
On the cusp of 2017, one thing’s clear: distributed denial-of-service (DDoS) attacks made their mark in 2016. Arbor Networks tracked 124,000 DDoS attacks each week between January 2015 and June 2016. Furthermore, 274 of the attacks observed in the first half of 2016 reached over 100 Gbps (as compared to 223 in all of 2015), while 46 attacks registered above 200 Gbps (as compared to 16 in 2015). Collectively, those campaigns’ peak attack size increased by 73 percent to 579 Gbps.

Data isn’t yet available for the second half of 2016, but a similar increase in attack size and frequency most likely occurred in those six months. Why? In both halves of 2016, analysts recorded several DDoS attacks that rocked the Internet. Those campaigns proved especially significant because of their size and/or the high-profile nature of their targets.

It’s important that organizations learn about the ongoing evolution of DDoS attacks if they are to defend against them in the New Year. With that in mind, let’s now explore the five most significant DDoS attacks that occurred in 2016.

5. Russian Banks

A botnet consisting of at least 24,000 computers located in over 30 countries trained its resources against at least five Russian banks in the beginning of November. Sberbank and Alfabank were among the victims that experienced several waves of DDoS attacks over a two-day period. Fortunately, none of the attacks were strong enough to knock out any of the affected organizations’ online client services.

It’s believed the bad actors leveraged an IoT botnet like Mirai to perpetrate the attacks.

The campaign marked the first time attackers had conducted a massive DDoS campaign against Russian banks since October 2015.

4. Rio Olympics

Several public-facing web properties and organizations affiliated with the Rio Olympics suffered a sustained DDoS attack that lasted for several months. Beginning in September 2015, the campaign used a DDoS-for-hire service called LizardStresser to launch attack traffic against its targets, with attacks ranging in size from tens of gigabits/sec up into the hundreds of gigabits/sec.

As the Games drew closer, LizardStresser – along with several other Internet of Things (IoT) botnets – added some additional firepower to their UDP reflection/amplification attack vectors, including requests targeting the IP protocol Generic Routing Encapsulation (GRE) and high-volume packet-floods destined for UDP/179. The attack ultimately peaked at 540 Gbps.

A DDoS campaign of that magnitude and longevity could have easily disrupted the logistics and media coverage of the Olympics. But thanks to the mitigation measures provided by Arbor Networks, Brazilian information security professionals and the International Olympic Committee (IOC) kept their systems up and running.

3. Clinton and Trump Campaign Sites

On April 1, the global hacking collective Anonymous launched a DDoS campaign against Donald Trump. Under the banner #OpTrump, the group sought to take down the websites for the billionaire’s hotel chain and presidential campaign, as well as his email servers. Anonymous hoped the attack would help end Trump’s bid for the White House and damage his brand.

Later in the year, around the time of Election Day, attackers once again made the unusual move of targeting political candidates. This time they leveraged a Mirai IoT botnet to target the campaign websites for both Hillary Clinton and Donald Trump. Both DDoS campaigns consisted of HTTP layer 7 attacks that lasted for only 30 seconds.

While it’s unusual for DDoS groups to set their sights on political targets, their decision to do so comes at a time when digital sleuths are increasingly using their expertise to meddle in states’ internal affairs.

2. Brian Krebs

In September, the blog of information security investigative reporter Brian Krebs experienced a DDoS attack. It was unusually powerful, with reports placing the peak attack traffic at around 620 Gbps – more than double the size of any attack Akamai and others had ever seen.

The campaign was unusual in that it didn’t rely on amplification or reflection methods, techniques which are designed to strengthen the intensity of a DDoS attack beyond its registered number of requests. Among other tactics, the attack leveraged GRE traffic, which can’t be spoofed or faked.

Krebs later determined a Mirai botnet was responsible for the attack against his website. Mirai had enslaved hundreds of thousands of IoT devices by scanning devices connected to the web for vulnerabilities. It then infected the devices with malware, thereby enlisting them into its ranks.

1. Dyn

October 21 will be remembered for years to come. That’s the day when an actor leveraged a Mirai botnet consisting of 100,000 infected devices to launch a DDoS attack against Dyn.

The campaign targeted the internet performance management company’s managed DNS infrastructure, or the architecture that helps translate easily readable domain names like “” into numeric addresses at which websites and other Internet services are based. As a result, Dyn’s resources could not connect customers’ domain names to their web addresses.

For a couple of hours, high-profile websites like Etsy, GitHub, Spotify and Twitter suffered service interruptions or went offline altogether. Dyn worked quickly to restore service. Notwithstanding the company’s immediate response time, the attack against Dyn demonstrated how attackers can leverage insecure IoT devices to wreak havoc against the Internet writ large.


In looking at each of these attacks, one common factor unites them: IoT botnets. Malware like Mirai that leverages insecure IoT devices to conduct DDoS attacks is clearly on the rise. With that said, organizations can and should take certain measures to prevent a DDoS attack, but that’s only part of the problem.

Product manufacturers and the security community also need to work together to create the expectation (or regulation) of security by design in IoT devices. If we are to mitigate similarly massive DDoS attacks in 2017 and the years to come, we need to have this conversation sooner rather than later.