In recent months the world has witnessed the rise of new, significant high-volume distributed denial of service (DDoS) attacks. With 2016 nearly in the rear-view mirror, at Corero we are preparing for a very busy year ahead. Our threat predictions for 2017 include:
- Terabit-scale DDoS attacks will become the new norm, impacting ISPs and the Internet backbone itself
- Novel zero-day reflection and amplification attacks will appear with more frequency, enabling more sophisticated and targeted attacks
- DDoS attacks will become a top security priority, with increased disruption to businesses and government due to rising threat levels
The Mirai botnet, which was responsible for a string of attacks in recent months, including the DDoS attack against DNS provider Dyn in October, will continue to evolve as hackers take advantage of the millions of poorly-secured, Internet-connected devices currently in use worldwide. In terms of its size, the Mirai botnet is currently believed to have a population of around 300,000 compromised devices, but its population could increase significantly if hackers amend the source code to include root credentials for other types of vulnerable devices.
Corero predicts that the Mirai botnet will also become more complex in 2017, as hackers evolve and adapt the original package, equipping it with new DDoS attack methods. Mirai is currently believed to contain around ten different DDoS attack techniques – or vectors – which can be utilized by hackers to initiate an attack. We believe this will increase during 2017 as attackers develop new methods, and then make them open source and available for anyone to use.
While the Mirai botnet is certainly fearsome in terms of its size, its capacity to wreak havoc is also dictated by the various attack vectors it employs. If a variety of new and complex techniques were added to its arsenal next year, we may see a substantial escalation in the already dangerous DDoS landscape, with the potential for frequent, terabit-scale DDoS events that significantly disrupt Internet availability.
The motivations for DDoS attacks are endless, and the range of potential political and economic fallout from such attacks could be far-reaching. Our entire digital economy depends upon access to the Internet, so organizations should think carefully about business continuity in the wake of such events. For example, it may be prudent to have back-up telephone systems in place to communicate with customers, rather than relying solely on VoIP systems, which could also be taken down in the event of an attack.
As an example of the pace of change in the DDoS landscape, the Corero Security Operations Center recently warned of an extremely powerful new zero-day DDoS attack vector which utilizes the Lightweight Directory Access Protocol (LDAP), and has the potential to amplify attacks by as much as 55x.
Certainly the Internet community needs to prepare for potent attack vectors like this to be added to botnets like Mirai. The combination of zero-day DDoS vectors, Mirai delivery mechanisms and attacker ingenuity would seem to indicate that terabit-scale attacks could occur more frequently next year, and Internet availability in states, major geographic regions or even countries could be impacted significantly. Individual DDoS attacks, on average, cost large enterprises $444,000 per incident in lost business and IT spending, so the combined economic impact from an entire region being affected would be extremely damaging.
ISPs Must Play a Role in Reducing DDoS Attacks
In the wake of recent IoT-related DDoS attacks many have encouraged manufacturers to install proper security controls on internet-connected devices before they are issued. That’s a step in the right direction, but ISPs also have an important role to play in reducing the number of future DDoS attacks.
At a local level, ISPs could significantly reduce the overall volume of DDoS attacks across their networks by employing systems to detect and remediate infected bots that are used to launch DDoS attacks. Furthermore, they can leverage best practices such as ingress filtering to remove the problem of spoofed IP addresses that are widely used in reflection DDoS attacks. This simple improvement to service provider hygiene would be a great initial step towards reducing the overall volume of DDoS traffic. These steps can’t protect against the full spectrum of DDoS attacks, but they would speed up the global response to attacks.
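To make the ingress filtering recommendation concrete, here is an added illustration (not Corero's code or product logic) of the check a provider edge applies: a packet arriving on a customer-facing interface is only forwarded if its source address falls inside the prefixes delegated to that customer, so spoofed sources used for reflection never leave the access network. The interface names, prefix assignments and flow records are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical customer-edge assignment table: ingress interface -> prefixes the
# provider delegated to that customer. Constructed sample data for this example.
CUSTOMER_PREFIXES: Dict[str, List[ipaddress._BaseNetwork]] = {
    "ge-0/0/1": [ipaddress.ip_network("198.51.100.0/24")],
    "ge-0/0/2": [ipaddress.ip_network("203.0.113.0/25"),
                 ipaddress.ip_network("203.0.113.128/26"),
                 ipaddress.ip_network("2001:db8:10::/48")],
}

# Constructed flow records: (ingress_interface, src_ip, dst_ip, dst_port, bytes).
# The two port-389 flows imitate what an LDAP reflection request looks like at the
# edge: a small packet whose source is the intended victim, not the customer.
SAMPLE_FLOWS: List[Tuple[str, str, str, int, int]] = [
    ("ge-0/0/1", "198.51.100.7", "192.0.2.10", 443, 1500),
    ("ge-0/0/1", "192.0.2.55", "192.0.2.44", 389, 64),     # source is not this customer's
    ("ge-0/0/2", "203.0.113.200", "192.0.2.44", 389, 64),  # outside both delegated blocks
    ("ge-0/0/2", "203.0.113.130", "192.0.2.20", 53, 80),
    ("ge-0/0/2", "2001:db8:10::5", "2001:db8:2::1", 443, 900),
]


def is_spoofed(interface: str, src_ip: str) -> bool:
    """True if src_ip is not within any prefix delegated to the interface's customer."""
    prefixes = CUSTOMER_PREFIXES.get(interface)
    if prefixes is None:
        return True  # unknown interface: fail closed rather than forward blindly
    addr = ipaddress.ip_address(src_ip)
    # A v6 address is never "in" a v4 network (and vice versa), so mixed families
    # are handled without special-casing.
    return not any(addr in prefix for prefix in prefixes)


def filter_flows(flows):
    """Split flows into those the edge forwards and those ingress filtering drops."""
    accepted, dropped = [], []
    for flow in flows:
        (dropped if is_spoofed(flow[0], flow[1]) else accepted).append(flow)
    return accepted, dropped


def spoofed_sources_per_interface(flows) -> Dict[str, int]:
    """Count dropped flows per interface: a rising count points at an infected bot."""
    counts: Dict[str, int] = {}
    for iface, src, *_ in flows:
        if is_spoofed(iface, src):
            counts[iface] = counts.get(iface, 0) + 1
    return counts
```

The per-interface counts are the detection signal the paragraph alludes to: the filter stops the spoofed traffic, and the drop counters tell the operator which customer port is hosting a bot that needs remediation.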
ISPs will find themselves at an important crossroads next year. By working together with governments and the international community, ISPs can strengthen the underpinning infrastructure of the Internet and significantly reduce the volume of malicious traffic flowing across their networks.
It is human nature to reflect on the past and wonder about the future. The good news is that the Internet community is paying attention and network operators, in particular, are actively looking for ways to address this issue. From the conversations I have been having, I see good reason to be optimistic and I am hopeful that the number of volumetric DDoS attacks in two or three years’ time will be significantly reduced through the combined efforts of ISPs, device manufacturers, security vendors and even government entities. As the IT security community rallies together to better protect the integrity of the Internet, we may make tremendous progress in defending against DDoS attacks.