
There’s no end in sight to the DDoS threat, and this year the attacks are likely to get more frequent and even larger in scale.

Distributed denial-of-service (DDoS) attacks have been plaguing companies for years, and they are becoming ever larger in scale, harder to mitigate, and more frequent, according to Deloitte Global.

Such attacks aim to render a website or connected device unusable by flooding it with traffic, often via a botnet consisting of numerous infected devices. It’s equivalent to hundreds of thousands of fake customers converging on a traditional bricks-and-mortar shop at the same time, overwhelming its staff and making it impossible for them to serve genuine customers. Hit with a DDoS attack, an e-commerce site may not be able to sell, a government site may not be able to process tax returns, or a news site may not be able to display content.

Last year witnessed the first attacks in which more than one terabit of junk data per second flooded the victim site. In 2017, the average attack will send between 1.25 and 1.5 gigabits per second (gbit/s),[1] according to Deloitte Global, which expects an average of one terabit-per-second attack every month and over 10 million attacks over the course of the year.[2]

Three Contributing Factors

As the scale of DDoS attacks has steadily increased over the years, defenses have been scaled up as well, amounting to a game of cat and mouse in which neither side has become too powerful. In 2017 that might change in attackers’ favor because of three underlying trends:

Insecure internet of things (IoT) devices. One factor is that the base of insecure connected IoT devices—which can include anything from video cameras and digital video recorders to routers and appliances—is growing.

Compromising a connected device remotely often requires knowledge of its user ID and password. Most users are familiar with the need to change this information before using a device for the first time, and at regular intervals thereafter, but not everyone does. At the same time, approximately half a million of the billions of IoT devices worldwide reportedly have hardcoded, unchangeable user IDs and passwords. Such credentials can be discovered by someone with programming knowledge who searches the device’s firmware.

Meanwhile, devices that lack screens or have only small displays, such as connected cameras or digital video recorders, may not be able to signal the need for an upgrade or even to run antivirus software.[3] There is usually no perceived deterioration in the performance of a compromised device either, meaning owners may remain completely oblivious for years.

Step-by-step instructions. Historically, launching DDoS attacks consistently and on a large scale has required considerable expertise. But in late 2016, in the wake of a 620 gbit/s attack enabled by the so-called Mirai malware, instructions on how to replicate the attack were posted online, most likely to cover the perpetrator’s tracks. The post included the malware’s source code as well as default user IDs and passwords for a range of connected devices, opening the door for others to replicate it. In 2017, there could be further attacks based on the Mirai code.

Increasing bandwidth speeds. Also making major DDoS attacks more likely are the increased broadband uplink speeds becoming commonplace today. The higher the uplink speed, the greater the amount of junk traffic that can be sent—and disruption inflicted—by each compromised device. A user with a compromised device and a gbit/s uplink could unknowingly wreak the same damage as a hundred compromised devices on a more common 10-megabit-per-second uplink.

In 2017 and over the coming years, two major network upgrades are expected in several markets. Cable networks are being upgraded to Data Over Cable Service Interface Specification (DOCSIS) 3.1, enabling multigigabit speeds, and copper networks are being upgraded to G.fast broadband technology, enabling speeds of hundreds of megabits per second via traditional copper strands. This is in addition to the rising number of fiber-to-the-home and fiber-to-the-premise installations being added worldwide. By 2020, there are likely to be hundreds of millions of gigabit-capable connections worldwide.

The Bottom Line

DDoS is not a new topic for 2017; what is new is the potential scale of the problem. Any organization that depends on the internet should be aware of a possible spike in the impact of such attacks. Companies have several options that can help mitigate the threat, including:

Decentralize. A concentrated locus of information and computing makes it easy to identify DDoS attack targets such as data centers and servers. Organizations may benefit from designing and implementing architectures that disperse these capabilities physically and logically while maintaining the performance of traditional centralized approaches.

Oversubscribe. Large organizations can lease more bandwidth capacity than they currently need, not just to allow for commercial growth but also to help minimize the effects of any DDoS attack. If an attacker is unable to muster enough traffic to overwhelm this capacity, the attack won’t be effective.

Test. Organizations can identify vulnerabilities proactively. Controlled and friendly testing can be used to review DDoS response mechanisms and general resilience, helping to identify shortcomings in test scenario design, metrics, assumptions, and scope.

Defend. Static, predictable behavior facilitates attack planning and execution. Companies can reduce their risk by developing agile defensive techniques, including the design of deceptive approaches that establish a false reality for attackers or disperse adversarial traffic.

Detect. Explore possibilities for more granular traffic filtering, such as by geography. If traffic surges from a particular location, it may need to be treated as suspicious. Large quantities of new traffic may also be suspect. Companies could ask telecommunications companies to filter at the domain name server (DNS) level, possibly tracking traffic from other countries or major internet exchange points if required.
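The "Detect" recommendation above can be made concrete with a small per-region surge detector. The following is an added example written for this page, not code from the article or from Deloitte: it buckets constructed flow-log lines (format `<epoch_seconds> <src_ip>`, an assumption) into fixed time windows, maps each source to a region through a constructed prefix table (a stand-in for a GeoIP or routing database), and raises an alert when a region's hit count jumps past a multiple of its own running baseline or when most of the region's sources in that window have never been seen before. Flagged windows are excluded from the baseline so that a sustained flood cannot quietly raise it.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed prefix-to-region table, an assumption made for this example; a
# real deployment would use a GeoIP database or the operator's own routing data.
REGION_PREFIXES = {
    "198.51.100.0/24": "region-A",
    "203.0.113.0/24": "region-B",
    "192.0.2.0/24": "region-C",
}
_NETS = [(ip_network(p), r) for p, r in REGION_PREFIXES.items()]


def region_of(ip):
    """Map a source address to a region label, or 'unknown' if unmapped."""
    addr = ip_address(ip)
    for net, region in _NETS:
        if addr in net:
            return region
    return "unknown"


def parse_line(line):
    """Parse one constructed flow-log line of the form '<epoch_seconds> <src_ip>'."""
    ts, ip = line.split()
    return int(ts), ip


def detect_surges(lines, window=10, ratio=5.0, min_hits=20, new_frac=0.8):
    """Return (window_start, region, reason, hits) alerts.

    "surge": a region's hit count in a window exceeds `ratio` times the mean of
    its earlier, unflagged windows (a region with no history has baseline 0, so
    a previously silent region reaching `min_hits` is a surge).
    "new-sources": at least `new_frac` of the region's sources in the window
    were never seen in earlier windows.
    Flagged windows are not added to the baseline, so an attack cannot raise it.
    """
    hits = defaultdict(lambda: defaultdict(int))      # window -> region -> count
    sources = defaultdict(lambda: defaultdict(set))   # window -> region -> addresses
    for ts, ip in sorted(parse_line(l) for l in lines):
        w = ts - ts % window
        region = region_of(ip)
        hits[w][region] += 1
        sources[w][region].add(ip)

    history = defaultdict(list)   # region -> counts of earlier unflagged windows
    seen = defaultdict(set)       # region -> addresses seen in earlier windows
    alerts = []
    for w in sorted(hits):
        for region in sorted(hits[w]):
            n = hits[w][region]
            srcs = sources[w][region]
            flagged = False
            if n >= min_hits:   # ignore low volumes so quiet regions do not alert
                past = history[region]
                baseline = sum(past) / len(past) if past else 0.0
                if n > ratio * baseline:
                    alerts.append((w, region, "surge", n))
                    flagged = True
                new = srcs - seen[region]
                if len(new) / len(srcs) >= new_frac:
                    alerts.append((w, region, "new-sources", n))
                    flagged = True
            if not flagged:
                history[region].append(n)
            seen[region] |= srcs
    return alerts


def constructed_sample():
    """Constructed flow-log lines: steady traffic from regions A and B, then a
    burst from never-seen addresses in region C (window 30), then a burst of
    repeat addresses in region A (window 40)."""
    lines = []
    for w in range(0, 50, 10):                # five 10-second windows
        for i in range(1, 6):                 # steady: 5 hits/window per region
            lines.append(f"{w + i} 198.51.100.{i}")
            lines.append(f"{w + i} 203.0.113.{i}")
    for i in range(1, 51):                    # window 30: 50 new sources in region C
        lines.append(f"{30 + i % 10} 192.0.2.{i}")
    for i in range(60):                       # window 40: 60 hits from 5 known A sources
        lines.append(f"{40 + i % 10} 198.51.100.{i % 5 + 1}")
    return lines


if __name__ == "__main__":
    for alert in detect_surges(constructed_sample()):
        print(alert)
```

On the constructed sample the region-C burst trips both rules (it comes from a silent region and from addresses never seen before), while the region-A burst trips only the surge rule because its addresses are already known. The `min_hits` floor keeps a region's first quiet windows from alerting, and the thresholds would be tuned per site against observed traffic before any alert is wired to an automated filter.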

DDoS attacks are likely to increase in intensity in 2017 and beyond, and attackers are likely to become more inventive. CIOs, take note: The DDoS genie is out of the bottle, and is very unlikely to pop back in.

—by Paul Lee, partner and head of global technology, media, and telecommunications (TMT) research, Deloitte Touche Tohmatsu Limited; and Duncan Stewart, director of TMT research, Deloitte Canada