Denial of Service (DoS) attacks have been around as long as computers have been networked. But if your business relies on the Internet to sell products or collaborate, a DoS attack is more than a nuisance, it can be critical.
Over the past few years, the number of DoS attacks has continued to slowly grow in a “cat and mouse” evolution — bad actors get a slightly stronger attack, and network vendors come up with slightly more resilient equipment to defend. Generally the attacks came from botnets comprised of infected computers and servers. The cost of acquiring and keeping these systems in the botnet was relatively expensive, so there was an economic limiter on how fast the attacks would grow. Then Mirai happened in 2016 and everything changed.
The Mirai botnet didn’t struggle with corporate security teams and technical security controls like anti virus software and firewalls.
Instead, it focused on the millions of Internet of Things (IoT) devices like webcams and Internet routers in the home to build the botnet. With no security controls to overcome, the Mirai botnet was able to grow and launch Distributed Denial of Service (DDoS) attacks larger than ever seen before. A high-profile attack against Internet journalist Brian Krebs signaled that things had changed, then the October 2016 attack against DNS provider Dyn, showed how devastating a DDoS attack can be. And in the world of a cyber criminal, devastating is where the profit opportunities lie.
According to an Arbor Networks’ report at the end of 2016, “In 2016, IoT botnets emerged as a source of incredibly high volume DDoS attacks. So far these massive attacks have not leveraged reflection/amplification techniques. They are simply taking advantage of the sheer number of unsecured IoT devices that are deployed today.” (PDF) The report goes on to highlight that the number of DDoS attacks was up significantly over 2015 and the average size and time of the attack has also increased. “The longest DDoS attack in Q4 2016 lasted for 292 hours (or 12.2 days) – significantly longer than the previous quarter’s maximum (184 hours, or 7.7 days) and set a record for 2016,” according to Kaspersky’s DDoS Intelligence Report for Q4 2016. Knowing that cyber crime is fueled by profit motives now, it is safe to assume that the cyber criminals have figured out how to monetize the IoT threat and we can expect this growing trend in attacks to continue.
We have confirmation of this trend from DDos prevention provider, Corero. According to their most recent analysis, “Organizations are now experiencing an average of 8 DDoS attack attempts per day, up from 4 per day at the beginning of 2017, fueled by unsecured IoT devices and DDoS-for-hire services.” Massive DDoS attacks are getting all of the press attention, but they are only part of the story. What is most interesting about the analysis, however, is the discovery that, “A fifth of the DDoS attack attempts recorded during Q2 2017 used multiple attack vectors. These attacks utilize several techniques in the hope that one, or the combination of a few, can penetrate the target network’s security defenses.” In other words, the criminals’ objective often isn’t the denial of service, but using overwhelming noise at the perimeter to hide malware injection and data exfiltration activities.
DDoS has joined other cyber crimes as a well established, profitable exploitation technology. For as little as $20 per hour, anyone can take advantage of DDoS-as-a-Services and launch an attack at their target of choice. The opportunity to profit from Ransom Denial of Service, where companies pay to avoid being DDoS’d, to using DDoS as a mask for other profitable cyber crime activities means we haven’t seen the end of the growing trend in Denial of Service attacks.