Ugly Step-Child: Reporting on DDoS Attacks Drops While Attacks Surge in Frequency and Volume
Often when something is neglected, people label it the “ugly <insert pejorative here> step-child”, implying that it will never get the attention of something more important. 2018 has been an absolutely wild year in Information Security (InfoSec), mainly focused on speculative-execution attacks such as Spectre, Spectre Prime, Meltdown, and their variants. Coming in a close second is cryptojacking, with campaigns exploiting unsecured Kubernetes servers, vulnerabilities in Apache Struts and Drupal, and improperly configured routers, to name a few. It was just two years ago, in 2016, that the internet saw a first-of-its-scale 665 Gbps sustained DDoS attack against the security blog Krebs on Security, quickly followed by the internet-backbone-smashing 1.2 Tbps sustained DDoS attack against DynDNS that took down Netflix, Okta, AWS, and Twitter.
Largely unnoticed and underreported attacks in early 2018 set new records: a 1.35 Tbps attack against GitHub and a 1.8 Tbps attack against a US-based service provider. At the time of these attacks, security researchers believed that DDoS attacks were reaching the sophistication and scale to cause an Extinction Level Event (ELE) that could potentially take down the entire internet. Part of the reason the attacks went underreported was that companies actually learned from Krebs and DynDNS in 2016 and adapted, implementing security controls to limit the impact of such attacks. For example, the attack against GitHub was a reflective DDoS attack that leveraged exposed memcached services to achieve an amplification ratio of 51,000:1. DDoS protection company CloudFlare was able to intercept most of the malicious traffic, scrub it for memcached packets, and drop them before they reached their intended target, GitHub.
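To show what the memcached scrubbing described above looks like from a victim's edge, here is an added example (not code from the original post or from any provider named in it) that classifies constructed UDP flow records: unsolicited large packets sourced from port 11211 are flagged as reflected traffic, replies to the host's own memcached queries are left alone, the aggregate rate is computed, and per-reflector drop rules are emitted. The Flow layout, the 1000-byte packet threshold and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
MEMCACHED_PORT = 11211          # memcached's default listener
MIN_REFLECTED_PKT_BYTES = 1000  # assumed threshold: amplified replies are near-MTU sized

@dataclass
class Flow:                     # one UDP flow record (TCP is assumed filtered out upstream)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    byte_count: int
    seconds: float              # duration covered by this flow record

# Constructed sample of flow records as seen at a victim's edge (not real traffic).
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 11211, "198.51.100.5", 41000, 2000, 2_800_000, 2.0),  # reflected
    Flow("203.0.113.11", 11211, "198.51.100.5", 41000, 1500, 2_100_000, 2.0),  # reflected
    Flow("198.51.100.5", 52000, "10.0.0.20", 11211, 3, 60, 2.0),                # our own query
    Flow("10.0.0.20", 11211, "198.51.100.5", 52000, 3, 3300, 2.0),              # solicited reply
    Flow("203.0.113.12", 53, "198.51.100.5", 33000, 10, 2000, 2.0),             # ordinary DNS
]

def solicited_pairs(flows: List[Flow]) -> Set[Tuple[str, str]]:
    """(client, server) pairs where the client itself sent a query to port 11211."""
    return {(f.src_ip, f.dst_ip) for f in flows if f.dst_port == MEMCACHED_PORT}

def is_memcached_reflection(f: Flow, solicited: Set[Tuple[str, str]]) -> bool:
    """Large packets from port 11211 to a host that never queried that server."""
    if f.src_port != MEMCACHED_PORT or f.packets == 0:
        return False
    if (f.dst_ip, f.src_ip) in solicited:
        return False  # a genuine memcached client is allowed to receive big replies
    return f.byte_count / f.packets >= MIN_REFLECTED_PKT_BYTES

def summarize(flows: List[Flow]) -> Dict[str, object]:
    """Reflectors, victims, aggregate rate and per-reflector iptables drop rules."""
    solicited = solicited_pairs(flows)
    hits = [f for f in flows if is_memcached_reflection(f, solicited)]
    reflectors = sorted({f.src_ip for f in hits})
    total_bits = 8 * sum(f.byte_count for f in hits)
    window = max((f.seconds for f in hits), default=1.0)
    return {
        "reflectors": reflectors,
        "victims": sorted({f.dst_ip for f in hits}),
        "mbps": round(total_bits / window / 1e6, 3),
        "drop_rules": [f"iptables -A INPUT -p udp --sport {MEMCACHED_PORT} -s {ip} -j DROP"
                       for ip in reflectors],
    }
```

Scrubbing providers apply the same logic at far higher rates and usually drop all unsolicited UDP from source port 11211 rather than per reflector; the per-IP rules here keep the sample readable.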
Earlier this month, DDoS protection company NexusGuard released a research report comparing Q1 and Q2 of 2018 with the same quarters of 2017: 2018 saw a 29% uptick in the number of DDoS attacks and an internet-breaking 543% increase in average attack size, putting the new average DDoS attack at 26.37 Gbps, up from 4.10 Gbps in 2017. That means that an organization with dual 10 Gbps links in active/active would still be no match for the average DDoS attack in 2018. Based on conversations I have with customers, prospects, and other individuals in the security industry, these attacks would successfully knock most of them offline without the benefit of any mitigation or protection controls.
The reason for the surge in quantity and size of attacks should be no surprise to followers of my blog. Insecure IoT devices are mostly to blame for the rise in DDoS attacks. IoT botnets such as Mirai (of DynDNS fame), Satori, Anarchy, and Reaper are constantly being reconfigured and reprogrammed to infect more and more vulnerable devices. Security research is always a double-edged sword: it uncovers security vulnerabilities, giving companies and users the ability to patch them, while also exposing the vulnerabilities to attackers. Attackers are using vulnerabilities in devices such as MikroTik, D-Link, and GPON Dasan routers to grow their botnet armies for use in DDoS attacks. The combination of vulnerability disclosure and an average user’s inability or lack of knowledge to update an infected device means the problem will get much worse before it gets better. This problem will also be exacerbated as long as insecure IoT devices lack a self-updating mechanism. For those in the security industry, when was the last time you checked for an update on your home router? When was the last time your parents, brother, sister, son, uncle, or aunt checked for and applied a security update to their home router? I would bet a very large amount of money that there are far fewer people who patch on a regular basis than those who do.
Another explanation that should also come as no surprise to my blog followers is that the world of cyberterrorism, like the world of real-world terrorism, is subject to the law of natural selection. All of the cyberterrorists who were sloppy or failed at basic OpSec have been killed or captured, and the only ones remaining are very difficult to track and stop. Security blogger Brian Krebs keeps a nice wall of shame listing the capture and shutdown of major players in the DDoS-for-hire space, a major source of these attacks.
The State of California recently attempted to fix this problem legislatively by passing a law that requires IoT devices manufactured and sold in California after the year 2020 to follow one of two very basic, but important, security principles:
If the device uses a default password, the password must be unique to each device or
The device must prompt users to set up their own password whenever the user sets up the device for the first time
Either one of these measures would be a huge step forward in securing IoT devices. Microsoft’s Azure Sphere platform also looks promising, with a self-updating mechanism baked into the very silicon the device is built on. Lastly, practicing basic security hygiene, such as changing default passwords and blocking unused inbound ports/protocols, will also prevent exploitation of vulnerable devices. Users of an outbound security proxy will also have the ability to scrub and block any communication with the Command and Control (C2) servers often used to direct major DDoS attacks.