In 2015, Distributed Denial of Service (DDoS) attacks were estimated to represent a significant portion of the $15.4 million per year cybercrime cost to average American firms (taken in a study from Hewlett Packard Enterprise Development LP). Looking to 2016, and acknowledging the trends of previous years, it’s apparent that DDoS has gone through many phases, from hactivism to for-the-lulz mayhem crews, and it even has a criminal component with extortionists.
To get a better view of 2016, SiliconANGLE reached out to Nexusguard Ltd., a premier provider of defenses against DDoS attacks, and spoke with Bill Barry, executive vice president of Global Strategy.
In 2016, DDoS will not be headline driving because it becomes Internet weather for consumers
“With the commoditization of DDoS booter sites, more and more people will launch attacks to a greater base of targets,” says Barry, pointing the blame solidly at Lizard Squad’s Lizard Stresser, a publicly visible website that allows anonymous users to pay a few dollars for a few minutes of DDoS against any target they desire.
In past years, these sort of stresser (or booter) websites existed only underground, in the dark web beneath layers of TOR or hidden behind VPN networks accessible only through contacts in hacker forums. The Lizard Squad’s presence in the light of day, easy to find, providing a tool that solicits and enables criminal DDoS attacks has changed that marketplace.
“DDoS-related incidents won’t make spectacular headlines as they did in 2015,” Barry continues. “More industries and companies will continue to be victims of DDoS. We expect DDoS to be a desensitized issue even as prevalence of attacks increases, affecting more small-and-medium enterprises.”
In 2016, “Don’t pay them!” and why giving into ransoms and DDoS blackmail is bad
It’s been said before that there is a growing market for DDoS blackmail: Attackers shake-down a website by hitting it with a brief DDoS, often knocking it offline, and then come knocking in e-mail demanding payment or the DDoS will last longer. The problem? Paying the DDoS attacker doesn’t always prevent the DDoS (see what happened to ProtonMail) and paying only emboldens attackers to keep up the racket.
Barry sees the emergence of Bitcoin, a stable digital currency capable of pseudonymous transactions, as part of the ecosystem that has coupled with stresser sites, mentioned above. This speaks to more extortion in 2016.
“With the rise of Bitcoin, and the prevalence of DDoS booter sites, extortion attempts will be more widespread,” says Barry. “DDoS-for-Bitcoin groups are taking up old-time protection schemes in which they DDoS an organization’s infrastructure before they offer a ransom and sometimes after. These extortion attempts are exacerbated by the abundance of DDoS booter sites.”
With someone DDoSing your site, it’s very hard not to give in: After it, you want it to go away now.
“However, never pay the ransom,” warns Barry. “These DDoS-for-Bitcoin groups will continue to raise the ransom until it is impossible to pay.”
As with the previous prediction, that DDoS will lose its glamor in the press due to its prevalence, 2016 may be the year that DDoS network protection becomes as standard fare as fire insurance for Internet companies.
Barry believes this is a lesson that the entire industry needs to learn and soon. With the increasing prevalence of DDoS not just as a tool of childish mayhem groups for the “lulz” (a la LulzSec, DerpTrolling, Lizard Squad, etc.), but also a tool of extortion, it can cost a company more to get DDoSed than to retain anti-DDoS defenses.
“Companies will shift from focusing on ‘post mortem’ costs of a breach (i.e., repetitional, revenue loss, brand damage and loss of trust) to proactive cybersecurity planning,” Barry says, pointing to the examples of Target, Home Depot and VTech, all of which suffered massive cybersecurity breaches during 2015.
“The true cost of breaches are often much higher than the investments required for a sound cybersecurity strategy,” he adds.
In 2016, DDoS will be recognized as an industry-wide problem
“DDoS attacks affect the entire supply chain. Each piece throughout will have a responsibility to protection on its own, not just saying, ‘it’s not my problem,’” Barry explains.
When a DDoS attack lets fly, attackers are exploiting the political nature of the Internet from consumer devices that do not have proper defenses, to network providers who won’t communicate, vulnerable services who become amplifiers for attacks, down to Internet Service providers who get hit along the way and finally to the targets and the networks in their vicinity.
For DDoS to be thwarted in 2016, Barry believes that the industry must learn to communicate across the entire network supply chain. This necessity, he feels, is driving the development of products that will become just as distributed as the attacks (after all the first D in DDoS is “Distributed”).
“The cost of defense will finally go down, as more and more ISPs are offering true bulk protection against DDoS attacks,” says Barry. DDoS campaigns have always been inexpensive to launch, yet extremely costly to defend against.
“2016 might be the year that the imbalance is shifted,” he adds. “For the first time ever in over a decade, the cybersecurity community is working together to solve problems in the Internet supply chain. We are reaching an economic scale now where defenses are affordable and security providers are sharing know-how. If structured properly, providers will be able to offer cost effective and economical solutions to customers at large.”
What about the gaming industry in 2016?
In the past few years, gaming networks have been more widely reported as targets of DDoS. For example DerpTrolling hit numerous gaming outlets on New Year’s Eve 2013, then Lizard Squad pummeled Xbox LIVE and PSN as a run up to a day-long outage Christmas Day 2014. Other outlets also suffered DDoS during 2015, from Elder Scrolls Online to Neverwinter Online and Star Trek Online.
“Hacktivist attack groups thrive on the notoriety of impacting highly recognizable and reputable brands,” says Barry. “Pair that search for fame with the low-latency, high-traffic network of online gaming systems, and any lag in gameplay or issues logging in gets immediate attention — the smallest crack in defenses will be amplified to the biggest noise.”
What does this mean for 2016? Barry basically says that the gaming scene will want to buckle up.
“[We] anticipate gaming networks will continue to be highly targeted by cyberattacks from hacker groups looking for visibility,” he adds. “Although the PlayStation and Xbox Live networks recovered from DDoS attacks last year, organizations looking to avoid the same mistakes will need to prepare for DDoS’ commoditization and evolution with more advanced traffic management and plan against smarter attack vectors.”
It’s unknown if Xbox Live and PlayStation Network saw DDoS attacks this year (massive or otherwise) as both networks made it through Christmas relatively unscathed. Both sites suffered some bugs Christmas Day — Xbox Live had some billing and subscription problems, and account creation on PSN suffered some delays and outages — but, according to Forbes, nothing seemed related to hackers or DDoS, just overwhelming popularity.
Would-be attackers certainly did threaten to hit the networks this year, such as Phantom Squad — a mayhem crew (or individual) who had their Twitter account banned after initially taking credit for an outage of Xbox Live.
The takeaway still remains that from trends in 2015, DDoS attacks are not going away in 2016. They’ve become more accessible and “easier” due to the emergence of open markets for stressers (such as the still-extant Lizard Stresser) and ever-increasing vulnerable devices. As prevalence of DDoS attacks increases, these events will become less notable and more like Internet weather. (Blizzard, rainstorm, DDoS?)