Data Center Journal

VOLUME 47 | DECEMBER 2016

Issue link: http://cp.revolio.com/i/760098

IoT Threat Confirmed

Technology watchers have warned from the start that the Internet of Things—often defined to include all networked devices beyond just PCs, tablets and smartphones, such as IP cameras, DVRs, home appliances and so on—poses a major security threat. They often couched these warnings in facetious language, suggesting for instance that an army of Internet-connected toasters could bring down a company website. Looking beyond the humor, however, reveals a number of concerns. First, more connected devices means more potential sources of attack, whether individually or in conjunction through a so-called botnet. Second, as these devices proliferate, users become harder pressed to maintain adequate security on each one, particularly when they often fail to do so on their major devices (smartphones, PCs and so on). And third, manufacturers looking to compete by churning out new offerings may include slipshod software, leaving vulnerabilities that attackers can exploit.

These concerns hit home in October 2016 when a DDoS attack on Dyn, a Domain Name System (DNS) service provider, led to an Internet outage that briefly crippled a number of major websites from Amazon to Netflix to Twitter. Krebs on Security reported that the attack used DVRs, surveillance cameras and other IoT devices in a "Mirai" botnet, laying to rest any doubts regarding the threat to networks. (Mirai is malware that searches for and commandeers unsecured devices for use in denial-of-service attacks.) As these devices proliferate, the potential for more and bigger attacks grows—especially in the absence of strong security.

DDoS: The Face of Major Attacks

A DDoS attack is essentially just a brute-force method of shutting down a service by flooding it with so many bogus requests that legitimate users are unable to access it.
Dave Larson, chief operating officer and chief technology officer at Corero Network Security, notes that hackers have refined their strategies over time. "The DDoS attacks of today are far different from the attacks of the past. A decade ago, DDoS was synonymous with large volumetric attacks. This is still the case in some respects, but DDoS attack techniques have become much more sophisticated. Coupled with the ease of securing DDoS-for-hire services, access to massive botnets and unlimited motivations, we are seeing a far more dangerous concoction of attacks taking down major Internet-connected businesses and sometimes even entire service-provider operations."

But who can launch such attacks? Almost anyone. Nation-states certainly have the means to launch major cyber strikes, but so do criminal organizations and even individuals with a grudge. DDoS "service providers" even offer targeted attacks for a fee, giving groups or individuals with little or no infrastructure of their own the ability to hurt business. And because the amount of available computing power is growing constantly—whether through cloud services or through hijacked devices—the threat is also growing.

"'Record-breaking' attacks seem to be making headlines on a weekly basis," said Larson. "Attack techniques evolve, access to vulnerable machines and devices seems unlimited, and new vulnerabilities are being identified regularly. For example, a new amplification attack technique employs the Lightweight Directory Access Protocol (LDAP), a widely used protocol for accessing username and password information in databases such as Active Directory, which is integrated in most online servers. This particular vector has the potential to inflict damage by applying an amplification factor as high as 55x." In other words, by expanding the type and volume of bogus traffic, a hacker gains a greater chance of overcoming defenses and blocking the target's online services.
"If combined with the IoT [Mirai] botnet that was used in the recent 655-gigabit attack against Brian Krebs's website, we could soon see new records broken in the DDoS attack landscape," Larson added, suggesting that multi-terabits-per-second avalanches could be on the horizon.

One of Many Vulnerabilities

DDoS is not the only threat that organizations face. Potential avenues of attack abound, ranging from spear-phishing emails to weak authentication methods to poorly coded software. The goal of attacks also varies; some hackers wish to steal information or resources, others to damage networks or equipment, and yet others to simply prove that they can break into or take control of a system.

All sorts of attacks and their associated rationales have made headlines, so the situation goes beyond any one security concern. Yet DDoS often comes to the fore—perhaps because it's essentially a brute-force attack that lacks a fairly simple solution, such as using two-factor authentication or not clicking on email links and attachments that fail the smell test.

"Of course the security landscape is complicated and the tools to defeat these challenges vary widely," said Larson. "DDoS defense requires purpose-built technology that deals with the problem in a proactive and real-time manner."

Moreover, to make matters worse, security is more than a single isolated problem
