In the aftermath of Friday’s massive DDoS attack against managed DNS service provider Dyn, a host of internet security firms are asking themselves a tough question: could we have done better, or anything at all, to mitigate the damage?
Last week, hackers armed with an army of infected computers and other internet-connected devices, including DVRs and security cameras, showed the capability to flood a segment of America’s internet infrastructure with artificially created traffic, causing several prominent websites to experience connection difficulties. The scale, magnitude, effect and timeliness of this specific attack made the incident particularly significant.
“New attack methods and increased Internet bandwidth give malicious actors the ability to generate larger-scale DDoS attacks. Now, more than ever, businesses must find ways to better protect themselves,” said Carl Herberger, Radware’s Vice President of Security Solutions.
Across the U.S., in the boardrooms of companies that provide DDoS mitigation services at various levels, the increasing prevalence of these next-generation attacks has caused some to rethink their broader internal business strategy, security experts tell CyberScoop.
“Though I won’t predict the demise of some of our smaller competitors, I do think these sorts of attacks will separate the men from the boys,” Imperva Incapsula Vice President Tim Matthews told CyberScoop.
Traditionally, the way to stop a DDoS attack has been to “buy or build a big box [hardware] and use it to filter incoming traffic,” but that approach limits the amount of traffic that can be scrubbed for suspicious activity at one time, explained Cloudflare co-founder Matthew Prince. Today, industry leaders commonly rely on expansive cloud computing networks and specially tailored software that both redirects and helps filter the onslaught of internet traffic typical of a DDoS.
“What’s happened here, I think, is that the barriers to entry are becoming taller in this business,” Matthews explained, “if you’re focused on providing DDoS mitigation services in the future then you’ll need to control significant bandwidth to handle these larger attacks … unlike breach detection, DDoS mitigation is really expensive; the engineering talent and infrastructure needed to do it right is costly.”
Security researchers have been tracking the recent spread of a specific malware variant dubbed Mirai, which allows hackers to easily build up significant botnets using compromised IoT devices. The growth of Mirai and its consistent effectiveness against IoT devices, which are known to carry poor security protections, has led some to hypothesize that Friday’s attack is the new normal.
“These recent, large attacks are most likely a harbinger for what the industry will likely now face on a more regular basis,” said Akamai Senior Security Advocate Martin McKeay, “businesses that are in DDoS as a secondary or tertiary product line might start looking at it as an expensive and untenable product in the not too distant future.”
Very few internet companies outside of the likes of Amazon and Google can manage the overflow of traffic spurred by today’s largest DDoS attacks, Prince said.
Just a few years ago, the average DDoS attack was considered to be around 5 to 10 gigabytes in size — making the threat at least somewhat manageable for many enterprises’ in-house IT teams. Today, Imperva, Akamai, F5, Cloudflare, Radware and others in the mitigation market are regularly seeing attacks in the range of 500 gigabytes.
It is believed that the DDoS attack experienced by Dyn reached upwards of 1.2 terabytes.
Another unusual aspect of the Dyn case is that the DDoS was aimed squarely at an upstream service provider, meaning that not only the direct target was affected, but also the customers that rely on it for DNS services, explained A10 Networks Director of Cyber Operations Chase Cunningham.
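The dependency Cunningham describes can be checked from the defender's side: a zone whose entire set of authoritative nameservers is run by one operator goes dark with that operator, however resilient the zone owner's own servers are. The script below is an added illustration, not code from the article or from any of the companies quoted; the zone names, nameserver hostnames and the provider map are constructed sample data, and the two-label grouping heuristic is an assumption that an operator would replace with its own vendor inventory.

```python
# Added example (not from the CyberScoop article): flag zones whose NS records
# all point at a single DNS operator, the concentration risk behind the Dyn
# outage. All names below are constructed, not real records.

from collections import defaultdict

# Constructed map from nameserver parent domain to operator. In practice this
# comes from your own inventory of DNS vendors.
PROVIDER_BY_NS_DOMAIN = {
    "provider-a.example": "Provider A (managed DNS)",
    "provider-b.example": "Provider B (managed DNS)",
    "corp-dns.example": "self-hosted",
}


def ns_parent_domain(hostname: str, labels: int = 2) -> str:
    """Return the last `labels` labels of a nameserver hostname, e.g.
    'ns1.p03.provider-a.example.' -> 'provider-a.example'.
    Assumption: two labels identify the operator; public-suffix names such
    as example.co.uk would need a public suffix list instead."""
    parts = hostname.rstrip(".").lower().split(".")
    return ".".join(parts[-labels:])


def provider_of(ns_hostname: str) -> str:
    """Look up the operator for one nameserver; unknown domains are reported
    rather than silently merged into an existing provider."""
    domain = ns_parent_domain(ns_hostname)
    return PROVIDER_BY_NS_DOMAIN.get(domain, f"unknown ({domain})")


def provider_breakdown(ns_records):
    """Group one zone's NS set by operator: provider -> sorted nameservers."""
    groups = defaultdict(list)
    for ns in ns_records:
        groups[provider_of(ns)].append(ns.rstrip(".").lower())
    return {provider: sorted(hosts) for provider, hosts in groups.items()}


def single_provider_zones(zones):
    """Return the zones whose authoritative DNS sits entirely with one
    operator. Those zones inherit every outage that operator suffers."""
    return sorted(zone for zone, ns in zones.items()
                  if len(provider_breakdown(ns)) == 1)


# Constructed sample: what NS queries for three zones might return.
SAMPLE_ZONES = {
    "shop.example": ["ns1.p03.provider-a.example.", "ns2.p03.provider-a.example.",
                     "ns3.p03.provider-a.example.", "ns4.p03.provider-a.example."],
    "news.example": ["ns1.provider-a.example.", "ns2.provider-a.example.",
                     "dns1.provider-b.example.", "dns2.provider-b.example."],
    "intranet.example": ["ns1.corp-dns.example.", "ns2.corp-dns.example."],
}

if __name__ == "__main__":
    for zone, ns in SAMPLE_ZONES.items():
        print(zone, provider_breakdown(ns))
    print("single-provider zones:", single_provider_zones(SAMPLE_ZONES))
```

Four nameservers from one vendor (shop.example) look redundant but are not; news.example, split across two operators, keeps resolving if either one is knocked offline. Feeding the script real NS answers from your own zones turns the article's observation into a routine inventory check.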
“The future of DDoS mitigation will not just be about more bandwidth and more people – while that will inevitably be part of the solution, particularly in the near term, this needs to be combined with longer term industry-wide efforts to implement preventative measures,” F5’s Preston Hogue, director of security marketing and competitive intelligence, told CyberScoop.
He added, “There could be potential ways to address vulnerability through regulation for example. We can also look at ways to fingerprint or block compromised IoT devices, or develop an effective mechanism that allows for rapid push of patching or, if needed, massive product recalls.”