Service denied! The new cybercriminal attack that can take down the world's largest websites

Gridlock: what if web traffic jams created by cybercriminals looked like our morning commutes?

Debilitating denial of service website attacks have become a major challenge for organisations – and the problem is set to escalate.

By David Braue

Think for a moment about a route you drive frequently. Now imagine what would happen if someone changed the traffic signs to redirect a highway’s worth of traffic down one laneway. The gridlock would be the stuff of nightmares.

Industrious cybercriminals have been causing the internet’s equivalent of this problem by targeting online businesses with distributed denial of service (DDoS) attacks. These attacks render victim websites inaccessible by inundating them with so much data that their internet connection can’t cope. Essentially, they turn the internet against itself.

The most popular technique is for an attacker to request an update from another online system – for instance, the Network Time Protocol (NTP) servers that websites rely on to keep their clocks accurate – and to trick that system (typically by forging the return address on the request) into sending its reply to the computer running, say, the Australian Taxation Office (ATO) website.

The ATO would ignore the incoming data – but a big enough torrent of traffic would eventually leave little room for anything else trying to get to the website.
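As an added illustration of that mechanism from the defender's side (example code, not from the article), the script below scans constructed NetFlow-style records and flags any host that receives large NTP replies from several servers without having sent a request to them; the record format and the thresholds are assumptions.

```python
from collections import defaultdict

NTP_PORT = 123
NORMAL_NTP_PKT = 90   # assumption: an ordinary NTP reply is well under 90 bytes on the wire
MIN_REFLECTORS = 3    # assumption: replies from this many unasked servers is suspicious

# Constructed flow summaries, not captured traffic.
# Fields: src, sport, dst, dport, proto, bytes, packets
SAMPLE_FLOWS = [
    # legitimate exchange: host .10 asks a time server and gets one small reply
    ("203.0.113.10", 40123, "198.51.100.5", 123, "udp", 76, 1),
    ("198.51.100.5", 123, "203.0.113.10", 40123, "udp", 76, 1),
    # reflection flood: four time servers send big replies to host .50, which never asked
    ("198.51.100.21", 123, "203.0.113.50", 80, "udp", 48200, 100),
    ("198.51.100.22", 123, "203.0.113.50", 80, "udp", 48200, 100),
    ("198.51.100.23", 123, "203.0.113.50", 80, "udp", 48200, 100),
    ("198.51.100.24", 123, "203.0.113.50", 80, "udp", 48200, 100),
    # a single stray reply: too few reflectors to be called an attack
    ("198.51.100.9", 123, "203.0.113.60", 53, "udp", 482, 1),
    # TCP to port 123 is not NTP reflection and is ignored
    ("203.0.113.10", 44444, "198.51.100.5", 123, "tcp", 1000, 5),
]


def detect_ntp_reflection(flows, min_reflectors=MIN_REFLECTORS, normal_pkt=NORMAL_NTP_PKT):
    """Return {victim_ip: summary} for hosts receiving unsolicited, oversized NTP replies."""
    requests = set()              # (client, server) pairs where the client really sent a query
    replies = defaultdict(list)   # dst -> [(server, bytes, packets)] for traffic from UDP/123
    for src, sport, dst, dport, proto, nbytes, pkts in flows:
        if proto != "udp":
            continue
        if dport == NTP_PORT:
            requests.add((src, dst))
        elif sport == NTP_PORT:
            replies[dst].append((src, nbytes, pkts))

    findings = {}
    for victim, items in replies.items():
        # a reflected reply is one for which the victim never sent the matching request
        unsolicited = [(s, b, p) for s, b, p in items if (victim, s) not in requests]
        reflectors = {s for s, _, _ in unsolicited}
        if len(reflectors) < min_reflectors:
            continue
        total_bytes = sum(b for _, b, _ in unsolicited)
        total_pkts = sum(p for _, _, p in unsolicited)
        avg_pkt = total_bytes / total_pkts
        if avg_pkt > normal_pkt:   # amplified replies are far larger than a normal time answer
            findings[victim] = {"reflectors": len(reflectors),
                                "bytes": total_bytes, "avg_pkt": round(avg_pkt)}
    return findings


if __name__ == "__main__":
    print(detect_ntp_reflection(SAMPLE_FLOWS))
```

The same two signals (replies nobody asked for, and replies far larger than a normal answer) apply to other reflection protocols; only the port and the normal packet size change.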

By using malware to remotely unify hundreds or thousands of computers into massive “botnets” that all do the same thing at once, hackers have taken down some of the world’s largest websites.

DDoS attacks are on the rise

These attacks are growing in size and number. Recently, Akamai, a major network services firm, flagged a 138 per cent year-on-year jump in what it calls DDoS “mega attacks” involving more than 100 gigabits per second (Gbps) of traffic. Such traffic is 10,000 times the capacity of the typical business internet connection. Akamai’s report says the average DDoS target organisation was hit by 30 separate attacks during the third quarter of 2016, with the worst-affected target hit 427 times in that three-month period.

“Defending networks from data breaches has become one of the single most challenging hurdles for organisations to overcome today,” says Wendi Whitmore, a security expert who was recently appointed to lead IBM’s X-Force Incident Response and Intelligence Services (IRIS) team as part of that company’s US$200 million investment in new cybersecurity capabilities.

“No matter what business they operate in,” she adds, “our clients really face the same challenges on nearly a daily basis – especially with DDoS attacks. It’s less expensive for attackers to wage these attacks, and much more expensive for businesses to effectively defend against them.”

IBM knows the cost of DDoS attacks firsthand: the company was recently criticised in a review of the 2016 eCensus disaster in which the highly promoted eCensus website suffered a series of DDoS attacks. IBM ran the site for the Australian Bureau of Statistics (ABS). The 40-hour outage – blamed on poor communication and DDoS management processes in a post-mortem released in November 2016 – ultimately cost IBM more than A$30 million in damages.

It harmed the ABS’s reputation so badly that in a post-census survey, 33 per cent of respondents said the census results couldn’t be trusted.

Such incidents highlight just how rapidly the DDoS threat has evolved from a technical concern to a fully-fledged business risk. That’s particularly true in Australia, which DDoS specialist Nexusguard recently named as the Asia-Pacific region’s second most targeted country (China was number one). Australia’s 2570 DDoS attacks in the 2016 September quarter represented a 40 per cent jump over the previous quarter.

The latest bad guy? Mirai.

Refinements to DDoS techniques are rapidly escalating the threat. In 2015, the largest DDoS attack ever detected weighed in at 149 Gbps of traffic. In 2016, mega attacks passed the 1-terabit (1000 Gbps) threshold.

The burgeoning size of the attacks is due largely to a worrying new technique called Mirai. Mirai builds massive botnets by infecting and taking control of small internet of things (IoT) devices, such as internet routers, security cameras, sensors, alarms, drones, cars and even simple home and business appliances.

This has made Mirai frighteningly effective in attacks, such as the one in October 2016 targeting internet infrastructure provider Dyn that took clients such as Netflix, The Guardian and CNN offline. It’s the strongest DDoS attack yet recorded. Other reports suggested Mirai had effectively taken the entire country of Liberia offline for a time, two weeks after the Dyn attack.

Technology research firm Gartner pegged the total number of IoT devices at 6.4 billion in 2016 and expects this to grow to 20.8 billion by 2020, at which point more than half of major new business processes and systems will incorporate IoT features.

Mirai is freely available online and is credited with infecting over 490,000 IoT devices, which are renowned for their poor security. At the August 2016 DEF CON hacker conference in Las Vegas, researchers highlighted 47 new security vulnerabilities affecting 23 IoT devices from 21 manufacturers.

A recent report from security firm Zscaler singled out the threat from security cameras, which are capable of transmitting large volumes of video data. If a substantial number of those cameras are tricked into flooding a website with data, that site won’t stay online for long.

All signs suggest DDoS attacks will get worse. It has become so easy to launch a DDoS attack against a business rival that readily available “DDoS as a service” sites will do the dirty work for nothing more than a nominal credit card payment. It’s little wonder that security specialists have flagged IoT as a game-changer, with Nexusguard chief scientist Terrence Gareau advising companies to “completely rethink their cybersecurity strategies”.

How to counter the problem

There are ways to fight back. Many internet service providers, for example, offer DDoS blocking to stop such attacks before they get near your business. Simple changes such as resetting default passwords can prevent Mirai from commandeering your IoT devices. Third-party security providers can kickstart a response before you’ve even picked up the phone.

Nonetheless, hackers have proven remarkably adept at circumventing new defences. As the government’s census review found, many companies are far less prepared to handle debilitating DDoS attacks than they believe.

For businesses that depend on being available online, growing risk has made further inaction on DDoS attacks simply untenable.

February 2017