Distributed denial of service attacks grew into a huge threat in 2016. Two massive DDoS attacks made the news within a month of each other. On September 20, an attack hit the website of security expert Brian Krebs. At its peak, it flooded the site at 620 Gbps. On October 21, an attack disabled the DNS provider Dyn, indirectly making a number of big-name websites unavailable for most of the day.
The situation will undoubtedly get worse before it gets better. The basic reason for this gloomy forecast is the growth of botnets. People who launch DDoS attacks don’t use their own equipment. It would be too easy to find and block them and then arrest the perpetrators. Instead, they use an army of devices that have been compromised by malware. The devices’ owners seldom realize they’re being used for evil purposes. In recent years, the size and ability of botnets have grown larger than ever, for several reasons:
- The increasing availability of high Internet speeds. High-speed broadband is common in homes, and businesses are moving up to higher speeds. Normally this is great, but it means that any device in a botnet can send out more packets per second, letting it do more damage.
- The availability of botnet software. The big name in 2016 was Mirai, a freely available software package which can drive attacks by a huge botnet. Infected devices will take part in attacks at the direction of a command and control server. They also scan the Internet for other devices that have weak security. Mirai extends its reach by logging in to poorly secured devices and installing itself on them, and not by sending deceptive email. Mirai-infected devices are found all over the world.
- The Internet of Things. Manufacturers have been pouring cheap network-capable devices into the market in huge quantities. Refrigerators, DVRs, thermostats, and even light bulbs provide extra convenience through remote control and reporting. Many of these devices have extremely weak security, such as default passwords that are difficult to change. Mirai and similar software can find these devices and install malware on them.
- Increased sophistication of attacks. The traditional attack methods are brute-force. TCP connection attacks try to use up all the connections a server can support. Volumetric attacks flood the server with data. Application attacks, also known as Layer 7 attacks, rely on knowledge of how an Internet application works to send it requests that will consume the greatest amount of resources. They can often slip past defenses that block other attacks. DDoS software is getting better at using application attacks.
- DDoS as a service. People who want to launch an attack don’t need to know how to do it themselves. They just need to make a deal with a criminal operation that provides DDoS as a service (with the clumsy abbreviation DDoSaaS). The buyer picks the target and pays an agreed amount, with more money buying a bigger attack. The people believed to be behind one of the biggest operations, called vDOS, were arrested last year, but others are taking their place.
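The application-layer (Layer 7) attacks described above are hard to spot by volume alone, because each request looks legitimate; what gives them away is the rate per source and the concentration on expensive endpoints. The following is an added example, not code from the original post or from any product it mentions. It assumes web server access logs in Common Log Format, a constructed sample log (not a real capture), and illustrative thresholds (60 requests, or 20 requests to expensive endpoints, from one address within a 60-second sliding window); the expensive-endpoint prefixes are assumptions as well.

```python
"""Flag sources whose request pattern looks like an application-layer flood.

Added example. Assumptions: Common Log Format input, illustrative
thresholds, and an assumed list of resource-heavy URL prefixes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed: endpoints that cost the server far more than a static page.
EXPENSIVE_PREFIXES = ("/search", "/report")
WINDOW_SECONDS = 60   # sliding window per source address
MAX_REQUESTS = 60     # illustrative threshold for total requests in window
MAX_EXPENSIVE = 20    # illustrative threshold for expensive requests in window


def parse_line(line):
    """Return (ip, timestamp, path) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path")


def find_suspects(lines):
    """Sliding-window rate check per source; lines must be in time order.

    Returns {ip: {"requests": n, "expensive": n, "at": timestamp}} for
    every source that crossed a threshold, with its last observed counts.
    """
    windows = defaultdict(deque)  # ip -> deque of (timestamp, is_expensive)
    suspects = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the monitor
        ip, ts, path = rec
        dq = windows[ip]
        dq.append((ts, path.startswith(EXPENSIVE_PREFIXES)))
        # Drop entries that fell out of the window.
        while (ts - dq[0][0]).total_seconds() > WINDOW_SECONDS:
            dq.popleft()
        total = len(dq)
        expensive = sum(1 for _, e in dq if e)
        if total > MAX_REQUESTS or expensive > MAX_EXPENSIVE:
            suspects[ip] = {"requests": total, "expensive": expensive, "at": ts}
    return suspects


def build_sample_log():
    """Constructed sample log (not real traffic), sorted by time."""
    base = datetime(2016, 10, 21, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset, path):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return offset, f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    entries = []
    # A normal visitor: 5 page views spread over 40 seconds.
    entries += [entry("203.0.113.10", i * 10, "/index.html") for i in range(5)]
    # Low volume but aimed at the search endpoint: 25 queries in 25 seconds.
    entries += [entry("198.51.100.7", i, f"/search?q=term{i}") for i in range(25)]
    # Plain request flood: 70 requests to the front page in under 50 seconds.
    entries += [entry("192.0.2.44", i * 0.7, "/") for i in range(70)]
    entries.sort(key=lambda t: t[0])
    return [line for _, line in entries]


if __name__ == "__main__":
    for ip, info in find_suspects(build_sample_log()).items():
        print(f"{ip}: {info['requests']} requests, "
              f"{info['expensive']} expensive, last seen {info['at']}")
```

The point of tracking two counters is that the search-endpoint source never exceeds the raw request threshold, so a pure volume check would miss it; only the expensive-request count exposes it. In practice the thresholds would be tuned from the site's own baseline, and a flagged address is a candidate for rate limiting or closer inspection rather than an automatic block, since shared NAT addresses can look similar.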
Motives for launching attacks vary greatly, and it doesn’t take a lot of motivation when buying one is simple and cheap. Some people, such as the ones who attacked Krebs’ site, want revenge. Others are trying to extort money from their targets. Some believe they’re promoting noble causes. Intelligence agencies might be signaling their government’s displeasure with another government.
Security methods that keep unauthorized users and malware out won’t stop a DDoS attack. The best defense is reserve capacity, failover servers, and an infrastructure that avoids single points of failure. Services are available that will stand by to mitigate any attacks. A sufficiently large attack will overwhelm any defense, though. The long-term hope is that the Internet will get better at keeping devices from succumbing to botnet malware in the first place. For at least the next few years, these attacks will be a major problem.