Last week, one of the most interesting cyber security stories of this year ended up being drowned out under the news of the Yahoo breach. The story in question was about a distributed denial of service (DDoS) attack against a site owned by Brian Krebs, a well-known security researcher.
By all accounts, last week's DDoS was the largest attack seen to date. In fact, Akamai ‒ a service provider well known for being able to absorb large DDoS attacks ‒ was forced to give up and drop Brian's site from its protection systems.
So what is a distributed denial of service (DDoS) attack? Web sites are designed to handle traffic from a predictable number of visitors per day. Think of visits to a site as the number of emails you receive each day. A DDoS floods a site with far more requests than it is designed to handle. It does this by enlisting multiple computers to simultaneously send requests to the target in question. Since the infrastructure running the affected site isn't designed to handle such a large volume of requests, everything basically grinds to a halt. The outcome is that anyone who tries to legitimately access the site will get no reply. For example, imagine getting hundreds of thousands of new emails every minute ‒ you'll never be able to find or respond to legitimate mail.
So, how did Brian's attackers find so many computers to flood a single site at the same time? Here's the interesting bit ‒ it turns out they didn't use PCs or Macs. Instead they enlisted the help of thousands of compromised Internet of Things (IoT) devices, namely routers, IP cameras and digital video recorders. Stuff a lot of us have in our homes.
The fact is, many of us likely have compromised devices participating in these botnets and we don't even know it. If the router you got from your ISP or the Digibox you have plugged into your TV happened to be one of the devices that took part in last week's DDoS of krebsonsecurity.com, you probably didn't even notice. Such activity has no visible impact on you as a user or on your home network. So you're probably never going to bother investigating or fixing the problem.
The manufacturers of these devices, for the most part, know what's going on, but they're not doing much about it. Even if they were to invest resources into creating patches for all of the devices out there, firmware upgrades often need to be installed manually, and we know from experience that most customers don't install them.
ISPs are also able to mitigate DDoS attacks to a certain extent, but not all of them are doing so. Again, it's expensive. Usability and the bottom line always end up trumping security.
By the way, compromised devices such as those used in this DDoS attack can be used for other malicious activities, such as sending spam or hosting malware.
In case you didn't know, DDoS attacks are now so common that anyone with a presence on the internet needs to take DDoS prevention into account. And that, of course, costs money, which we all end up paying one way or another.
DDoS attacks aren't being run by nation states or organised threat actors ‒ they're being run by anyone who can find a DDoS service on the internet and pay £20 per month. In fact, the reason Brian ended up being attacked was because he recently exposed the perpetrators behind one of the larger DDoS services out there.
Any website is a potential target for a DDoS attack. That can include your online banking site, your video streaming site or the servers that run the online games that you play. In the UK, DDoS extortion schemes against betting sites are so common that bookmakers budget every year either for paying off the extortionists or for paying for high-end DDoS protection services.
With more and more vulnerable devices being plugged into the internet every day, the potential for these attacks to get larger, cheaper and more prevalent rises. And this, in turn, impacts our ability to use online services without interruption. Very little is being done or can be done to stop this trend. So here we are: a frog sitting in a pan of water that's already getting hot, and there's very little we can do about it.