It sounded like something from a sci-fi thriller, but it was all too real. Several popular Internet websites were taken offline during a massive DDoS (Distributed Denial of Service) attack. The attackers used unprotected IoT devices such as surveillance cameras, DVRs and printers with weak security settings. Among the websites and services affected on Friday were The New York Times, Twitter, Spotify, Reddit and even the BBC.
DNS firm Dyn in New Hampshire was the target for this epic cyberattack. Dyn’s clients were out of service for about two hours on Friday. After the websites went back online, millions of users around the world went to Twitter to vent.
Millions of IP Addresses Involved in the IoT Cyberattack
After getting the situation under control, Dyn reported this was no amateur attack. Initially, their engineers observed tens of millions of IP addresses involved, across multiple attack vectors and Internet locations. A subsequent report attributed the attack to roughly 100,000 malicious endpoints infected with the Mirai malware. According to a Dyn news release, the attack generated compounding recursive DNS retry traffic, which further exacerbated its impact, and there were some reports of a magnitude in the 1.2 Tbps range.
The Mirai malware was involved in another large-scale attack last month, when a DDoS attack took down KrebsOnSecurity, the website of security researcher Brian Krebs. Since then, the malware's author has released its source code publicly, which has led to a surge in Mirai-based incidents.
The recent attack is likely to give consumers the chills where smart home devices are concerned. Research shows IoT devices are increasingly popular, but users still feel uneasy about them. More than that, it should serve as a lesson to business continuity experts: as they build their checklist of things to be ready for, IoT now belongs in the mix.
Business Continuity Planning: Preparing For a DDoS Attack
A lot of the planning in business continuity is built around “what data can you afford to lose?” With cyberattacks, the burning question is instead how to get services back online as soon as possible. Any IT consultants and managed services providers that shepherd business networks now need to take IoT security and DDoS attack mitigation into consideration when planning for disaster.
DDoS attacks are more than a nuisance. Beyond taking services offline, they cause other problems as well:
- Reputation damage;
- Lost revenue (in eCommerce);
- Customer dissatisfaction;
- Legal repercussions.
Cybercrime is the fastest growing cause of data center outages, accounting for 22% of incidents in 2016, statistics show. And as cybercrime gets bigger, business owners need to get smarter about security and business continuity, to make sure they stay online even in the most dire situations.
Preventing a DDoS Attack
For business continuity planning, there are two major strategies regarding DDoS attacks: one is prevention, and the other is creating an incident response plan. Both have been covered extensively here on the Recovery Zone.
Networks and devices must be password-protected, and never with the factory defaults. A 2016 report from security firm ESET shows that weak passwords continue to pose an important security risk, and Mirai exploited exactly that: it scanned for devices exposing telnet and logged in with a short list of default username and password pairs. So make sure passwords are not “pass123”, change every default credential before a device goes on the network, and never store passwords in plain text where they can be read over the network.
Protection for smart devices. Gone is the era when a server and a few desktops were the company network. Today, a fleet of laptops, mobile devices, and even cameras and printers are the “new network”, all with a connection to the Internet. Every one of them can be recruited into a DDoS botnet. Having a plan to secure these devices is a must: inventory them, change default credentials, keep firmware patched, and disable remote-management services such as telnet that they do not need.
Setting up a firewall is good protection against attacks – as the saying goes, good fences make good neighbours. Veteran IT professionals will use a dedicated firewall rather than relying on the router's built-in filtering, so that its only concern is enforcing policy. Some will segment the network with multiple firewalls, which is exactly what IoT calls for: cameras and printers belong in their own segment, unable to reach the Internet except for the few connections they need, so that a compromised device cannot join an attack or be reached from outside.
Response Rate Limiting (RRL) on DNS servers. RRL caps how many identical responses a DNS server sends to the same client network per second, dropping or truncating the excess. It is a very efficient defence against reflection attacks, where spoofed queries make your server flood a victim, and against a single network hammering one name. It is far less effective against a flood of distinct queries from 100,000 real devices in different networks, because each source gets its own allowance. Friday's attack was that worst case: multiple attack vectors from many locations at once.
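To make the mechanism and its limits concrete, here is an added Python simulation of response rate limiting. It is not code from Dyn or from the original post; it assumes BIND-style settings of 5 responses per second, a 5-second window and a slip of 2, buckets clients per IPv4 /24, and runs over two constructed query logs: a reflection-style flood of one name from one /24, and a few queries each from 100 different /24s.

```python
"""Added example: a simulation of DNS Response Rate Limiting (RRL)."""
import ipaddress
from collections import Counter

# Assumed settings for this simulation. A BIND "rate-limit {}" block takes the
# same three knobs; these values are illustrative, not Dyn's configuration.
RESPONSES_PER_SECOND = 5
WINDOW_SECONDS = 5
SLIP = 2             # every 2nd limited response is sent truncated instead of dropped
CLIENT_PREFIX = 24   # clients are bucketed per IPv4 /24, as BIND does by default


def bucket_key(client_ip, qname, rcode):
    """Identical responses to one client block share a single credit bucket.
    (Simplified: BIND groups error responses by zone rather than by qname.)"""
    block = ipaddress.ip_network(f"{client_ip}/{CLIENT_PREFIX}", strict=False)
    return (str(block), qname.lower().rstrip("."), rcode)


class ResponseRateLimiter:
    def __init__(self, rps=RESPONSES_PER_SECOND, window=WINDOW_SECONDS, slip=SLIP):
        self.rps, self.window, self.slip = rps, window, slip
        self.buckets = {}         # key -> (credit balance, timestamp of last update)
        self.limited = Counter()  # key -> limited responses so far, drives "slip"

    def decide(self, ts, client_ip, qname, rcode):
        """Return "answer", "truncate" (TC=1 reply) or "drop" for one query."""
        key = bucket_key(client_ip, qname, rcode)
        balance, last = self.buckets.get(key, (self.rps, ts))
        # Credit accrues at rps per second but never banks more than window*rps,
        # so a burst after a quiet period is still bounded.
        balance = min(balance + (ts - last) * self.rps, self.window * self.rps)
        if balance > 0:
            self.buckets[key] = (balance - 1, ts)
            return "answer"
        # Over the limit: let the balance go negative (bounded) so a sustained
        # flood stays limited, then drop silently or "slip" a truncated reply.
        self.buckets[key] = (max(balance - 1, -self.window * self.rps), ts)
        self.limited[key] += 1
        if self.slip and self.limited[key] % self.slip == 0:
            return "truncate"  # a real client retries over TCP; a spoofed one cannot
        return "drop"


def run(limiter, queries):
    """queries: (timestamp, client_ip, qname, rcode) tuples -> dict of decision counts."""
    return dict(Counter(limiter.decide(*q) for q in queries))


def reflection_flood():
    """Constructed log: 60 spoofed queries for one name from one /24 in a single
    second (a reflection/amplification pattern), plus a legitimate client."""
    spoofed = [(100, f"203.0.113.{i}", "example.com", "NOERROR") for i in range(1, 61)]
    legit = [(100, "198.51.100.7", "www.example.com", "NOERROR"),
             (101, "198.51.100.7", "www.example.com", "NOERROR")]
    return spoofed + legit


def distributed_flood():
    """Constructed log: 400 queries for distinct names from 100 different /24s,
    four per network, the shape of a flood from a large botnet."""
    return [(200, f"198.18.{i}.5", f"host{i}-{j}.example.com", "NXDOMAIN")
            for i in range(100) for j in range(4)]


if __name__ == "__main__":
    # Reflection flood: 5 answered, the other 55 dropped or truncated; the
    # legitimate client in another /24 is unaffected.
    print("reflection flood:", run(ResponseRateLimiter(), reflection_flood()))
    # Every source gets its own allowance, so RRL answers all 400 of these.
    print("distributed flood:", run(ResponseRateLimiter(), distributed_flood()))
```

The second run is the caveat in numbers: RRL never sees a problem when each client network stays under its allowance, which is what a botnet of 100,000 devices looks like from any one authoritative server. The slip behaviour is what keeps RRL safe for real users caught in a limited bucket, since a truncated reply tells a genuine resolver to retry over TCP, which a spoofed source cannot complete.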
Incident Response Strategies for DDoS Attacks
Incidents like the one on Friday show that no preventive measures will be 100% effective. To properly protect a business from outages, IT professionals and managers need to have a solid business continuity strategy and to know the when, where, and how to respond. As usual, the best defences lie in the network administrator’s know-how and experience. Great IT consultants will know how to:
Correctly identify the DDoS attack. Signs include unusually slow network performance, websites becoming unavailable, or a dramatic increase in spam e-mail received (an e-mail bomb). Check the traffic first: a sudden jump in request volume from many sources points to an attack, while an outage with normal traffic levels points to a fault.
Ask for help from the ISP. Internet Service Providers see traffic in aggregate and can often spot a DDoS attack upstream, before it saturates the target's link. They can filter the bad requests aimed at the attacked website, or route traffic through scrubbing, and let only legitimate requests through. Many contracts with ISPs cover this type of situation, so smart IT professionals will check what theirs includes and know whom to call before an attack starts.
Blacklist, whitelist. Knowing who your friends and your enemies are is good information, and you can use it to filter your Internet traffic as well. Whitelisting your most important customers makes sure they keep priority when traffic to your website is high. Blacklisting known malicious traffic helps keep it away, with one caveat: against 100,000 sources, blacklisting single IP addresses does not scale, so block by network range or by the request pattern the bots share.
Use cloud services to keep businesses running. Businesses can put a CDN or cloud DDoS mitigation service in front of their web servers to absorb the overflow in traffic and serve cached content during heavy usage. Since Friday's attack hit a DNS provider rather than the websites themselves, the same thinking applies to DNS: having a second provider means one outage does not take the whole business offline.
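As an added example (not code from the original post), here is a Python triage script covering two of the steps above: recognising the attack from the web-server access log, and sorting sources into whitelist, blacklist and everything else. It runs over a constructed log sample in the Apache/nginx combined format; the addresses, the baseline rate of 2 requests per second and the thresholds are assumptions for the illustration.

```python
"""Added example: DDoS triage over a constructed web-server access log."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; malformed lines are skipped, not fatal.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def build_sample_log():
    """Constructed sample (documentation address ranges): two normal page hits,
    one stray curl, then identical requests from 60 sources over two seconds."""
    def line(ip, ts, path, status, ua):
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'
    bot_ua = "Mozilla/4.0 (compatible; MSIE 6.0)"
    lines = [
        line("198.51.100.7", "21/Oct/2016:11:10:00 +0000", "/index.html", 200, "Mozilla/5.0"),
        line("198.51.100.7", "21/Oct/2016:11:10:00 +0000", "/css/site.css", 200, "Mozilla/5.0"),
        line("203.0.113.200", "21/Oct/2016:11:10:02 +0000", "/about.html", 200, "curl/7.50.0"),
    ]
    lines += [line(f"203.0.113.{i}", "21/Oct/2016:11:10:01 +0000", "/search?q=dyn", 503, bot_ua)
              for i in range(1, 41)]
    lines += [line(f"192.0.2.{i}", "21/Oct/2016:11:10:02 +0000", "/search?q=dyn", 503, bot_ua)
              for i in range(1, 21)]
    return "\n".join(lines)


def parse_log(text):
    """Parse combined-format lines into dicts; the timestamp becomes an aware datetime."""
    records = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append(rec)
    return records


def find_spikes(records, baseline_rps, factor=10):
    """Seconds whose request count exceeds factor x the normal rate: the first
    sign of a volumetric attack, as opposed to a slow backend."""
    per_second = Counter(r["ts"].isoformat() for r in records)
    return {sec: n for sec, n in sorted(per_second.items()) if n > baseline_rps * factor}


def classify_sources(records, allowlist, blocklist, min_ips_per_signature=10):
    """Decide per source IP: whitelisted customers always pass, blacklisted
    networks are dropped, and otherwise a request signature (path + user agent)
    shared by many distinct IPs marks bot traffic even when each bot sends little."""
    allow = [ipaddress.ip_network(n) for n in allowlist]
    block = [ipaddress.ip_network(n) for n in blocklist]
    ips_by_sig, sigs_by_ip = defaultdict(set), defaultdict(set)
    for r in records:
        sig = (r["path"], r["ua"])
        ips_by_sig[sig].add(r["ip"])
        sigs_by_ip[r["ip"]].add(sig)
    actions = {}
    for ip, sigs in sigs_by_ip.items():
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in allow):
            actions[ip] = "allowlist"
        elif any(addr in n for n in block):
            actions[ip] = "blocklist"
        elif any(len(ips_by_sig[s]) >= min_ips_per_signature for s in sigs):
            actions[ip] = "bot-signature"
        else:
            actions[ip] = "pass"
    return actions


def summarize(actions):
    """Count how many sources landed in each action."""
    return dict(Counter(actions.values()))


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("spikes:", find_spikes(recs, baseline_rps=2))
    acts = classify_sources(recs, allowlist=["198.51.100.0/24"], blocklist=["192.0.2.0/24"])
    print("actions:", summarize(acts))
```

The signature check is the part that matters for an attack like Friday's: in a botnet flood each device may send only a handful of requests, so a per-IP rate limit sees nothing unusual, and what stands out is thousands of addresses sending the same request with the same user agent. The whitelist is checked first so that a key customer is never caught by a coarse blocking rule.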
As always, prevention beats scrambling after the fact. Let us know if you know of any other good tactics to prevent DDoS attacks.