National Cybersecurity Awareness Month
Last October, the internet broke, or stuttered, depending on who you ask. One year later, those vulnerabilities remain and a year from now, connectivity will still be at the mercy of attackers.
DDoS attacks have become commonplace, but that doesn't limit the potential negative impact on businesses.
In a domain analysis of the top 100 U.S. websites — which includes companies like Netflix, Twitter, YouTube, Reddit, Amazon.com and Wikipedia — only 32 sites had DNS provider redundancy, according to Ron Winward, security evangelist at Radware.
While some companies did make changes, and could have gone with a different provider with a bit more network robustness, 68 of the top 100 websites do not have DNS provider redundancy.
If another larger-scale attack were to hit their service provider, many of the sites could go down once again.
The massive DDoS attack on DNS provider Dyn, disrupted connectivity to major sites like Netflix, Twitter, Spotify, GitHub and Reddit.
You don't need tens of thousands of bots in order to cause damage for somebody.
Though Dyn suffered in the attack, with more than 14,000 internet domains dropping its service in the aftermath, the DNS provider was likely not the true target.
Rather, attackers highlighted a choke point in the internet: If a service provider is taken down, an attack can have far greater impact. Though Dyn was directly targeted and impacted, customers using its services could have lost business and revenue as a result of the attack.
But when DDoS attacks reach the scale of the one targeting Dyn, companies are left little recourse for defense.
"There's only so much you can do with a DDoS attack to protect against it," said Adam Meyers, VP of Intelligence at CrowdStrike. "When you start talking about millions upon millions of nodes that are coming from all over the internet and sending traffic your way — blocking that becomes certainly a whack-a-mole type of game."
In response to the massive attack, security experts were quick to once again extol the virtues of redundancy measures — a best practice that experts have recommended for nearly two decades. But a year later, not much has changed.
Best-practice defense aside, the Dyn attack put the spotlight on IoT security. Gartner predicts more than 21 billion IoT devices will be used globally by 2020. But providers have been slow to change their approach to securing devices.
Whether it's a smart refrigerator or a smart toaster or a camera, people see IoT devices as "single-purpose embedded devices," said Meyers. People need to work to better secure them because "not only did the good guys and the defenders see the problems that Mirai exposed, but the bad guys saw that as a potential thing that they want to get into."
Attackers can create new tools using the Mirai botnet that "are better, faster, stronger," said Meyers. "If you do that, then you're going to be running the DDoS game."
"When you start talking about millions upon millions of nodes that are coming from all over the internet and sending traffic your way — blocking that becomes certainly a whack-a-mole type of game."
VP of Intelligence at CrowdStrike
In the last year, the prevalence of DDoS attacks has only increased. More than one-third of organizations faced DDoS attacks in 2017, compared to 17% in 2016, according to a recent survey of more than 5,200 people from Kaspersky Labs. And many of those organizations claim the attacks served as a smokescreen, used to cover up other incidents that had created "severe financial and reputation damage."
While Dyn may have been the attack that brought attention to DDoS attacks mainstream, both the attack and methodology are not unique and will likely continue to persist.
There is one curious thing that has changed since the Mirai botnet code was released, leading up to and following the Dyn attack.
"Since releasing that code to the public, the number of botnets has increased, but the quantity of enslaved devices in those botnets has dramatically decreased. It's basically because of infighting that happens for the bots," Winward said. "We have factioning of these armies of botnets. More people are fighting for resources and the pool of resources in each [botnet] army is smaller than it was a year ago."
Though botnets may get smaller, attackers don't need to create 1.2TB botnets to wreak havoc. In Winward's lab, he was able to use five IoT devices to take down a single, fairly high-end corporate firewall. "You don't need tens of thousands of bots in order to cause damage for somebody," he said.