Dave Larson, CTO/COO, Corero Network Security

2016 marked a turning point for DDoS, as attacks reached new heights in terms of both size and complexity. The Mirai botnet showed us just how powerful an Internet of Things-powered DDoS attack could really be, with the unprecedented onslaught against DNS provider Dyn on 30 September. Overnight, the security considerations around connected devices went from being something that security consultants have long warned about, into a hot button issue that could no longer be ignored. But how could this threat continue to evolve over the coming year? Massive, Terabit-scale DDoS attacks will likely become the new normal in the year ahead, with far-reaching implications and the potential to impact the internet backbone itself. So how exactly could this take shape, and how can organisations best protect themselves?

The Mirai attacks were transformational in terms of size – never before have we seen such large-scale attacks in open view. But this could just be the tip of the iceberg. The majority of IoT devices have so little security in place, with simple default passwords, that they are effectively sitting ducks, just waiting to be compromised and enslaved into a botnet for use in DDoS events. In terms of its size, the Mirai botnet is currently believed to have a population of around 300,000 internet-connected devices, but its population could increase significantly if hackers amend the source code to include root credentials for other types of vulnerable devices. Gartner predicts that there will be 21 billion IoT devices in use by 2020, so there is really no limit to the scale of future attacks.

However, while Mirai is certainly fearsome in terms of its size, its capacity to wreak havoc is also dictated by the variety of DDoS techniques it employs. There are currently around ten different attack vectors contained within the Mirai source code, but this could increase significantly this year as attackers develop new methods, and then make them open source and available for anyone to leverage. In October 2016, the Corero Security Operations Centre warned of an extremely powerful new zero-day DDoS attack vector, which utilises the Lightweight Directory Access Protocol (LDAP), and has the potential to amplify attacks by as much as 55x. If potent attack vectors like this are added to botnets like Mirai, it's easy to see how Terabit-scale attacks could become increasingly frequent next year, with widespread implications. Internet availability in major geographic regions or even entire countries could be impacted significantly. With individual DDoS attacks typically costing large enterprises US$ 444,000 (£357,000) per incident in lost business and IT spending, the combined economic impact from an entire region being affected would be extremely damaging.

These increased threats will mean that defending against DDoS attacks will become a top security priority for any organisation that relies on the Internet to conduct business. Following the Mirai attack against Dyn, ‘taking down the internet’ sounds less like a prediction from Bruce Schneier and more like reality. Our entire digital economy depends upon access to the internet, and so organisations will need to think carefully about business continuity in the wake of such events. For example, it may be prudent to have back-up telephone systems in place to communicate with customers, rather than relying solely on VoIP systems, which could also be taken down in the event of an attack.

So how can organisations defend against such attacks? In preparing a robust defence against botnets like Mirai, it's important to consider how they work. A botnet effectively acts like a giant cloud computer: attacks are launched and then disappear without leaving enough information for victims to trace their origins. This leaves organisations with little choice but to defend themselves at the edges of the network. Legacy out-of-band scrubbing solutions, which require human intervention and reactive countermeasures to remove the attack, will not be successful, and using such systems will also allow hackers to experiment on your networks undetected, finding vulnerabilities and testing new methods through smaller, hidden attacks that don't meet the threshold for scrubbing.

The only proper defence is to use an automatic, always-on, in-line DDoS mitigation system, which can monitor all traffic in real time, negate the flood of attack traffic at the internet edge, eliminate service outages and allow security personnel to focus on uncovering any subsequent malicious activity, such as data breaches. This type of in-line, always-on protection can come in various forms – either on-premises, or purchased as a security service from an upstream provider. It is only through deploying these real-time solutions that organisations will be able to identify and mitigate the most serious botnet-driven DDoS attacks on their networks in the years ahead.
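To make the contrast between threshold-triggered scrubbing and always-on in-line analysis concrete, here is an added example (not code from the article or from Corero) that runs both approaches over a handful of constructed flow records: a small reflected-LDAP probe well below any scrubbing trigger, alongside ordinary DNS traffic. The flow fields, the 1 Gbps scrubbing threshold and the 10x alert ratio are all assumptions chosen for illustration.

```python
"""Added example: volume-threshold scrubbing trigger vs. per-flow
amplification analysis. All flow records below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str         # responding server (reflector) address
    dst: str         # address receiving the reflected traffic
    proto: str       # transport protocol, e.g. "udp"
    sport: int       # server port, e.g. 389 for LDAP, 53 for DNS
    req_bytes: int   # bytes sent towards the server (the request)
    resp_bytes: int  # bytes the server sent back
    mbps: float      # observed rate of the response traffic


# Constructed sample: a low-rate reflected-LDAP probe plus normal DNS traffic.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", "203.0.113.5", "udp", 389, 52, 2_860, 12.0),
    Flow("198.51.100.11", "203.0.113.5", "udp", 389, 52, 2_912, 11.5),
    Flow("198.51.100.12", "203.0.113.5", "udp", 53, 64, 120, 0.3),
]

SCRUB_THRESHOLD_MBPS = 1_000.0  # hypothetical out-of-band scrubbing trigger
AMP_RATIO_ALERT = 10.0          # hypothetical: flag responses >= 10x the request


def threshold_scrubbing_would_trigger(flows, threshold=SCRUB_THRESHOLD_MBPS):
    """Legacy approach: only the total inbound rate per destination matters,
    so a small probe never reaches the trigger and is never seen."""
    per_dst = defaultdict(float)
    for f in flows:
        per_dst[f.dst] += f.mbps
    return {dst: rate >= threshold for dst, rate in per_dst.items()}


def amplification_ratio(f):
    """Response bytes per request byte for one flow."""
    return f.resp_bytes / f.req_bytes


def inline_amplification_alerts(flows, min_ratio=AMP_RATIO_ALERT):
    """Always-on approach: judge each flow by its shape, not its volume.
    Returns (reflector, victim, port, ratio) for every suspicious UDP flow."""
    return [(f.src, f.dst, f.sport, round(amplification_ratio(f), 1))
            for f in flows
            if f.proto == "udp" and amplification_ratio(f) >= min_ratio]
```

With the sample data the threshold check reports nothing for 203.0.113.5, while the per-flow check flags both LDAP reflections at roughly 55x and leaves the DNS flow alone.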

Contributed by Dave Larson, CTO/COO, Corero Network Security