Distributed denial-of-service (DDoS) attacks flood a website, or the network and name-resolution infrastructure in front of it, with so much traffic that legitimate users cannot reach it. It is the cyber equivalent of jamming so much gunk into a drain pipe that water can’t pass through.
Many large companies with sophisticated cyber defences used to prepare for DDoS attacks of around 200Gbps (gigabits per second). Until recently the largest known attack was about 500Gbps. We’re now seeing DDoS attacks of between 600Gbps and 1Tbps (terabits per second), that is, two to five times what those defences were sized for. An attack of this size would blow most companies’ own cyber defences out of the water, and a third-party mitigation provider might fare no better if the attack exceeds the capacity it has provisioned. The business interruption (BI) caused by one of these attacks could be enormous, particularly for companies whose sales pipeline is largely internet-based.
Rising scale of attacks
The scale of attacks has shifted dramatically in just the last few months. In September last year we saw the largest single targeted DDoS attack recorded at the time, when the security blog Krebs on Security, a regular exposer of cyber criminals, was flooded with around 620Gbps of traffic. Akamai Technologies, a content delivery and DDoS mitigation provider, had been protecting the site free of charge. However, the attack was nearly twice as big as any Akamai had seen before. In the end Akamai withdrew its protection, the site went offline, and Google’s Project Shield had to step in and mitigate the attack.
DDoS attacks don’t just affect the directly targeted company. In October last year a huge number of internet-connected devices, from security cameras and video recorders to home routers, were hijacked and used to direct huge amounts of junk traffic at servers operated by US-based Dyn. Dyn provides authoritative domain name system (DNS) services for many websites: it answers the lookups that turn a name such as twitter.com into a network address. When Dyn’s servers could no longer answer, hundreds of websites, including those belonging to GitHub, Twitter, Reddit, Netflix and Airbnb, became unreachable for several hours even though their own servers were still running.
The rising frequency and scale of DDoS attacks is likely to continue in 2017, driven by the Internet of Things (IoT) and the proliferation of smart devices (TVs, fridges and so on), which give cyber gangs a far larger pool of internet-connected machines to weaponise. The attacks against Krebs on Security and Dyn were launched from IoT devices infected with the Mirai botnet malware. Mirai scans for and enslaves IoT devices, such as routers, digital video recorders and webcams/security cameras, and then uses them to conduct DDoS attacks.
With the proliferation of smart devices only likely to increase, this will play into the hands of cyber gangs. Smart devices, while convenient, are not built with rigorous security in mind, and their front doors are weaker than most people imagine. In many cases cyber gangs can log in over the internet using the factory-set usernames and passwords, which most owners never change; Mirai did exactly this, working through a short list of well-known default credentials on devices whose telnet service was exposed to the internet.
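The Dyn outage took sites offline not because their web servers failed but because every authoritative name server for those sites answered from a single provider. The check below, an added example that is not part of the original article, takes the NS records you would get from `dig NS example.com` and reports whether the delegation is spread across more than one operator. The sample record sets, the short public-suffix table and the provider alias table are simplifying assumptions made for illustration; a production version would use the full Public Suffix List and a maintained list of DNS operators.

```python
"""Flag a domain whose authoritative DNS rests on a single provider.

Added example: the record sets below are constructed for illustration and
the provider-grouping rules are assumptions, not an authoritative mapping.
"""
from collections import defaultdict

# Assumption: suffixes where the registrable domain has two labels after
# the hostname. The real Public Suffix List is far longer.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "co.nz"}

# Assumption: providers whose name servers span several registered domains.
# Route 53, for example, hands out awsdns-NN.com/.net/.org/.co.uk for one
# delegation, which would otherwise look like four providers.
PROVIDER_ALIASES = {
    "awsdns-": "route53",
    "dynect.net": "dyn",
    "ultradns.": "ultradns",
}


def registered_domain(ns_host: str) -> str:
    """'ns1.p05.dynect.net.' -> 'dynect.net'; 'ns-a.dns.co.uk.' -> 'dns.co.uk'."""
    labels = ns_host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def provider_of(ns_host: str) -> str:
    """Map a name server hostname to an operator label."""
    reg = registered_domain(ns_host)
    for prefix, name in PROVIDER_ALIASES.items():
        if reg.startswith(prefix):
            return name
    return reg


def dns_provider_report(ns_records):
    """Group NS hosts by provider and say whether one outage takes all down."""
    by_provider = defaultdict(list)
    for host in ns_records:
        by_provider[provider_of(host)].append(host.lower().rstrip("."))
    return {
        "providers": dict(by_provider),
        "single_point_of_failure": len(by_provider) < 2,
    }


# Constructed sample delegations (illustrative, not real records).
SINGLE_PROVIDER = [
    "ns1.p05.dynect.net.", "ns2.p05.dynect.net.",
    "ns3.p05.dynect.net.", "ns4.p05.dynect.net.",
]
DUAL_PROVIDER = [
    "ns1.p05.dynect.net.", "ns2.p05.dynect.net.",
    "ns-123.awsdns-45.com.", "ns-678.awsdns-90.net.",
]

if __name__ == "__main__":
    for label, records in (("single", SINGLE_PROVIDER), ("dual", DUAL_PROVIDER)):
        report = dns_provider_report(records)
        verdict = "single point of failure" if report["single_point_of_failure"] else "diverse"
        print(f"{label}: {verdict} -> {sorted(report['providers'])}")
```

Feed it the NS records of your own domains: a result of `single point of failure` means a Dyn-style outage at that one provider makes your site unreachable regardless of how well your web tier is protected, and the fix is a secondary authoritative provider rather than more mitigation capacity.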
There is a huge onus on smart device manufacturers to improve the security of these devices. Part of manufacturers’ response is likely to involve fostering better cyber security awareness among customers – for example, by encouraging all users to change passwords and providing the facility to automatically patch a device when a vulnerability is detected.
This will not happen overnight, however. Current IoT devices often lack the memory and processing power to be secured properly, and many run firmware that never receives security updates, so even if every user changed the passwords on their smart devices, adversaries could still compromise many of them through unpatched vulnerabilities and management services left exposed to the internet.
The key infrastructure providers of the internet will also need to identify and implement effective ways of detecting and controlling such attacks. Only a combined effort has a chance of success.
So what practical steps can companies take to minimise the threat of DDoS attacks? If you have a DDoS attack mitigation plan, now is the time to re-examine it. In light of recent attacks, your plan might be insufficient.
Questions to ask include: Do you have a business continuity (BC) plan in place that covers a large-scale DDos attack on your company? After an attack, how would you continue to trade, and how would you inform customers of what had happened?
If you outsource your attack mitigation to a third-party provider, talk to them as soon as possible. Ask whether your provider is aware of these recent attacks and, if so, what it is doing in response. How confident is the provider that it can mitigate a DDoS attack of 500, 600 or even 700Gbps? How exposed is the provider itself to such an attack? What is your contractual position? Would your provider drop your sites to protect its service, as happened to Krebs on Security?
The recent Allianz Risk Barometer listed BI as the top global risk for the fifth year running. It also noted that the number of non-physical causes of BI was only likely to increase. If you don’t have a DDoS attack mitigation plan in place, now is the time to implement one. What we’ve seen so far could be just the beginning.
Peter Erceg is senior vice-president, global cyber and technology, at Lockton.