Near the end of last month a company that you had probably never heard of, Dyn, was the victim of a DDoS attack. It was an unprecedented assault, pumping more than a terabit of data every second at servers that buckled under the load. The attack crippled Dyn’s DNS services, leaving many users unable to reach some of the biggest sites on the Web.
It’s now believed that only one person was behind the attack: a single very angry gamer who had an axe to grind with Sony’s PlayStation Network.
Dale Drew, CSO of Level 3 Communications, said that “We believe that in the case of Dyn, the relatively unsophisticated attacker sought to take offline a gaming site with which it had a personal grudge and rented time on the IoT botnet to accomplish this.” While he didn’t specifically name PSN, sources who spoke to the Wall Street Journal did.
It might sound unbelievable that an individual could’ve caused so much chaos. In 2016, however, that’s very much the reality. Anyone with a bit of knowledge and cash to spare can get his or her hands on extremely powerful cyberweapons. In this case, it reportedly took $7500 and a visit to a Dark Web marketplace.
Bob Anderson, a former executive assistant director at the FBI who now heads up information security operations for Navigant, says it really is that simple. “To perform a DDOS attack, hackers used to have to bring the weight of multiple servers around the world together. Nowadays, with all of the hands-free devices, cameras, appliances, etc. that are available, they don’t need that any more,” he told me in an email exchange.
It’s a turnkey operation, not all that different from, say, placing an order with Amazon. You pay a fee to the botnet controller, you provide a target, and the “cannons” fire away. Not getting caught requires certain knowledge that the average Internet user might not possess and a good deal of discretion, but Anderson assured me that an attack like the one against Dyn is “still very easy to execute.”
The good news is that the impact of future attacks like this one can be limited. Several experts who spoke with FORBES’ Thomas Fox-Brewster offered possible mitigations. All we need now is for service providers to enact them.