- June 9, 2016
- Posted by: Kerry Tomlinson, Archer News
Bad guys are using your connected things to make money—and make your life more annoying/frustrating/inconvenient.
You’d like to relax with a movie on Friday night, but the movie won’t load. You’d like to get your brother’s birthday gift ordered, but you can’t complete the transaction.
There are always hiccups on the Internet, but some of them are caused by bad guys, and in some cases, you may be contributing to your own online demise.
These distributed denial of service attacks—also called DDoS—are increasing dramatically, according to cybersecurity company Akamai, and regular folk are helping attackers carry some of them out.
The Q1 2016 State of the Internet/Security Report from Akamai shows that DDoS attacks are hitting record numbers—up 125% over last year at this same time. Bad guys are carrying out more “mega” attacks, and more repeat attacks, pounding some sites until they break, if only temporarily. One site was hit 283 times in the first three months of this year, the report said.
The attackers have some favorite targets, including gaming companies. But even if you’re not a gamer, you may still feel the effects, as school, bank and other sites go down for minutes, hours, or even days.
How does it work?
These denial attacks are “crude and unsophisticated,” said Vincent Berk, CEO of network security company FlowTraq.
“It involves overwhelming a target computer or network with as much traffic as possible, making it very hard, or impossible, to reach that computer or network for legitimate users,” Berk told Archer News.
“The attack is very similar to getting 50 or so friends or vague acquaintances to go to the post office with you,” he explained. “Then everybody asks for something ludicrous, like 100 stamps of 1 cent, 50 stamps of 5 cents, etc. Mostly a legitimate request, but it sure causes others to have to wait very very long in line!”
The result—interruptions and annoyances as you try to move through your life online.
“Most importantly, your data is not being stolen, and the site you are trying to access is not ‘hacked,’” Berk said. “But it may be unavailable. Typically, this simply means your Netflix movie ‘hangs,’ or fails to load. Or you can’t get to Amazon to order something.”
For the company under siege, however, a DDoS can be a disaster.
“There is no escaping the reality of a DDoS attack. DDoS attacks can get ugly,” said Barry Greene with Senki in a white paper in March.
Some organizations are not prepared, he said.
“Imagine a fire department rolling up to a fire and then trying to figure out how to use the equipment while the house is burning,” Greene wrote. “Unfortunately, that is normal for DoS attacks.”
In a post on Dark Reading last month, Berk pointed to a 2014 Kaspersky study showing a DDoS attack can cost a company from about $50,000 to about $450,000 in lost business and IT costs.
“This doesn’t even factor in the financial impact of reputational harm,” he wrote.
The attacks damaged some companies’ credit rating and caused others to pay higher insurance premiums, the Kaspersky report said.
Some attackers now don’t just launch a blitz unannounced, the Akamai report said. They may demand ransom first—pay up, or we will DDoS you.
One attack group, the Armada Collective, made more than $100,000 without ever carrying out an actual site assault, reported PCWorld.
Another group demanded ransom, but kept up the attack even after the $6,000 was paid, according to ZDNet.
If bad guys don’t know how to carry out a DDoS attack themselves, they can buy one online.
“These low-cost platforms allow malicious actors to launch DDoS attacks from anywhere in the world,” the Akamai report said. “For example, one platform recently advertised 7,200 seconds of DDoS attack traffic for U.S. $69.99 — less than 2 cents per minute.”
“Attacks are getting easier to launch with the growth of commoditized DDoS platforms and the spread of extortion groups who leverage attacks against companies,” one of the report’s authors, Dave Lewis, told Archer News.
“The average person should make inquiries with the companies that they do business with as to what they are doing to protect themselves, and by extension their customers, against attacks,” he said.
The average person may actually play more of a role in a DDoS than just a frustrated site-using victim.
Could someone be using your connected stuff against you? The report says yes.
“Internet of Things (IoT) devices are coming to market faster than is sustainable from a security perspective, which may be driving the changes seen here,” the report said.
“Many IoT devices, such as printers, are shipped with little or no due diligence from a security perspective,” the report continued. “These devices are home-based and cannot be effectively updated or managed by the end user. As a result, these exposed services can potentially be incorporated into distributed attack platforms.”
The report also noted that compromised home routers have become “an interesting new element” in some Internet attacks.
Borrowing your things
The DDoSers may be relying on your lack of security for their site ambush.
“DDoS attackers use many many computers to generate the traffic that clogs up the target network,” said Berk. “Typically the attacker doesn’t actually own those computers, but instead will use hacked computers elsewhere.”
“This may mean that your desktop at work, or your computer at home is participating in the attack,” he added. “You may never know it, until the attack instructs your computer to start sending the traffic — at which point your network and your computer will become very slow.”
He advised that you follow security best-practices to keep yourself from becoming a DDoS attack puppet.
“Keep your computer up-to-date, don’t open files that people e-mail you, and certainly be careful when installing ‘extensions’ or ‘apps’ that you download off the Internet!” Berk recommended.
Who are they?
DDoSers may be angry teenagers, like the 16-year-old in Japan who reportedly took out 444 school sites in May, saying he wanted to remind the teachers “of their own incompetence,” according to SC Magazine.
They may be digital protestors, like Anonymous, who declared a siege on banks under Operation Icarus.
“Like Icarus, the powers that be have flown too close to the sun, and the time has come to set the wings of their empire ablaze, and watch the system their power relies on come to a grinding halt and come crashing down around them,” said an Anonymous video on YouTube, reported eSecurity Planet last month.
They may be extortionists using Mafia-style shakedown techniques, threatening to attack if they’re not paid.
They may be data thieves, using the denial of service to cover up the burglary, the Akamai report said.
And they may be gamers. The researchers found that 55% of the DDoS attacks focused on gaming companies.
Gaming the gamers
“Gaming sites are unfortunately very juicy targets,” said Berk. “And also vulnerable ones.”
Unscrupulous players may use a DDoS bombardment to their advantage. In the past, some have wanted to get attention or notoriety, damage reputations and disrupt competitive players, the report said.
“Online gamers send and receive a continuous stream of network traffic, that places them ‘in the game,’” Berk said. “This means they continually interact with the other players—many times per second. Any service interruption, however minor it might be, will interrupt their game. It might place them at a disadvantage to other players, or it might even knock them off the game.”
Big sites have become very good at detecting and dealing with DDoS attacks, according to Berk.
Smaller sites, like schools or local media outlets, are less able to defend themselves, he said.
“Typically the attacks are smaller in volume, but the capacity of such sites is much smaller also,” he said, leading to longer downtime.
Greene recommends that organizations form a team to deal with DDoS attacks before they happen, and then practice responding to this kind of crisis.
You can expect more DDoS attacks in the future, according to Akamai.
“One driver for future threats is the continued proliferation of easy-to-use DDoS-for-hire technology,” the report concluded. “The same technologies that make the user experience easier for law-abiding people will also create an easier experience for the online criminal community.”