Who shut down Finland?
In a world where everything is connected, ordinary devices can be hijacked and used for evil purposes. Two recent serious DDoS attacks using IoT devices have shown that we may need to adopt a new attitude to security.
Last Friday, many users of some of the largest Internet services in the world such as Spotify, Twitter, Reddit, Github, New York Times, and Boston Globe experienced a serious degradation of service. The reason for this problem, it appears, was a massive Distributed Denial of Service (DDoS) attack on the widely used Internet domain name service provider Dyn.
For security watchers, this is a logical continuum to events a few weeks ago when – hiding from the public eye – two of the largest Denial of Service attacks ever seen were taking place, one in the US and the other one in France.
A denial of service (DoS) attack, unlike a data breach, seldom generates mainstream headlines. This is because it only directly affects the target organisation. The general public only sees a temporarily unreachable web site or a slow payments flow in the system.
Unlike data breaches in the US – and soon in Europe due to the General Data Protection Regulation (GDPR) – there is also no legal imperative to disclose DoS attacks. Nevertheless, for the targeted organisation they often mean significant loss of business, trust, and reputation.
The attacks against Krebsonsecurity.com, a US based security portal and OVH, a French hosting provider in late September were the largest recorded DDoS attacks in history. They are also a grim prediction of what could be coming in the future. Both attacks were executed using a very large botnet of almost 150 000 hijacked IoT devices like webcams, CCTV cameras, Digital Video Recorders (DVRs), modems, and like.
Together, these devices bombarded their targets at a data volume comparable to the entire peak-time international Internet traffic of Finland, targeted at one company.
To add insult to injury, the source code of the Internet of Things (IoT) botnet ”Mirai”, used in the September attacks was released to the public domain after these record-breaking attacks. This means that one of the meanest Distributed Denial of Service attack tools is now available for all.
Going forward, we can expect many more massive DDoS attacks from a multitude of sources, from disgruntled employees and politically motivated actors to cyber criminals extorting money in exchange of not attacking a corporation.
So, what about companies in the Nordics? Are they prepared?
The short answer is yes and no. While some companies, especially those fully dependent on their web presence, have protection in place, most others have not. And even those who have probably cannot handle the extreme volumes and highly distributed attack strategies of tens of millions hijacked devices we are going to see in the future.
In the Nordics, according to public records at least, we have yet to see anything even closely resembling the attacks at Krebs, OVH, or Dyn. But even a much smaller attack can render a web storefront or a payment system unusable for extended periods of time.
And those who have experienced a serious DDoS attack first hand can testify it’s a messy affair. Not only is the attack causing harm to end users and partners unable to connect, but the noise created by a DDoS attack can also be used as an effective smokescreen to perform other malicious activities.
Moreover, a big attack not only distracts security teams from other ongoing threats, but also draws management attention to crisis management, away from actually running the business.
In many ways, because of their often transient nature and low public interest, DDoS attacks have maybe not received the attention they deserve in terms of having protection in place. The events of past month, however, may well serve as an early warning that the attitudes will have to change.
Read more about our approach to security here