One Friday morning in October, internet users across both the U.S. and Europe sat in front of their monitors in confusion as most of their favourite websites seemed to be completely shut down or crippled to slower than dial-up speeds. Major sites like Twitter, Pinterest, Reddit, PayPal, GitHub, Etsy, Tumblr, Spotify, and more all seemed to be brought to their knees for much of the day on October 21, 2016.
The attack targeted Dyn, a company that provides domain name system (DNS) infrastructure to other companies, which is why it affected so many major websites at once. In a year packed with an increasing volume of cyber-attacks, the event turned out to be the largest distributed denial of service (DDoS) attack ever coordinated. And by every indication, DDoS attacks will continue to grow in frequency and strength and pose one of the greatest security challenges in the coming year.
The toll for businesses
A DDoS attack is one in which the attacker overwhelms a site with so much phony traffic that legitimate users can't get through. Typically, networks of infected computers called "botnets" are used in a coordinated attack to flood the target.
From their more humble days in the mid-1990s, DDoS attacks have grown in both frequency and scale to become one of the most pressing problems for security teams today. According to Akamai, DDoS attacks increased 71 percent in Q3 2016 compared to Q3 2015. And Q4 2016 will likely see an uptick in attacks, as the holiday season has long been characterised by an increased threat of attacks.
For over half of companies, a DDoS attack will cost up to $20,000 (£16,000, €19,000) in a single hour. And 49 percent of attacks last between 6 and 24 hours. But beyond the loss of traffic, even more repercussions threaten lasting damage to the company. Businesses could lose customer trust and confidence, they may suffer theft of sensitive customer data or intellectual property, or be forced to deal with costly and time-consuming hardware and software repairs.
Making their way into our smart gadgets
The particular cyber-attack on Dyn used a weapon called the Mirai botnet, which took over internet of things (IoT) devices to help it execute the attack. Unsecured gadgets like smart refrigerators and cameras could all have helped execute the attack that day. In September, the Mirai botnet was also responsible for a massive DDoS attack against the security blog Krebs on Security.
What's the biggest takeaway for everyone in the wake of these events? Secure your internet-connected devices so they don't turn into a weapon for the next attack. One of the easiest things you can do is to change the device's preset password. The fact that so many people don't change this password is the primary reason attacks using IoT devices can be so effective and large in scale. The U.S. Federal Trade Commission also provides more advice for securing your IoT device.
Authorities step in to curb crime
Though DDoS attacks show no sign of abating anytime soon, it's not all bad news on this front. Earlier this month, Europol teamed up with law enforcement authorities from 13 countries and arrested 34 criminals in a massive coordinated sting of DDoS service buyers. It's the first time authorities targeted people purchasing DDoS-for-hire services with the intent of carrying out attacks on a target of their choosing.
As many of the suspects were young adults under 20, the effort aimed as much to teach youth about the dangers of engaging in cybercrime as to prevent the attacks themselves. According to Steven Wilson, Head of Europol's European Cybercrime Centre (EC3), "One of the key priorities of law enforcement should be to engage with these young people to prevent them from pursuing a criminal path, helping them understand how they can use their skills for a more constructive purpose."