The distributed denial of service (DDoS) attack has long been a favourite of people who want to harm a website. It’s a significant technology threat to businesses.
The motive might be a grudge against the site owner, a political goal, or a wish to hurt a competitor. Sometimes the threat is a tool for extortion.
In a DDoS attack, the attacker installs malware on a large number of computers on the Internet, then has them all bombard the target with requests. The requests are usually harmless in themselves, but the sheer quantity slows down the server’s response to legitimate requests or forces it offline. It’s like being in a sandstorm: no single grain can do any harm, but the total effect is deadly.
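The sandstorm point above, as an added example (not code from the original article): a per-source rate limit finds nothing wrong because each device sends only a trickle, while a check on total volume and distinct-source count flags the flood. The traffic, thresholds and function names are constructed for illustration.

```python
from collections import Counter, defaultdict
from statistics import median

def build_sample_log():
    """Constructed traffic as (second, source) tuples; not real capture data."""
    events = []
    for t in range(10):
        # 20 ordinary clients, one request per second each
        events += [(t, f"client-{c}") for c in range(20)]
        if t >= 6:
            # 500 compromised devices, only two requests per second each
            events += [(t, f"device-{b}") for b in range(500) for _ in range(2)]
    return events

def per_source_offenders(events, limit_per_sec):
    """Sources that exceed limit_per_sec within any one-second bucket."""
    counts = Counter(events)  # (second, source) -> number of requests
    return {src for (_, src), n in counts.items() if n > limit_per_sec}

def aggregate_alarms(events, warmup=5, factor=5):
    """Seconds whose total requests or distinct sources exceed factor times
    the median of the earlier seconds that did not raise an alarm."""
    total, sources = Counter(), defaultdict(set)
    for t, src in events:
        total[t] += 1
        sources[t].add(src)
    alarms, history = [], []
    for t in sorted(total):
        sample = (total[t], len(sources[t]))
        if len(history) >= warmup:
            base_total = median(h[0] for h in history)
            base_sources = median(h[1] for h in history)
            if sample[0] > factor * base_total or sample[1] > factor * base_sources:
                alarms.append(t)
                continue  # keep flood traffic out of the baseline
        history.append(sample)
    return alarms

if __name__ == "__main__":
    log = build_sample_log()
    print("per-source offenders:", per_source_offenders(log, limit_per_sec=10))
    print("aggregate alarms at seconds:", aggregate_alarms(log))
```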
Catching the perpetrator is hard. The attack is indirect, from many sources. Often the person who wants to take down a site pays an Internet racketeer to do the job, so it’s hard to trace the assault by its motive.
Big Attacks from Small Devices
Two huge denial of service attacks took place in late September. One targeted the blog Krebs on Security. It may have been retaliation for Brian Krebs’ previous reporting on the professional denial-of-service operation vDOS. Akamai, which provided Krebs with protection from such attacks, reported it was the largest one it had ever seen.
Shortly afterwards, another attack hit the hosting company OVH.com. The attack came in multiple waves and peaked at nearly a terabyte per second. The motive for the attack isn’t clear; the target could have been OVH or any of the sites and services it hosts.
What’s significant about these attacks isn’t just their size, but a shift in means. In recent years, a huge number of Internet-connected “smart devices” have come onto the market: security cameras, DVRs, thermostats, refrigerators, even light bulbs. They’re full-fledged computing devices, running scaled-down versions of major operating systems such as Windows and Linux. In most cases, they have absolutely wretched security.
IoT Devices aren’t Secure
The companies that sell these devices aren’t computer companies, and they’re competing on price, speed to market, and ease of installation. The people who put them into their homes and businesses don’t think of them as computers. Many devices have default passwords that anyone can find out, and they have no ability to upgrade themselves to patch security holes. It’s easy for malware to take them over and make them part of a “botnet,” a network of computers controlled from a malicious “command and control” centre.
Since there are so many devices with little protection, grabbing control of “Internet of Things” devices allows really large attacks. Reports indicate that this approach accounted for a large part of both the OVH and Krebs attacks.
When they aren’t conducting an attack, these machines can spread malware to other vulnerable devices. It’s like zombies turning more victims into zombies.
We can only expect more of these attacks. Even if manufacturers started producing secure devices today, a huge number of unsecured ones are already installed. We can expect them to have a longer service life than the average computer; people don’t replace their refrigerators or DVRs every two to three years. Future laws may make the manufacturers of devices liable or require them to include security measures, but the ones already on the Internet will stay there for a long time.
More Denial of Service Attacks are Coming
The source code that was used to attack Krebs’ site is now publicly available. Inevitably, more attackers will use the code. We can expect more large-scale attacks.
We don’t know how this shift will play out. For the present, attackers have gained an advantage, but security experts will work on countermeasures to detect and block these attacks. Whatever happens, businesses will have to learn about and use the latest defences to hold off mass attacks by simple devices.