Large terabit-scale DDoS attacks will continue to wreak havoc and become a regular occurrence in 2017 unless Internet Service Providers harden their DDoS defenses, according to 2017 predictions from Corero Network Security (LSE: CNS), a leading provider of real-time security solutions against DDoS attacks.
With 2016’s rear-view mirror showcasing significant new high-volume attacks, Corero’s threat predictions for 2017 include:
- Terabit-scale attacks to become the new norm, impacting ISPs and the Internet backbone itself
- Novel zero-day reflection and amplification attacks will appear with more frequency, enabling more sophisticated and targeted attacks
- DDoS attacks will become a top security priority, with increased disruption to business and government due to rising threat levels
The Mirai botnet, which was responsible for a string of attacks in recent months including the DDoS attack against DNS provider Dyn in October, will continue to evolve as hackers take advantage of the billions of poorly-secured, Internet-connected devices currently in use worldwide. In terms of its size, the Mirai botnet is currently believed to have a population of around 300,000 Internet-connected devices, but its population could increase significantly if hackers amend the source code to include root credentials for other types of vulnerable devices.
Corero predicts that the Mirai botnet will also become more complex in 2017, as hackers evolve and adapt the original package, equipping it with new methods of launching DDoS attacks. Mirai is currently believed to contain around ten different DDoS attack techniques – or vectors – which hackers can use to launch an attack. But Corero believes this number will increase during 2017 as attackers develop new methods and then make them open source and available for anyone to use.
“While the Mirai botnet is certainly fearsome in terms of its size, its capacity to wreak havoc is also dictated by the various attack vectors it employs. If a variety of new and complex techniques were added to its arsenal next year, we may see a substantial escalation in the already dangerous DDoS landscape, with the potential for frequent, Terabit-scale DDoS events which significantly disrupt our Internet availability,” said Dave Larson, CTO/COO at Corero Network Security.
“While the motivations for such attacks are endless, the range of potential political and economic fallouts from such attacks could be far-reaching. Our entire digital economy depends upon access to the Internet, and so organizations should think carefully about business continuity in the wake of such events. For example, it may be prudent to have back-up telephone systems in place to communicate with customers, rather than relying solely on VOIP systems, which could also be taken down in the event of an attack.”
As an example of the pace of change in the DDoS landscape, the Corero Security Operations Centre recently warned of an extremely powerful new zero-day DDoS attack vector which utilizes the Lightweight Directory Access Protocol (LDAP), and has the potential to amplify attacks by as much as 55x.
“Certainly the Internet community needs to prepare for potent attack vectors like this to be added to botnets like Mirai. The combination of zero-day DDoS vectors, Mirai delivery mechanisms and attacker ingenuity would seem to indicate that Terabit-scale attacks could occur increasingly frequently next year and Internet availability in states, major geographic regions or even countries could be impacted significantly,” said Larson. “Individual DDoS attacks tend to cost large enterprises $444,000 per incident in lost business and IT spending, so the combined economic impact from an entire region being affected would be extremely damaging.”
Action by ISPs
While much of the focus in the wake of recent IoT-related DDoS attacks was put on encouraging manufacturers to install proper security controls on Internet-connected devices before they are issued, ISPs also have an important role to play in reducing the number of future DDoS attacks.
At a local level, ISPs could significantly reduce the overall volume of DDoS attacks across their networks by employing systems to detect and remediate infected bots that are used to launch DDoS attacks. Further, established best practices for ingress filtering can be used to remove the problem of spoofed source IP addresses, which are widely used in reflection DDoS attacks. This simple improvement to service provider hygiene would be a great initial step toward reducing the overall volume of DDoS traffic.
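The ingress-filtering check described above can be sketched as follows. This is an added example, not code from Corero or from the original release; the port names, prefix assignments and flow records are constructed for illustration. Each customer-facing port only forwards packets whose source address falls inside a prefix assigned to that port, and the per-port drop counts show which ports are emitting spoofed traffic.

```python
import ipaddress
from collections import Counter

# Constructed provisioning data (hypothetical port names, documentation prefixes).
ASSIGNED = {
    "cust-a": ["198.51.100.0/25"],
    "cust-b": ["198.51.100.128/25", "2001:db8:b::/48"],
}

# Constructed flow records: (ingress port, source IP, destination IP, packets).
FLOWS = [
    ("cust-a", "198.51.100.10", "203.0.113.5", 120),
    ("cust-a", "203.0.113.77", "192.0.2.53", 9000),   # source not assigned to cust-a
    ("cust-b", "198.51.100.200", "203.0.113.5", 40),
    ("cust-b", "2001:db8:b:1::9", "2001:db8:ffff::1", 15),
    ("cust-b", "198.51.100.10", "192.0.2.53", 300),   # cust-a's address on cust-b's port
    ("cust-c", "198.51.100.10", "192.0.2.1", 5),      # port with no provisioning record
]

def build_filters(assigned):
    """Parse each port's assigned prefixes into network objects."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}

def permit(filters, port, src):
    """True if src lies in a prefix assigned to port; unknown ports fail closed."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net
               for net in filters.get(port, []))

def apply_ingress_filter(flows, assigned):
    """Split flows into forwarded records and per-port dropped packet counts."""
    filters = build_filters(assigned)
    forwarded, dropped = [], Counter()
    for port, src, dst, pkts in flows:
        if permit(filters, port, src):
            forwarded.append((port, src, dst, pkts))
        else:
            dropped[port] += pkts
    return forwarded, dropped

if __name__ == "__main__":
    forwarded, dropped = apply_ingress_filter(FLOWS, ASSIGNED)
    print(f"forwarded {len(forwarded)} flows")
    for port, pkts in dropped.most_common():
        print(f"{port}: dropped {pkts} packets with unassigned source addresses")
```
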
Dave Larson explains: “ISPs will find themselves at an important crossroads next year. By working together with governments and the international community, ISPs can strengthen the underpinning infrastructure of the Internet and significantly reduce the volume of malicious traffic flowing across their networks.
“These methods aren’t a quick fix, and they certainly can’t protect against the full spectrum of DDoS attacks, but they would be a vital first step in speeding up our global response to attacks. I’m hopeful that the future of volumetric DDoS attacks in two or three years’ time will be significantly reduced by the combined efforts of ISPs, device manufacturers, security vendors and even Government entities. As this community rallies together to better protect the integrity of the Internet we may see ourselves in a very different place down the line.”
Kaspersky DDoS Report, 2014: https://media.kaspersky.com/en/B2B-International-2014-Survey-DDoS-Summary-Report.pdf