We have all seen DDoS (Distributed Denial of Service) attacks in the news over the last year, with attacks on Krebs and DYN making the front-page. What may not be apparent though is the storm of DDoS activity happening every day across the Internet, impacting businesses and end-users alike, writes Darren Anstee, Chief Security Technologist at the DDoS and threat intelligence software company Arbor Networks.
DDoS attacks have been around for over 20 years, but they have continued to evolve and grow and represent a significant business risk. There are three key problems that exacerbate this risk:
– Firstly, far more organisations are reliant on the Internet for interaction with their customers, suppliers, partners and employees. The adoption of cloud, mobility, and home-working means almost every business exists within a mesh of data and application services, and the availability of those services is critical.
– Secondly, DDoS evolution has accelerated since 2013, with rapid increases in attack scale, frequency and complexity. The peak attack reported to Arbor in 2016 was 800Gbps, a 60% jump from the previous year – and – Arbor’s ATLAS system tracked 558 attacks over 100Gbps during the year, up from 223 in 2015. On the frequency side of things there were also big jumps last year with 42pc of enterprises reporting an attack (53pc of government organisation, and 63 per cent of finance organisation) with almost half of those seeing more than 10 attacks per month, up from just over a quarter in 2015. And, attack complexity also increased with 67pc of service providers reporting multi-vector DDoS attacks (the most complex) on their networks, up from 56 per cent in 2015 and 32pc in 2014. DDoS has changed a lot.
– Thirdly, attackers have weaponised DDoS attack vectors, providing anyone with a few dollars access to huge volumetric attacks designed to saturate Internet connectivity, through to sophisticated multi-vector attack mechanisms.
But, it’s not just the attacks themselves that are changing – it’s also the hosts being used to generated the attack traffic. If we go back to the early noughties there was much talk of large networks of compromised home-user machines being subverted into DDoS botnets. Since then we have seen the rise of the packet cannons, compromised (or procured) data-center servers for generating high-volumes of attack traffic, being used in combination with mechanisms such as reflection amplification to launch attacks of 100s of Gbps. But 2016, without a shadow of doubt was the year of the IoT DDoS botnet.
The sheer number of IoT devices out there, and their lack of security features, makes them an ideal target for attackers looking to build out botnets. IoT botnets are nothing new, they have been with us for a few years, but 2016 saw a massive increase in the recruitment of IoT devices by bad-actors around the world. And we all saw the results.
Arbor has infrastructure in place across the Internet to monitor IoT botnet activity, and there is plenty. The honeypots that we have deployed masquerading as IoT devices show that a device can be targeted very quickly by other already compromised devices scanning IP address space – in some regions our IP addresses are targeted more than once per minute. Looking at the IoT botnet activities also goes some way to illustrating how IoT DDoS botnets have been weaponised – Arbor tracked over 11,000 DDoS attacks being launched by IoT botnets over a 3 month period – there is a storm of activity here. So, how do we protect ourselves?
Even if all IoT vendors suddenly decided to harden their devices and implement proper security measures many devices would never be patched or upgraded. Going forward better security within IoT devices is a must, but we need to be protected from those that are out there today. The first thing we should do is prevent our devices being leveraged by attackers. Individuals and businesses should implement best practice, segmenting their networks and putting appropriate access restrictions in place so that IoT devices can only communicate with relevant services and users. Default passwords should be changed and where possible the latest firmware updates installed to remove vulnerabilities. Monitoring should also be put in place so that unusual network activity can be identified and investigated quickly.
The above will ensure that our own devices are not a part of the current problem, but we should also ensure that we have the appropriate services and solutions in place to protect the availability of key Internet services from DDoS attack. Layered protection, incorporating a network perimeter component and a cloud / service-provider based services, is best-practice and can defeat DDoS attacks, maintaining connectivity and service availability – protecting business continuity.
The storm of DDoS activity happening every day across the Internet shows no sign of abating, in fact it is getting stronger – every business should ensure that it is well prepared, and has put the best available defensive services and solutions in place to deal with this risk.
