What We Are Seeing with Recent DDoS Attacks and Immediate Measures to Consider

By: Adam Isles, Principal and David London, Director

A major distributed denial of service (DDoS) attack occurred last Friday, October 21, disrupting Internet communications throughout parts of the United States in several waves.

When a DDoS attack occurs, it leverages a large volume of compromised or poorly configured devices to flood a victim with unsolicited Internet traffic. The attack overwhelms the targeted system and results in degraded or discontinued service availability.


The potential effects of DDoS attacks are numerous and can impact any enterprise that relies on the Internet to do business by:

  • Delaying or denying the availability of corporate IT networks (corporate websites, email, cloud applications, etc.),
  • Interrupting or preventing the ability to operate Internet-connected devices and industrial control systems that are connected to the Internet, and
  • Creating secondary impacts resulting from the cascading effects of a more directly targeted (or less well protected) third party.

Among security professionals, there is growing concern over the number of increasingly disruptive DDoS events occurring over the past several months and the potential for wider impacts on the US economy.

Friday, October 21st DDoS Incident

The most recent example targeted a firm called Dyn, which provides core Internet services for large companies with a significant web presence. The company suffered a DDoS attack on its DNS (Domain Name System) infrastructure.

This particular attack targeted Dyn’s DNS servers, which resolve alphanumeric DNS names (e.g., cnn.com) to the IP addresses that computers use to communicate with each other. The system enables users and devices to conduct core Internet functions like web browsing and e-mail transmission. Dyn reported several waves of attacks over the course of the day. Prominent companies like Twitter, Amazon and Spotify were reportedly degraded for varying periods of time.

Increasingly Disruptive DDoS Attacks

Several other recent DDoS attacks have demonstrated unprecedented potency. Attacks in August and September of this year on cybersecurity blogger Brian Krebs’ website, Olympic websites, and French Internet Service Provider OVH have reportedly ranged between 540 gigabits per second (Gbps) and 1 terabit per second (Tbps). By way of comparison, the 2012-2013 DDoS attacks on major banks, unprecedented at the time, were a fraction of this size, peaking at 60 Gbps.

Another concerning element seen in recent attacks is the ability to influence or control compromised Internet-of-Things (IOT) devices. The source code of the malware used to compromise these devices, which was reportedly also used in the Dyn attack, was recently published in a US-CERT Alert by the Department of Homeland Security.

The Chertoff Group remains concerned that, as the volume of compromised IOT devices increases, so does the potential scale of follow-on DDoS attacks that leverage such devices.

Steps to Consider

It is important to note that DDoS risk should not be viewed simply as an IT risk – it constitutes an enterprise risk and should be treated as such. While facts are still unfolding around the recently reported DDoS attacks, organizations should consider immediate steps to mitigate potential risk. These include both IT/IOT and non-IT/IOT measures:

  • Ensure that any IOT default passwords have been changed (both to prevent device compromise and to ensure that your organization does not become an unintended DDoS attack weapon).
  • Limit Internet-facing devices as much as possible.
  • Where possible, update Internet-facing devices with security patches as soon as patches become available.
  • Review, and update as needed, service level agreements (SLAs) with DDoS mitigation providers.
  • At the enterprise level, review business continuity plans for consideration of potentially extended periods of degraded/lost Internet service, both for your organization and for critical third-party service providers.
  • Consider the development of a DDoS risk management strategy (if not already in place), including preventive, detective, response and recovery-related measures.
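The Dyn incident illustrates the third-party dependency that the continuity-planning step above asks organizations to review: a domain whose authoritative name servers are all operated by one DNS provider becomes unreachable whenever that provider is under attack. The following script is an added example, not part of the Chertoff Group advisory, that inventories a set of domains and flags those whose entire name-server set sits with a single provider. The domains, name-server hostnames and provider names are constructed sample data; in practice the NS records would come from a zone inventory or a `dig NS` lookup, and the "last two labels" heuristic for identifying a provider is an assumption that would need a public-suffix list for names under suffixes such as co.uk.

```python
"""
Added example (not from the advisory): find domains whose DNS resolution
depends on a single third-party provider, the failure mode the Dyn attack
exposed. All records below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample: domain -> authoritative NS hostnames (hypothetical providers).
SAMPLE_NS_RECORDS = {
    "example-shop.test": ["ns1.dnsprovider-a.test", "ns2.dnsprovider-a.test"],
    "example-bank.test": ["ns1.dnsprovider-a.test", "ns1.dnsprovider-b.test"],
    "example-news.test": ["ns1.dnsprovider-c.test", "ns2.dnsprovider-c.test",
                          "ns3.dnsprovider-c.test"],
}


def provider_of(ns_host: str) -> str:
    """Approximate the operator of a name server by the registrable domain
    of its hostname. Assumption: the last two labels identify the operator
    (ns1.dnsprovider-a.test -> dnsprovider-a.test); multi-part public
    suffixes such as co.uk would need a public-suffix list."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def providers_for(ns_hosts):
    """Distinct providers behind a list of NS hostnames."""
    return {provider_of(h) for h in ns_hosts}


def single_provider_domains(records):
    """{domain: provider} for every domain whose whole NS set is served by one
    provider, i.e. a single point of failure for name resolution."""
    result = {}
    for domain, ns_hosts in records.items():
        providers = providers_for(ns_hosts)
        if len(providers) == 1:
            result[domain] = next(iter(providers))
    return result


def provider_concentration(records):
    """{provider: [domains]} showing how many domains rely on each provider
    at all, so a continuity plan can rank which outages would hurt most."""
    concentration = defaultdict(list)
    for domain, ns_hosts in records.items():
        for provider in sorted(providers_for(ns_hosts)):
            concentration[provider].append(domain)
    return dict(concentration)


if __name__ == "__main__":
    for domain, provider in sorted(single_provider_domains(SAMPLE_NS_RECORDS).items()):
        print(f"{domain}: all authoritative NS at {provider} (single point of failure)")
    for provider, domains in sorted(provider_concentration(SAMPLE_NS_RECORDS).items()):
        print(f"{provider}: {len(domains)} domain(s) depend on it")
```

In the sample data, example-shop.test and example-news.test each resolve through one provider only, while example-bank.test is split across two; the concentration report shows that an outage at dnsprovider-a.test would touch two of the three domains. The same two functions can be run over a real inventory to decide where a secondary DNS provider is worth adding.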