In August last year, Brian Krebs’ website, KrebsOnSecurity, came under several massive DDoS attacks. The attacks led to the shutdown of the site after all security measures failed.
For most people, the above paragraph packed a lot of information they have no idea about or even care about. It is wise to care about DDoS attacks even if you’ll never be targeted directly, as these attacks could potentially bring down the Internet and subsequently cause catastrophic damage to our way of life. This is not an exaggeration.
First though, who is Brian Krebs? Why was his website targeted and what are DDoS attacks?
What are DDoS attacks?
Basically, a Distributed Denial of Service (DDoS) attack attempts to make access to a website impossible by sending massive junk traffic at the targeted website.
Take your basic website for example. People access the site freely through the Internet. Depending on the resources of the website, it can only handle a certain amount of traffic simultaneously.
Beyond that threshold, the website begins to slow down, ultimately crashing under the weight of too much traffic. This rarely happens to websites unless something unusual happens to spike the number of visitors to the website.
That is what DDoS attacks simulate. They blast a website with a huge amount of illegitimate traffic making it impossible for legitimate visitors to access the website. If sustained, the website would have to be shut down.
Brian Krebs is one of the top independent Internet consultants or researchers (also known as white hat hackers) in the world. He is known for pointing out weaknesses on the Internet and on websites as well as proffering solutions to them.
The big firms, tech companies, and security agencies listen to people like him a lot.
It was no mean feat for a DDoS attack to bring down the website of a top Internet Security consultant. That just underlines how serious these attacks are.
Getting even with Brian Krebs
A few weeks before KrebsOnSecurity came under DDoS attacks, Brian Krebs exposed two Israeli teenagers who sell DDoS services to anybody interested.
It was a big business for the kids and their allies around the world. People use their services to bring down websites. For instance, a rich man can hire them to direct a DDoS attack at a particular website.
His motive could be anything from shutting the website down to prevent damaging information about him from getting out, to payback for something as mundane as a refusal to sell the website to him.
The exposé by Brian Krebs led to the arrest of the teenagers by the FBI. So it was not coincidental that his website came under DDoS attack a few days later.
That attack was clearly a warning message to the likes of Brian Krebs to stay away. It was a direct and unambiguous message from the attackers that nothing can stand in their way.
A powerful warning shot
A couple of months later, in October last year to be precise, the DDoS initiators showed the world what they were capable of. They brought down Dyn, using an unprecedentedly massive and sustained DDoS attack.
A word on Dyn: This US-based firm, a subsidiary of Oracle, owns one of the biggest domain registration servers in the world. Many important websites are registered there.
In that attack, websites like Netflix, Reddit, Spotify and Twitter crashed. Millions of people around the world could not access these websites. Many more companies lost valuable information stored in their servers hosted by Dyn.
Though Dyn was up and running after a few hours, the loss to people, companies, and websites ran into millions of dollars.
News circulating on the underground web claimed this was just a test run. Chew on that for a while.
How interconnected devices aid DDoS attacks
Schematics of DDoS attack
One would think attacks on the scale of the Dyn DDoS were carried out by people with massive resources. Actually, all they need are three things:
- The knowledge on how to do it (good hackers can learn that easily and freely online)
- The software, known as Mirai, which is freely available on the dark net and
- IoT devices, also known as interconnected devices.
Interconnected devices are increasingly becoming a daily part of our lives. Most of them are plug and play devices needing no complicated setup to get them working.
Examples of IoT devices include:
- Popular products like the Amazon Echo and Google Home, two smart assistants that are changing the way we connect to the Internet.
- Smart cars like Tesla motors. Many other companies are going the way of smart cars, e.g., Renault’s R-Line.
- Wearables like smart wrist watches and T (‘T’ for tech) shirts like the ones made by Ralph Lauren.
- Home appliances like bulbs, fridges, TVs, sound systems.
There are literally millions of these devices just waiting to be at the service of DDoS attacks.
Since most of these devices are plug and play, these hackers can easily get the default passwords from the manufacturers’ websites, hijack the devices and use them for their attack.
When thousands of these devices have been hijacked, they are strung together by Mirai to form a network controlled by just one computer in the hacker’s den.
Simultaneous signals are now directed at the unfortunate website and sustained for a period of time. The higher the number of devices in the network, the easier it is to bring down a website.
The scary part is, connected devices are still in their infancy. Millions more would come online in a very short time, invariably and geometrically escalating the number of devices that can be strung into a DDoS attack hub.
In one sentence: it is going to be easier to initiate bigger DDoS attacks in the future.
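The capacity threshold and the many-devices point above can be seen from the defender's side in a request log. The following is an added example, not part of the original article: the records are constructed sample data, and the per-source limit and function names are assumptions used for illustration.

```python
from collections import Counter, defaultdict

def build_sample():
    """Constructed (second, source) request records, not real traffic."""
    records = []
    for i in range(5):            # second 100: 5 ordinary visitors, 3 requests each
        records += [(100, f"198.51.100.{i}")] * 3
    for i in range(400):          # second 101: 400 hijacked devices, 2 requests each
        records += [(101, f"10.0.{i // 250}.{i % 250}")] * 2
    records += [(102, "192.0.2.7")] * 300   # second 102: one noisy source
    return records

def analyse(records, site_capacity, per_source_limit):
    """Per second: total load, distinct sources, and what a per-source cap stops."""
    per_second = defaultdict(Counter)
    for second, source in records:
        per_second[second][source] += 1
    report = {}
    for second, sources in sorted(per_second.items()):
        total = sum(sources.values())
        # Requests a simple per-source cap would drop in this second.
        blocked = sum(n - per_source_limit
                      for n in sources.values() if n > per_source_limit)
        passed = total - blocked
        report[second] = {
            "total": total,
            "sources": len(sources),
            "blocked": blocked,
            "passed": passed,
            # Still over capacity even after capping every individual source.
            "over_capacity": passed > site_capacity,
        }
    return report

def distributed_floods(report):
    """Seconds where the site is overwhelmed although no single source stands out."""
    return [s for s, r in report.items() if r["over_capacity"]]

if __name__ == "__main__":
    rep = analyse(build_sample(), site_capacity=200, per_source_limit=5)
    for second, row in rep.items():
        print(second, row)
    print("distributed flood seconds:", distributed_floods(rep))
```

A single noisy source is cut down to the cap and the site survives, while 400 devices sending two requests each pass the cap untouched and still exceed capacity.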
Preventing DDoS attacks
When KrebsOnSecurity was attacked, only Google’s Project Shield was able to provide help by preventing the attack from reaching the website.
Project Shield was created specifically by Google to prevent DDoS attacks on websites. However, its services are limited to websites that are not for profit and provide a valuable service to the public.
If you think your website fits that profile, you can go to the Project Shield website and register with them. It is free.
For the rest of the world though, Project Shield cannot help out. The best ways to mitigate these attacks include:
- Making sure we change the default passwords of the smart devices we buy. Preferably, use long passwords.
- Companies making IoT gadgets and devices need not be educated on the imperative of securing their data. This is very important as getting the default password of just one device is the key to hijacking millions of other devices.
- Security agencies must shelve ideological differences. This is a crime that respects no borders or politics.
These measures would not completely eliminate the ability to initiate DDoS attacks (there would always be people who are too careless with their devices and companies whose pursuit of profits doesn’t include investing in online security), but large scale attacks like the one on Dyn might become just a footnote in the world’s history.