What happened to the internet last week and what could it mean long term?
(originally published in Corridor Business Journal, 11/9/2016)
On an early Friday morning one of the mainstay internet infrastructure companies was attacked by ten million devices. The target was Dyn, an organization responsible for managing much of the traffic for internet giants like Amazon.com, Verizon, The Wall Street Journal and Starbucks. This attack was executed using a Mirai botnet - a collection of compromised baby monitors, DVRs, digital cameras and printers. There were multiple phases to the attack, and the impact was felt by almost everyone using the internet in the United States over the course of the day. As of this writing, it is the largest and most devastating Distributed Denial of Service (DDoS) attack on record.
There are several groups that have claimed responsibility for the attack, including both Anonymous and New World Hackers. The initial investigations released seem to support these claims, and thankfully it looks as if the Russian government may not have been involved. In some ways, this is even more disturbing.
The truly frightening aspect of this attack is that it doesn't seem to be the work of a well-funded nation state or a rogue nation. It may well be the work of a few hackers or "script kiddies" that used the now-publicly-available Mirai toolset. Anyone with an internet connection and a reasonable set of computer skills can download this tool and use it to wreak havoc.
The military refers to this kind of threat as asymmetric - a few actors can tie up the resources of a much larger force. The Dyn attack required the work of numerous companies, hundreds of employees and thousands of hours of concerted effort to defend against what may have been just a handful of hackers.
While there's little that organizations themselves can do to stop such an attack once it is under way, the key lies in preparation. Companies can contact their internet service providers and website hosting providers and ask to see a copy of their DDoS response plan. This plan should be firmly in place, and the organizations on which companies depend should have active testing programs to confirm that the plan actually works.
Additionally, organizations would be wise to prepare an incident response plan of their own. This plan lays out who is involved in a response, how communications will be handled, a relationship with a third-party team of security experts, and a series of steps for managing the most likely scenarios.
Lastly, there are several methods of detecting and mitigating DDoS attacks using software solutions. These are primarily relevant to larger organizations, but an active monitoring system that can dynamically re-route traffic can be an important step in protecting cloud and physical infrastructure in multiple locations.
These threats aren't likely to disappear, and history tells us that by the time the DDoS quandary has been solved, a new threat will be just over the horizon. The key lies in preparation and in building a plan within your organization to manage these issues when they arise.