harder to differentiate from “normal” website traffic and therefore harder to stop.
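Why a flood like that is hard to separate from normal traffic, and what still gives it away, is easier to see over log lines. The following added example (not code from the article or from Sucuri) parses web-server access logs in the standard combined format and aggregates request rates per user agent rather than per source address. The log lines and user-agent strings are constructed and scaled down: 90 requests in one second from 30 device addresses and three fabricated user agents, so each address sends only 3 requests per second, below any sane per-IP limit, while each user agent is at 30 per second.

```python
"""Find application-layer floods in access logs by user agent (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed user-agent strings for the sample (the real attack used three).
FAKE_UAS = [
    "Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0",
    "Opera/9.80 (X11; Linux i686) Presto/2.12.388 Version/12.16",
]
NORMAL_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36")


def build_sample_log():
    """Constructed log lines (not a real capture): five ordinary page views in
    separate seconds, then 90 requests in a single second spread over 30 source
    addresses and the three fake user agents (3 req/s per address, 30 per agent)."""
    lines = [
        f'192.0.2.{10 + i} - - [28/Feb/2018:17:2{i}:00 +0000] '
        f'"GET /products/ring-{i} HTTP/1.1" 200 5120 "https://shop.example/" "{NORMAL_UA}"'
        for i in range(5)
    ]
    for i in range(90):
        lines.append(
            f'203.0.113.{1 + i % 30} - - [28/Feb/2018:17:25:00 +0000] '
            f'"GET / HTTP/1.1" 200 18304 "-" "{FAKE_UAS[i % 3]}"'
        )
    return lines


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def _per_second_peaks(lines, key):
    """Highest request count in any one-second bucket, per key(rec)."""
    buckets = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            buckets[(key(rec), rec["ts"].replace(microsecond=0))] += 1
    peaks = defaultdict(int)
    for (k, _), n in buckets.items():
        peaks[k] = max(peaks[k], n)
    return peaks


def peak_rps_per_ip(lines):
    """What a per-IP rate limiter sees: the busiest single address."""
    return max(_per_second_peaks(lines, lambda r: r["ip"]).values(), default=0)


def detect_ua_floods(lines, max_rps=20, min_ips=3):
    """Flag user agents that exceed max_rps in some second AND come from at
    least min_ips addresses: the fingerprint of a few scripted agents replayed
    from many compromised devices. Per-IP limits miss this because each device
    stays quiet; aggregating on the shared user agent does not."""
    peaks = _per_second_peaks(lines, lambda r: r["ua"])
    ips, paths = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ips[rec["ua"]].add(rec["ip"])
            paths[rec["ua"]][rec["path"]] += 1
    flagged = {}
    for ua, rps in peaks.items():
        if rps > max_rps and len(ips[ua]) >= min_ips:
            top_path, n = max(paths[ua].items(), key=lambda kv: kv[1])
            flagged[ua] = {
                "peak_rps": rps,
                "distinct_ips": len(ips[ua]),
                "top_path": top_path,
                "top_path_share": n / sum(paths[ua].values()),
            }
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("busiest single IP:", peak_rps_per_ip(log), "req/s")
    for ua, stats in detect_ua_floods(log).items():
        print(f"FLOOD {stats['peak_rps']} req/s from {stats['distinct_ips']} IPs, "
              f"{stats['top_path_share']:.0%} to {stats['top_path']}: {ua}")
```

Each request on its own is a well-formed GET that the web server happily answers, which is why this traffic blends in. The tell is in the aggregate: one user-agent string, one path, no referrer, arriving from addresses that have never visited before. In production the same idea runs on a sliding window keyed on (user agent, path) with thresholds set from the site’s own baseline rather than the fixed numbers above.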
Even without a boost from IoT devices, application layer attacks are becoming more common. In its Global DDoS Threat Landscape Report for the fourth quarter of 2017, cybersecurity software maker Imperva reported that the attacks “nearly doubled” from the previous quarter.
“The increase in attack persistence reflects the growing ease with which bad actors can launch multiple DDoS attacks,” according to report author Igal Zeifman, Imperva’s director of marketing. “Today, even if a mitigation service is able to deflect an initial attack, perpetrators have every reason to try again and again, until they take down their target, or grow bored and move on.”