On Friday Oct 21st 2016 we witnessed an extremely powerful DDoS attack against Dyn that led to
the disruption of some of the world's most used Internet services including Netflix, Amazon and Salesforce.com.
This attack on the Domain Name System, or DNS, which functions as a phonebook for the Internet,
was no more sophisticated or coordinated than other, smaller-scale attacks.
The target for this attack was chosen very wisely as Dyn is a linchpin for hosting services and major providers for companies like Netflix or Salesforce.
That said, there is nothing surprising about the ability of attackers to scale their DDoS to this level of carnage. Two dimensions were used to amplify the DDoS bandwidth we witnessed:
1. The availability of higher-speed Internet service providers used by the hosts in the attack. Whether at home or through cellular networks, the upload bandwidth increases the capacity of a single participating device significantly. In the past few years it has become reasonable to expect cellular rates and home Internet upload speeds of 100 Mbits/second. This means that with 100 hosts you could rival most carriers in terms of speed, and the scales tip in the attackers' favour.
2. The (very) weak security around smart network-connected devices and mobile platforms. This contributed to a significant increase in the number of devices participating in botnets used in DDoS attacks like this one. This is where the increasing trend in weak IoT devices begins to pose the threat that analysts promised during their adoption in home and office networks.
It is safe to assume that over the next couple of years DDoS attacks will be more frequent and grow more powerful, as the bandwidth capabilities of companies offering DDoS protection services may not increase by the minimum amount required to stay ahead of the game.
These are not doomsday predictions, but a sign that the game plan in DDoS protection should shift its focus from increasing the pipe to protecting consumer endpoints against malicious threats such as malware, and to network access control on a wider scale from providers and networks across the country.
This year the security industry will grow in size by 25% on average and has once again put emphasis on endpoint protection, realizing that the actual end-user device has been left behind in the security evolution. Unfortunately, this is happening too slowly, too late, and not at a large enough scale. Advanced endpoint protection has only begun making its way into large enterprises; it is cost-prohibitive and often unavailable at the consumer level, leaving us open to repeat attacks like the one last week.
In addition, the current products still focus more on traditional desktop operating systems and less on mobile and IoT devices. IoT devices present a bigger threat because of their sheer volume and because of the open-source and rapid software development approaches traditionally used to manufacture these devices. Consumer education is also lacking, with most IoT users not realizing the security threat behind the devices they connect to home networks and the Internet.
Before effective endpoint protection solutions reach critical mass and are adopted by consumers, it will be up to Internet Service Providers to become the front line of defence against DDoS in the future. The fight is about decreasing the number of infected devices participating in botnets, not shifting inbound bandwidth to blackholes. As seen with Krebsonsecurity, some DDoS protection providers such as Akamai and Lastline cannot sustain a true targeted high-bandwidth attack forever; they are temporary mitigations which can still leave networks vulnerable. This means a service provider will need to police customers and connected devices with a solution similar to a modern NAC, where permission to connect to a network or the Internet is granted only to devices that have an acceptable minimum security configuration, and where a capability exists to disconnect devices from the network based on indicators of compromise.
While the approach may seem radical and will not be accepted by freedom-of-communications proponents, this is the only logical solution for fighting malware infections, in the same way that governments mandate vaccinations to reduce health risks to the public. The next move in the DDoS war is shifting the front line from businesses to consumers' telecommunications providers. They will define whether we can win this battle in the near future. We continue to invest in our IntelliGO technology to drive down the cost and complexity of finding and mitigating insecure device access without all-out denial of network connectivity. Our CEO, Khaled Mansour, covers this in more detail in his article on his road trip to China here.
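The provider-side NAC idea sketched above combines two inputs: a posture check against a minimum security configuration, and a match against indicators of compromise, with the outcome being a tiered access decision rather than an all-or-nothing denial. The following is an added illustration written for this page; it is not IntelliGO code or any product's implementation. The posture thresholds, the device records, and the indicator addresses (taken from the RFC 5737 documentation ranges) are all constructed for the example.

```python
"""Toy provider-side network access control (NAC) policy.

Each connected device is described by a posture record; the policy
returns one of three tiers:
  allow      - posture meets the minimum configuration, no IoC hit
  restrict   - posture is below the minimum (e.g. default credentials),
               so the device gets limited connectivity instead of full access
  quarantine - the device has contacted a known-bad address (IoC hit),
               so it is isolated until it is cleaned up
Everything below (thresholds, IoC list, sample fleet) is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed IoC feed: placeholder command-and-control addresses drawn from
# the RFC 5737 documentation ranges, not real infrastructure.
KNOWN_BAD_ADDRESSES: Set[str] = {"203.0.113.7", "198.51.100.42"}

# Assumed minimum-configuration policy values.
MAX_FIRMWARE_AGE_DAYS = 365          # firmware older than this is "stale"
RISKY_OPEN_PORTS: Set[int] = {23}    # telnet exposed to the network

ALLOW, RESTRICT, QUARANTINE = "allow", "restrict", "quarantine"


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    default_credentials: bool      # still using the factory password
    firmware_age_days: int
    open_ports: Set[int]           # services reachable from the WAN side
    recent_peers: Set[str]         # destination addresses seen from the device


def posture_findings(dev: DevicePosture) -> List[str]:
    """Return the list of minimum-configuration checks the device fails."""
    findings: List[str] = []
    if dev.default_credentials:
        findings.append("default-credentials")
    if dev.firmware_age_days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("stale-firmware")
    if dev.open_ports & RISKY_OPEN_PORTS:
        findings.append("telnet-exposed")
    return findings


def ioc_matches(dev: DevicePosture) -> Set[str]:
    """Return the known-bad addresses this device has recently talked to."""
    return dev.recent_peers & KNOWN_BAD_ADDRESSES


def decide(dev: DevicePosture) -> Tuple[str, List[str]]:
    """Combine IoC matches and posture findings into a tiered decision.

    An IoC hit outranks posture: an up-to-date device that is talking to a
    C2 address is still compromised. Posture failures alone lead to
    restricted access, not a full cut-off.
    """
    findings = posture_findings(dev)
    hits = ioc_matches(dev)
    if hits:
        reasons = findings + [f"contacted-known-bad:{addr}" for addr in sorted(hits)]
        return QUARANTINE, reasons
    if findings:
        return RESTRICT, findings
    return ALLOW, []


def evaluate_fleet(devices: List[DevicePosture]) -> Dict[str, str]:
    """Map each device id to its access tier."""
    return {dev.device_id: decide(dev)[0] for dev in devices}


# Constructed sample fleet of consumer devices behind one provider.
SAMPLE_FLEET: List[DevicePosture] = [
    DevicePosture("cam-01", True, 700, {23, 80}, {"192.0.2.10"}),
    DevicePosture("cam-02", False, 30, {443}, {"192.0.2.11", "203.0.113.7"}),
    DevicePosture("thermostat-01", False, 90, {443}, {"192.0.2.12"}),
    DevicePosture("dvr-01", False, 400, {80}, set()),
]

if __name__ == "__main__":
    for dev in SAMPLE_FLEET:
        tier, reasons = decide(dev)
        print(f"{dev.device_id:15} {tier:10} {', '.join(reasons) or '-'}")
```

Running the block prints one line per device: the camera with default credentials and exposed telnet is restricted, the camera that contacted a known-bad address is quarantined even though its posture is clean, the thermostat is allowed, and the DVR is restricted only for stale firmware. The ordering in `decide` is the design point: compromise indicators override a passing posture check, while a failing posture check on its own lowers access rather than removing it.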