DDoS Botnets are Back and Poised to Do Damage
DDoS attacks have been among the top cybersecurity threats in recent years, and have the potential to cause wide scale disruption of internet services. The massive attack on DNS provider Dyn in 2016 caused outages to popular websites like Twitter and Netflix and affected millions of users worldwide. Various other enterprises including financial institutions, video game companies, and news websites have fallen victim to DDoS and all had to weather downtime caused by the attacks.
Though other cyber-attack methods like ransomware and data breaches have taken the spotlight these past couple of years, the threat of DDoS still persists and stronger than ever. While better security solutions and anti DDoS techniques are now available to thwart attacks, hackers are still keen on tweaking their tools and techniques to continue causing harm.
DDoS is seeing resurgence as of late and the potential damage caused by these new attacks are also significant. Attacks of at least 100 gigabytes per second (Gbps) increased by 967 percentin Q1 2019 compared to a year ago.
DDoS and Botnets
Massive DDoS attacks have largely been made possible by botnets – swarms of malware-infected devices or “zombies” – that can be controlled by hackers to launch attacks on targets. Botnets essentially pool together the computing resources and bandwidth from zombies to overwhelm even the best equipped networks.
A SYN flood DDoS attack, for example, exploits the mechanics of the standard TCP protocol – the very protocol used for web browsing, email, and file transfers. During an attack, each zombie device on the botnet sends a SYN request to server. The server then acknowledges the request and sends back a SYN-ACK response. Conventionally, the device should respond with an ACK to establish the connection.
However, in a SYN flood, the zombies would not send this ACK response back to the server. Or, the malware could spoof IP address of the SYN request so that the server wouldn’t receive the response at all. This process is repeated across all zombies on the botnet. As requests pile up, the server would eventually run out of resources causing it to crash and prevent all other legitimate connections from being established.
The Mirai botnet, which has infected tens of thousands of wireless devices, network appliances, and IP cameras, is capable of performing various flood attacks aside from SYN floods. Its source code is readily available online which allows hackers to readily use or modify the malware to take over more devices. New variants have been detected making its rounds online and these are capable of compromising a wider variety of internet-connected hardware.
Potential Damage Increases
This year, a DDoS attack thwarted by security provider Imperva reached a peak rate of 652 million packets per second (Mpps). This is considered the most intense attack on record and is five times the intensity of the GitHub attack which is currently the biggest DDoS by data transmission.
Just this April, cryptocurrency wallet Electrum was also affected by a malware attack which turned devices on its network into zombies. Electrum users were prompted to install a fake update which infected their devices with malware. This not only made user devices part of a massive DDoS botnet, but the malware also stole cryptocurrencies stored in users’ wallets. Around 152,000 devices were said to have been infected while over $4.6 million in cryptocurrencies have been stolen by attackers.
Also recently, a threat actor who goes by online alias “Subby” was reported to have taken over 29 IoT botnets. While the combined size of the botnets are only capable of launching around 300 Gbps attacks, it can still be a significant enough threat to affect most networks.
These latest episodes of malware infection and DDoS attacks underscore how botnets remain a major threat to cybersecurity. The continued evolution of DDoS malware may soon result in botnets capable of pooling enough resources to launch attacks that will rewrite the record books once again.
Costs of Falling Victim are Still Significant
This has put enterprises back on edge as they’ve become quite wary of falling victim to DDoS. A single attack can cause downtime, loss of business, and negative perception – all of which can have significant impact on their operations.
Depending on the size of the enterprise, a DDoS attack can cost a business tens of thousands of dollars in downtime alone. In the UK, DDoS is expected to cost its economy more than £1 billion in damages in 2019 as downtime from each attack is estimated to exceed £140,000. Dealing with DDoS may also require other actions such as recovery, security audits, and public relations.
Because of this financial impact, DDoS has become a way to commit industrial sabotage. One can simply acquire DDoS-for-hire services on the dark web to cripple a target company’s online activities and cost them financially in the process. Hacktivists have also been known to launch DDoS attacks on corporate targets as means to protest or advance political agenda.
Implementing Security is a Must
Fortunately, the cybersecurity community has been actively improving means to mitigate DDoS attacks. Internet services are now investing on better infrastructure to have enough bandwidth and network capacity to weather DDoS attacks.
Security solutions like WAFs and DDoS mitigation have also become smarter. They now feature better algorithms to filter out malicious traffic. Crypto-based mechanisms are even being explored to combat DDoS.
But to lessen the threat of botnets, it’s critical for users to be more conscious of their own security. A major contributor to the explosion of botnets is the poor security of many devices. The market has recently seen a surge in cheap internet-capable devices, many of which have poor security features. Other users are also remiss in changing default administrator credentials on their devices which make it easy for malware spread across networks.
Protecting internet-connected devices should greatly help lessen exposure. Even actions like using more secure passwords and applying timely patches and updates could prevent malware from spreading.
The threat of cyberattacks and DDoS will continue to be present. So, everyone stands to benefit should computer users put in more effort to securing their devices and networks.