Australian sites wobble as DDoS attack disrupts web


DDoS is not a new form of attack in and of itself, but methods and strategies around DDoS continue to evolve in the form of larger and more orchestrated attacks, said Paul Calatayud, CTO of FireMon.

"Often, the measure of the level of sophistication of a DDoS attack comes in the form of measured throughput. The attack details are not known in this particular attack, but recent attacks against [security researcher Brian] Krebs are reported to be upwards of 620 Gbps. That is a tremendous amount of data coming at a target at once."

What causes Calatayud to pause and reflect most in regard to this breaking news is that Dyn DNS is a DNS SaaS provider whose core job is to host and manage DNS services for its clients. "The impact and harm has a ripple effect attributed to the various clients Dyn services. As attackers evaluate their targets, and organisations run to the proverbial cloud for various reasons, it introduces interesting targets for the bad guys."

So, what can be done? First, evaluating dependency on cloud providers remains a risk you cannot outsource, said Calatayud. "Begin to plan for situations where cyberattacks against you may never be directed at you, but rather organisations you come to rely upon."

In the case of this attack and DNS, having a secondary DNS service operating at the same time may have mitigated the impact to organisations even when a primary provider goes down, Calatayud said. "Cloud governance becomes an element of a CISO security program."

Will Gragido, director of advanced threat protection at data-loss prevention vendor Digital Guardian, agreed that DDoS attacks have become increasingly problematic over the last several years, particularly owing to the rise of botnets.

"Organisations all over the world fall prey to them as do individuals," he said. "In many instances, the underlying attack infrastructure is tied directly to botnets, a type of malicious code and content ecosystem family which the threat research and mitigation community has been attempting to mitigate globally for more than a decade."

Further, with the advent of the internet of things, Gragido said the potential for a botmaster to expand their botnet's size is now greater than ever before. "Increased size and diversity aids in not only allowing the botmaster to remain in business but also ensures that they are able to carry out their desired outcome when those resources are called upon to do so."

Organisations, he added, need to consider mitigative solutions (services or point products) designed to provide protection against complex, volumetric DDoS attacks on a global basis in order to withstand such attacks.

While this particular attack may not have been motivated by extortion, a new model of ransom-based attacks, infrastructure ransom-as-a-service (IRaaS), could be on the horizon, with victims motivated to pay off threats for fear of infrastructure-wide customer outages, said Thomas Pore, director of IT at malware incident response firm Plixer.

"An infrastructure outage, such as DNS, against a service provider impacting both the provider and customers may prompt a quick ransom payoff to avoid unwanted customer attrition or larger financial impact," Pore said.

Should a provider come under attack, customers suffering from the extortion impact may start looking to move their services to another provider capable of mitigating the attacks, Pore said. "This prediction model could suggest a greater financial impact from customer attrition than paying off a few bitcoin to avoid the attack to begin with."

Then what happens if these extortion attempts begin to arrive regularly? This may emerge into a new business model, with a consistent revenue stream, Pore said.

Mike Ahmadi, global director, critical systems security at major IT vendor Synopsys, said: "Despite decades of facing outages due to malformed traffic and data flooding, websites remain highly vulnerable to legacy attack vectors. Website providers need to constantly test their implementations with rigor in order to ensure that they can remain viable in an increasingly hostile environment."

The avalanche of IoT devices has created an environment where software and implementation flaws can be exploited at previously unseen levels, effectively turning them into widely distributed information weapons, Ahmadi said, adding that what may have been adequate robustness in the past no longer holds true.

As with most software designs from the 1980s, security was generally not considered when creating DNS, said Craig Young, security researcher at endpoint protection vendor Tripwire.

Rather, the infrastructure was originally designed for early networks like ARPANET to allow human-friendly names in place of traditional network addresses, Young pointed out. "Because the web is so dependent on this system, it becomes a very visible point of failure as is the case today with service provider Dyn. Without DNS, there is essentially no internet from the perspective of all but the most sophisticated users."

Young hopes that service providers will take this as a cue that they need to distribute their DNS across multiple providers to avoid this as a single point of failure.
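The multi-provider advice above can be checked mechanically. The following is an added example, not part of the original article: it reads NS answer lines in the format `dig NS` prints and flags zones whose nameservers all sit under one operator domain. The zone and nameserver names are constructed, and grouping by registrable domain is a heuristic that assumes one domain per provider.

```python
from collections import defaultdict

# Constructed sample: answer-section lines in the format `dig NS` prints.
SAMPLE_DIG_OUTPUT = """\
shop.example.   3600 IN NS ns1.provider-a.example.
shop.example.   3600 IN NS ns2.provider-a.example.
shop.example.   3600 IN NS ns3.provider-a.example.
blog.example.   3600 IN NS ns1.provider-a.example.
blog.example.   3600 IN NS dns1.provider-b.example.
"""

# Assumption: a tiny sample of two-label public suffixes. A production
# check should consult the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "net.au", "co.nz"}


def operator_of(ns_host):
    """Approximate the operator of a nameserver by its registrable domain."""
    labels = ns_host.rstrip(".").lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def parse_ns_records(text):
    """Map each zone to the set of nameserver hosts delegated for it."""
    zones = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        # Expected shape: <owner> <ttl> IN NS <target>; skip anything else.
        if len(fields) == 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            zones[fields[0].rstrip(".").lower()].add(fields[4].rstrip(".").lower())
    return dict(zones)


def audit(text):
    """Report, per zone, how many distinct operators serve its NS set."""
    report = {}
    for zone, hosts in parse_ns_records(text).items():
        operators = sorted({operator_of(h) for h in hosts})
        report[zone] = {
            "nameservers": len(hosts),
            "operators": operators,
            # Several nameservers under one operator still fail together.
            "single_provider": len(operators) < 2,
        }
    return report


if __name__ == "__main__":
    for zone, result in audit(SAMPLE_DIG_OUTPUT).items():
        print(zone, result)
```

Three nameservers at one provider still count as a single point of failure here, which is the situation the quoted advice is meant to avoid.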

"They're innovating," said Chase Cunningham, director of cyber operations at A10 Networks. "This is a new spin on an old attack, as the bad guys are finding new and innovative ways to cause further discontent."

It was interesting to see the bad guys moving upstream to launch DDoS attacks on DNS providers, instead of just on sites or applications, Cunningham said.

"Threat actors are leveraging unsecure IoT devices to launch some of history's largest DDoS attacks," said Cunningham. "The immediate solution is for manufacturers to eliminate the use of default or easy passwords to access and manage smart or connected devices."

Consumer adoption will be tricky, he admitted, but this change is critical for the greater security of all. "This response will hinder many of the global botnets that are created and deployed for malicious use."

One thing is certain, Plixer's Pore added: DDoS attacks are not going away anytime soon.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition