Trade Law Daily is a service of Warren Communications News.
Threat Growing

For-Hire Cyber Hackers Driving Up DDoS Attacks, Exploiting Insecure IoT Devices

Cheap and easy-to-use distributed denial of service attack services are driving up the rate of DDoS attacks and exploiting insecure IoT devices, cyber experts said. For less than $100, DDoS-for-hire services can easily take a company down, Corero Network Security CEO Ashley Stephenson told us. Corero's third quarter report showed a 35 percent uptick in DDoS attacks, and Akamai recently reported a 28 percent hike in attacks in the second quarter, notable after three quarters of decline. Neustar’s twice yearly cyber report said attackers are “quite proficient at achieving higher breach rates while using fewer DDoS attacks.”

“DDoS is cyclical -- we strongly suspect it’s going to come back up again,” Akamai Security Advocate Martin McKeay told us. A lot of DDoS disruptions are “teeny, tiny nuisance attacks” easily combated, he said. Larger attacks require better defensive measures, and the biggest, such as the terabit-level Dyn attack (see 1703220072), require sophisticated cloud-based defenses, he said. Dyn-scale attacks are likely to increase because cyber criminals and nation-states hostile to the U.S. have access to more sophisticated code, McKeay predicted. “This could take down a whole region and impact underseas cables,” he said.

Corero’s clients experienced an average of eight DDoS attack attempts per day in Q3. The company, which sells DDoS defense solutions, flagged the “Reaper” botnet as particularly threatening due to its ability to exploit known security flaws in the code of insecure machines. Reaper acts like a computer worm hacking into IoT devices and moving on to find others to infect, Corero said. Also growing in scale and power are ransom denial of service attacks, Corero said, with the hacker group Phantom Squad targeting companies throughout the U.S., Europe and Asia.

“Reaper is going to be huge. People are not focused on it,” said Ballard Spahr attorney Ed McAndrew. Dyn was an “eye-opener,” but Reaper has the potential to have tremendous power, he said: “It will be interesting to see if the government can take down that infrastructure before anything really bad happens.” McAndrew, a former federal prosecutor, said DOJ partners with the private sector to shut down such traffic.

DDoS attacks captured national attention last year when the Mirai botnet crippled Dyn’s DNS servers, halting operations of customers including Reddit, Tumblr and Twitter and prompting congressional inquiries. A year later, most companies aren't prepared to defend against DDoS attacks, said a global survey of more than 1,000 security firms by network control firm Infoblox, which found 86 percent of cyber solutions companies reported users failed to detect attacks.

Many organizations aren't upgrading security patches that could prevent such attacks, Akamai's McKeay said. “Patching is not a simple issue,” he said, and due to costs involved in testing and system downtime “is often de-prioritized as a business function.” Corero said the vast number of unsecured IoT devices is a major threat. “After the holiday season there’s going to be a lot more unsecured devices out there ready to launch an attack,” Stephenson said. “In general the majority of home and even institutions are inadequately protected,” he said.

“There’s a huge legacy problem with unsecured IoT devices,” said R Street Institute senior fellow Paul Rosenzweig, former deputy assistant secretary-policy in the Department of Homeland Security. “In many instances, devices can’t be patched and the only way to fix it is to put a new one in,” he said. Regulatory and legislative solutions are not yet emerging to address the insecurity of IoT devices, experts believe. The FTC lost a case it brought against D-Link Systems alleging the company sold insecure routers and wireless cameras (see 1702010017) when the U.S. District Court in San Francisco ruled the commission didn’t have legal authority.

“I think we have a long way to go before we’re going to be ready for this, but we have made some very significant strides,” said Wilkinson Barker attorney Clete Johnson, who worked on the Commerce Department’s National Institute of Standards and Technology cybersecurity framework. What’s concerning is the intense increase in volume and scale of attacks today, Johnson said. Enterprises need to be prepared for high-volume attacks. “It’s like going into the flu season with a flu shot -- a manageable problem if you’re managing,” he said.