Is the internet of things the new DDoS attack weapon?


[Blog post] Leveraging IoT devices for botnets.

Last week's DDoS attack on Brian Krebs’ website was what security professionals would call a catastrophic event.

A sustained attack of 620 Gbps overpowered Akamai’s best efforts to keep Krebs’ website functioning; under the sheer weight of the attack, even the firm crumbled.

Previously, the most voluminous DDoS attacks ranged between 400 and 500 Gbps. Few websites will be able to defend themselves against this new kind of sustained attack.

It’s been posited that attackers are leveraging internet of things (IoT) devices to grow their botnet capacity to this new level, which in itself is troublesome, but first, the backstory.

Krebs is one of the most prolific cybersecurity-focused investigative journalists and has broken a number of high-profile stories and been responsible for numerous arrests over the years.

As a result of his intrepid work, Krebs has come into direct contact with plenty of criminal gangs and met the perpetrators of many of the world’s most notorious cybercrime fraternities face to face. Speculation that this is why his site was attacked has stemmed from his recent coverage of an Israeli online DDoS attack service called vDOS – still available to read via Google’s webcache.

The vDOS ‘service provider’ supposedly earned more than US$600,000 in criminal proceeds over the past two years, hiring out its large-scale weapon to anyone with the money to take a shot at their enemies.

When Krebs began releasing the names of the people behind the vDOS service, he practically invited this attack. Some of you might think that Krebs should have had DDoS protection, which is true, but it doesn't come cheap.

High-end DDoS mitigation, the kind he’d need for this kind of attack, would have set him back in excess of A$400,000 each year – money that one journalist, running a small business, is unlikely to be able to afford.

The bad news is that there is actually nothing a small business can do about this kind of attack. If you have a website and you don’t have expensive DDoS mitigation, you are at risk.

Moreover, if you’ve considered the risk of this kind of attack as negligible, you need to think again. This is a powerful and commercialised criminal service that’s up for hire.

Why would you be targeted? If you run an online business, criminals can use a DDoS attack to hold you to ransom; if you don’t pay up, they’ll make sure you stay offline. This can be likened to the protection rackets that criminals have always used to extort money from their victims; it’s just anonymous and harder to police.

The fact that Akamai’s service was unable to protect Brian Krebs’ website is troubling, since it offers one of the best anti-DDoS platforms. As the internet of things exponentially increases the number of devices online, the number of vulnerabilities (allowing them to be taken over as bots) is also increasing.

Unless IoT manufacturers start taking information security seriously and build robust, well-coded and security-tested systems that are patched and maintained, there's little way to mitigate this growing threat. We could be in for a number of rocky years battling an all-new kind of ransomware.

Tony Campbell
Tony Campbell has been a technology and security professional for over two decades, during which time he has worked on dozens of large-scale enterprise security projects, published technical books and worked as a technical editor for Apress Inc.

He was the co-founder of Digital Forensics Magazine prior to developing security training courses for infosec skills.

He now lives and works in Perth, where he maintains a security consulting role with Kinetic IT while continuing to develop training material and working on fiction in his limited spare time.

Read more from this blog: Unpatched
