The recent spate of DDoS attacks are not taking advantage of amplification techniques, which have been the most prevalent types of DDoS attacks in recent years.
Instead, the attacks are just flooding links with traffic generated from the sources, the traditional way of implementing a DDoS.
Lastly and most concerning, is that the attacks have been largely comprised of Internet of Things (IoT) devices from all corners of the globe.
The industry has known for a long time that IoT devices would eventually come into play in the cyber security game.
On average, IoT devices are inexpensive, and this is based on their target market, which today are mostly made up of home users.
As a result, manufacturing organisations have little financial margin to invest in building IoT devices with higher levels of security as this an expensive process).
The average consumers of modern day IoT devices are not technologists who understand how to secure a network connected device.
So, if an IoT device does have a security control, for example authentication via a username and password, it is usually not configured correctly by the end user.
Further, being inexpensive means that larger numbers of devices will be purchased by the consumer market, which leads to scale.
Security practitioners have known for a while now that massive numbers of inexpensive and highly insecure IoT devices were going to start popping up all over the Internet.
That time has now come to pass. It has brought us to a point of computational scale that, if leveraged successfully by cyber criminals, can lead to massive disruption of service across the Internet ecosystem.
Unfortunately, it appears that cyber criminals are indeed able to leverage this computing power.
The recent DDoS events of the past few months were spurred by “IoT botnet malware” source code that was released back in 2015.
You might have heard the terms BASHLITE, Lizkebab, or Gafgyt – these are various names of the botnet malware and its variants.
This code was used to create the so-called “LizzardStresser” botnet whose success inspired many other cybercrime organisations to pursue similar endeavours.
In September, one of these botnet malware variants was used to invoke a very massive scale attack targeting the well-known security blogger Brian Krebs, with traffic volume surpassing 620 gigabits per second.
A few days after the attack on Krebs, source code for new IoT botnet malware named Mirai was released, and this led to yet another very large-scale DDoS attack in October that targeted Dyn, a technology company that provides DNS and other Internet services.
The attack disrupted Dyn’s ability to provide DNS to its customers which, in turn, caused websites such as Twitter, Amazon, Reddit, and Spotify to become unavailable.
DNS is critical infrastructure for the Internet.
The thought of a bunch of web cameras, routers, WiFi switches, and such (i.e., IoT devices) being able to take down systems that are vital to the Internet is just downright scary.
These botnets have been successful enough to encompass hundreds of thousands (and some speculate over 1 million) IoT devices.
Consequently, with a cyber army as large as this, it is no surprise that we are seeing such unprecedented rates of DDoS attack traffic that can break part of our Internet infrastructure.
Unfortunately, the situation will not abate, but likely get worse because more and more IoT devices will continue to come online, and device security is not likely to move in the right direction for quite some time.
Where do we go from here?
Building a highly secure device is not easy—security is a hard problem. In order to make headway, we must focus on the two main aspects: the technology component and the human component.
Overall, the cyber security industry is making progress advancing the technology needed to alleviate various aspects of security pain points.
However, until society starts to address the human component of this problem, the good guys in this game will continue to lag behind the bad guys.
How should society address the human component? One solution: education. At this time, our educational ecosystem is really failing in this area.
Indeed, there are good educational programs out there for those who want to work in the cyber security industry.
Living in the highly digital and interconnected world of near-tomorrow, enabled by the IoT, is much different than the connected world we live in today.
>See also: Busting the 7 myths of cyber security
In the near tomorrow, IoT devices and, more importantly the data collected and processed by IoT devices, will influence our lives in a way that is hard to even predict.
The DDoS attacks mentioned above are scary; but, that is just low hanging fruit.
The really scary scenario is when the bad actors figure out how to exploit the data-driven aspects of tomorrows IoT —the same data-driven aspects that influence our every action.
If the cyber security wants to make an impact on the future world driven by IoT devices and associated data, it has to dive deeper into the human component.
In the short term, the industry has to start teaching its children the consequences of using digital technology.
In the long term, we must enhance our curricula, especially those in Science, Technology, Engineering, and Mathematics (STEM) programs.
Cyber security fundamentals should be incorporated into the curricula with the same vigour and pervasiveness as math, physics, and chemistry.
The industry cannot make a dent in this problem by just teaching a few cyber security professionals about how to protect us.
Though this is important, we also must start teaching those who will be developing the IoT technology of tomorrow the basics and fundamentals of cyber security.
For example, if a designer makes a decision to incorporate some type of cyber technology into some gadget, they should understand the security implications of that decision.
If everyone involved understands the problem, then creating new technologies with security considered at inception will become commonplace and the result will be a more secure IoT.
Sourced by Lane Thames, software development engineer and security researcher with Tripwire VERT