Skip to main content

The wrath of DDoS

By October 31, 2016Article

2017 will see a staggering rise in both the overall number and scope of global Distributed Denial of Service (DDoS) attacks. The rise will be driven by increasing financial benefit to the attackers and the lack of service provider actions to stop them. Hackers are making money two ways. The first is targeted attacks where a specific company has something the hackers want. An example would be the SWIFT International heist where hackers made off with $81 million. Attacks like these are very targeted, take time – months – and are generally very methodical. The second form is extortion, which does not have to lock up your screen and demand Bitcoins. The mere threat of a DDoS attack, for example, has generated more than $100K for cyber criminals.  

Aside from extortion, DDoS attacks have proven effective just taking websites offline. Recently, content delivery network company Akamai was ultimately forced to stop hosting krebsonsecurity.com after being hit with a record-breaking DDoS attack. The decision to drop the website was done by Akamai as part of a business decision in hopes that the DDoS collective would leave them alone. Obviously, even big companies like Akamai fear the wrath of the DDoS perpetrators. 

DDoS riding the IoT wave 

Because of its effectiveness, DDoS has already seen triple digit growth (129 percent) in 2016 and is likely to see a larger surge in 2017. There are several main drivers to this acceleration. The pace in which malware developers are able to uncover vulnerabilities appears to be faster than systems can be patched. 

Another driver is the rush for companies to bring new IoT appliances to market with little thought as to how the device will stay patched against new strains of malware. Many of these devices are deployed with default username and passwords. 

There is also the growing population of existing IoT devices that are out of date, but still online. This is a huge and growing problem, making IoT devices an easy target for hackers to draw into their botnets. In fact, cameras and DVRs were largely the devices compromised that resulted in Brian Kreb’s site being taken offline.    

It has been clear for a while now that current cyber defenses can’t keep up with the growing problem. The rate at which armies of bots are growing is far outpacing the disjointed effort to get the problem under control.  

It may be surprising to learn that the DDoS problem could have been solved years ago with the cooperation of service providers. All DDoS traffic traverses service provider networks to reach the intended target, and service providers hold the key to mitigating the problem. The more surprising point may be why service providers have not been implementing the fix to the problem: it comes down to incentive. 

Lack of incentive 

Service providers have known for years how to resolve the DDoS problem but have largely ignored it for fear of lost revenues or lost customers. These losses can happen for a few reasons. If a service provider reports that one of its customers participated in a DDoS attack, that customer could be penalized or face legal action, alienating that customer. Additionally, if a service provider accidentally filters valid traffic and misses a service level agreement (SLA) guarantee, the service provider may have to pay penalties to that customer. 

On the surface, service providers have defended their position because of the complexity involved with implementing source address validation and the additional overhead it will place on the routers. Either way, it is the fear of lost revenues that is driving the outcome. Many service providers aren’t significantly impacted by DDoS attacks, so it has become much easier to let the problem slide and hope that other solutions rise to the top.  

What 2017 will bring 

Once again, 2017 will see active collaboration among leading service provider vendors on forums such as Nanog; however, no real action will take place. The solution has been clearly outlined in documents such as Best Current Practices (BCP) 38 issued by the Internet Engineering Taskforce (IETF), which has been the topic of many discussions with little action. Unfortunately, that will drive the DDoS attack problem to triple-digit growth in 2017. 

The consequences of not taking action may now come from government intervention, which may not happen until there is a major outage significantly impacting business. The fact that DDoS attacks are a global phenomenon will drive the need for a single government to start the process and then look to gain international cooperation. This is a long and arduous process that could allow for untold damages until a firm stance is taken. 

The trickle-down effect 

Even if legislation were to force service providers to universally contain DDoS traffic, there is still the challenge of getting infected devices in smart homes and at public WiFi spots cleaned up or taken off the internet. A series of laws for manufacturers in the IoT space may be required to ensure that devices receive timely updates and that increased security features are embedded to prevent devices from becoming easily infected. Features such as booting from read-only USB sticks, maintaining HTTPS connections to specific secure sites for customer internet access and requiring immediate registration of MAC addresses at the local CPE will go a long way toward making it difficult for malware developers to gain control of internet-connected appliances.  

Securing IoT devices 

Users and IT teams purchasing the latest IoT devices should refrain from allowing direct access from the internet by cutting holes in the local firewall. This will require IoT manufacturers to include instruction manuals for consumers. If direct access is required from the device to the internet, a secure VPN is one of the best strategies today. It is also a wise investment to choose a router/firewall that supports source address validation. The process of entering the MAC addresses into the home router goes a long way towards preventing the IoT device from spoofing its hardware address as well. To take it a step even further, internet access for IoT devices can be blocked from accessing sites other than the manufacturer for updates. This helps ensure that even if the device becomes infected, the DDoS traffic it generates never leaves the home. Finally, collecting NetFlow or IPFIX from a home router can be accomplished through the use of a free application like Scrutinizer to run reports and to view internet-bound traffic patterns. 

Michael Patterson is CEO of Plixer International. Previously, he worked in technical support and product training at Cabletron Systems. He joined professional services for a year before he left the “Tron” in 1998 to start Somix, which eventually became Plixer.