DDoS in 2017: Strap yourself in for a bumpy ride
2016 sucked. 2017 won’t be much better, sorry
DDoS attacks have been around since at least 2000, and they’re not going away. In fact, as the number of devices online grows, the volume and velocity of these attacks are also increasing.
Whole industries have developed around launching and preventing DDoS campaigns as black hats and white hats battle for dominance, and 2017 promises to be the most dramatic year yet in that conflict.
Here are some predictions about what’s likely to happen in the next 12 months.
Whale-sized attacks will increase
Historically, DDoS attacks have been relatively small: the majority of attacks – 93 per cent – are below 1Gbps in size, so when large attacks do happen, they tend to show up on the radar.
We’ve seen some monster attacks in 2016 – most notably the Mirai-based attack on Brian Krebs’ Krebsonsecurity site during September that caused Akamai to withdraw support, and the attack on Dyn in October.
These mega-attacks, totalling 100Gbps or more, are likely to increase in both number and size. In its Q3 State of the Internet security report, Akamai spotted a 138 per cent increase in attacks over 100Gbps.
Expect to see more of these, especially as attackers become more devious. New attack techniques applying the Lightweight Directory Access Protocol (LDAP) could amplify DDoS attacks by 55 times, which could send already-mounting attack volumes into overdrive. Not only are we likely to see more mega-attacks, but the largest ones will push the envelope in size terms.
The IoT will become a bigger factor in DDoS
Expect to see the Internet of Things (IoT) play an important part in these attacks. Mirai, which warped DVRs into evil, traffic-spitting monsters, has already wreaked havoc in Liberia and across much of the rest of the web. And the software wasn’t even very good.
Forrester Research predicts that IoT compromises will escalate a notch in 2017, arguing that 500,000 IoT devices will suffer from a single compromise, dwarfing the Heartbleed bug of 2014.
The number of connected devices is going to increase greatly over the next few years, IDC estimates. It’s time for IoT equipment suppliers to sort out their device security, warned Kevin Lonergan, who heads up security research at IDC Canada.
“Attackers can easily gain access to these devices via unchanged default passwords and vulnerabilities in outdated firmware,” he said. “This problem is only going to get worse as connectivity is added to traditionally unconnected devices such as home appliances, cars, etc., by vendors who have little experience with creating secure code.”
Making consumers change their default configuration before an IoT device will actually work might be a good idea. The problem is that someone would have to regulate it, because vendors will be loath to do anything that introduces friction and increases customer support costs.
DDoS will overshadow ransomware attacks
As the volume of DDoS attacks increases, demand for mitigation services will increase exponentially. Nick Galletto, leader of Deloitte’s Canadian Technology Risk practice, believes that DDoS will take over from ransomware as a dominant risk to organizations worldwide.
“Even before the recent [mega-]attacks, we saw that many of our clients were experiencing some level of attacks that mostly flooded their network environment,” he said. The causes were multi-faceted, he said, adding that hacktivism played a part. Disgruntled employees were also found to have hired DDoS attack services in some cases, Galletto added.
Sub-saturating attacks will create a security vector
DDoS may take over from ransomware as a cause for concern, but it’s also worth pointing out that one may act as a diversion for the other. There’s a reason that the lion’s share of attacks operate on a relatively small (sub-saturating) scale: they could be distracting their targets while attackers compromise their systems. This has happened before. In 2015, attackers allegedly used a DDoS attack as a smokescreen to pilfer the personal details of 2.4 million customers.
Larger DDoS attacks often show up as a network accessibility problem, but companies will increasingly find themselves experiencing them as a security issue. These "dark DDoS" attacks are typically hard to detect, so companies will need to ensure that they have proper visibility over their network traffic to tease out attacks that could be an attempt to cloak something more insidious.
Extortion via DDoS on the rise
DDoS attackers are increasingly targeting companies for financial gain. Expect to see more DDoS threats in which attackers hold companies to ransom, warn experts. The DDoS mitigation firm Corero surveyed more than 100 IT professionals at the InfoSecurity Europe show in summer 2016, and found that eight in ten people expected their company to be on the sharp end of a DDoS extortion. Perhaps even more worrying is the news that 43 per cent of firms said they’d consider paying such a demand to keep their websites up and running.
These extortion attacks come from a variety of sources. The Amanda Collective was threatening companies as early as March 2016 (although its capabilities have been called into question).
DD4BC, which also uses bitcoin as the payment currency for its DDoS blackmail campaigns, has drawn the attention of Interpol.
DDoS-for-hire services will gain traction
DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack. Expect to see more of them. Why? Firstly, because they can be offered incredibly cheaply, and secondly, because there are still huge amounts of money to be made.
Often offered as ‘stressors’ – sites used to stress-test targets legitimately – DDoS-for-hire services don’t ask too many questions about whether a ‘tester’ has permission to target a site. Others openly offer DDoS services.
Stressors have been spotted in the wild offering these services for $5 an hour. In spite of the low fees, DDoS-as-a-service providers can make a pretty packet.
When the British teenager Adam Mudd was collared for offering such a service in November, he was said to have made $385,000 from 1.7 million attacks against 1.7 million addresses.
DDoS-for-hire is going to ramp up. The IoT botnets, combined with an easy money-making opportunity, will bring more of this kind of thing in 2017. Sceptical? Well, there’s already a 400,000-strong IoT zombie army for rent, using the Mirai malware.
Some of these developments are brand new, while others chart future trends from current trajectories. One thing seems likely: if you think that DDoS activity made for a crummy, stressful 2016, then you’d better strap yourself in for the coming year.