Distributed Denial of Service (DDoS) is the internet equivalent of blocking the doorway to a business. During a DDoS attack, a website is flooded with fake traffic, which the web servers dutifully try to respond to, until they are crushed by the load. Meanwhile, legitimate customers and users can’t get to the website.  

Believe it or not, YOU can play a role in the prevention of DDoS attacks. Mainly, because hackers take control of ordinary, household IoT devices to orchestrate their attacks. So the DVR or baby monitor you have at home could play a part in a DDoS attack. But don’t worry, there are simple steps you can take to avoid being an enabler to these hackers. First, let’s look at different kinds of cybersecurity.

How the CIA triad relates to cybersecurity

In cybersecurity, we think of the CIA triad in terms of types of attacks: 

Confidentiality: Is my information secret?

Integrity: Is my information accurate and trustworthy?

Availability: Can I get my information when and where I need it?

Most people think primarily of confidentiality when it comes to cybersecurity. They worry about credit cards or other confidential data being stolen. However, the other two components are also important. Data integrity can be lost if false transactions are entered, or if the data sources are tampered with. Likewise, DDoS attacks don’t steal information; they only keep it from being legitimately used. Therefore, DDoS attacks affect the “availability” in the security triad.

In the world of hacking, DDoS attacks are relatively low tech. As an attacker, the only goal is to generate a lot of traffic. However, a typical computer can’t generate enough traffic to load a web server, so it needs help. There are two general strategies to generate the massive amounts of traffic needed to overload a website. The first tactic is enlistment and the second is multiplication.  

Enlistment means finding other computers to help with the attack. This “army” can then be used to coordinate an attack on a website, usually without the owners of those devices even knowing.  

In one of the first high-profile scenarios, attackers hacked into IoT devices such as security cameras and sensors around the Internet. They then instructed these hacked devices to send requests to the DynDNS target service on October 21, 2016.  

How did the hackers do it? 

Using a malware package called “Mirai,” the attackers took control of IoT devices on the internet that still had default passwords. A “botnet” (Robot Network) of over 1.2 million devices unleashed a traffic load of over 620 Gigabits per second against the DynDNS service. This service provides an internet look-up service to convert URLs to IP addresses for your browser. The traffic load was so intense, that many popular websites (Airbnb, Spotify, Reddit, PayPal, Netflix, and many others) were unavailable during the attacks. This was the internet equivalent of blocking the ramps for an entire freeway. Traffic was snarled for hours.

What could the DynDNS service do in response? 

Not much, really. The only recourse is to contact the ISP and get the ISP to begin selectively blocking traffic from sites that seem to be misbehaving. This is why it took so long to mitigate the attack. It’s a slow, often manual process.

Recently, companies like CloudFlare, Akamai and Arbor Networks are getting into the DDoS protection business. They typically set up shop and connect to an ISP. A client can then have all traffic routed through the DDoS protection service before it is sent to the website. If a DDoS attack occurs, these services automatically detect it and mitigate it by selectively filtering the attacking IP addresses.

So, if protection is available, why is DDoS still a problem?  

The bad guys have recently stepped up their game. In March, a DDoS attack hit a new world record bandwidth of 1.7 Terabits per second. This attack exploited the second tactic of DDoS attacks—multiplication. The goal here is to send a small packet of data as a request, in order to get a server to launch an avalanche of data in return. Then, you just change the return address on your request to direct the traffic toward the target. Attackers are exploiting this capability by hacking into unprotected “memcashed” servers that are inadvertently exposed on the internet. Normally, these servers are used within websites to provide access to frequently requested files and data. When left unattended and unprotected, attackers can use them to launch huge amounts of data in response to a simple request. In the recent attack, CloudFlare discovered that a 15-byte request could trigger over 134KBytes of response. That’s an amplification factor of over 10,000. 

Don’t be a DDoS enabler

It is interesting to note that in most of these cases, the “Botnet Army” consisted of IoT devices or servers that had no login password set, or still had the factory default password. Do you own any device, anywhere, that still has the factory default password? If so, you may be part of the problem. The primary rule is to always, always reset factory passwords on everything from security cameras to weather stations to baby monitors. Otherwise, you are an enabler. 

Recommended course

Cybersecurity Foundations


Never miss another article. Sign up for our newsletter.

In this article

Join the Conversation