Not too big to fail: DDoS Attacks hitting major brands

For the last few years as DDoS attacks have intensified, the message being hammered at business owners and website owners alike has been that everyone is a potential target. From the Game of Thrones fan site to the hobby ecommerce site to the mid-sized electronics retailer to the most major of the major corporations, we’ve been told again and again that anyone could get smashed with a DDoS assault.

It can be hard to believe that, though. Does a near-world power like Google really need to worry about the same attacks as Bob’s Jam and Jelly Emporium? Does Skype have to be on the lookout for abnormal traffic patterns the way an up and coming gaming platform needs to be?

As it turns out, yes. All’s fair in love, war and DDoS attacks.

Basic beginnings

A distributed denial of service or DDoS attack is one that seeks to deny the services of a website to its users. This is done by either degrading page load times to the point that users can’t be bothered waiting or taking a website offline altogether.

To launch these attacks, the criminals behind them require a botnet, which is a network of malware-infected devices that can be controlled remotely. Attackers can either build their own botnets or pay to use one through a DDoS for hire service. Botnets use the collective computing resources of all the infected devices to direct a large amount of malicious traffic at a target website, either aiming to clog the network or consume the resources of the server with the end goal of downtime or degraded site performance that leaves users out in the cold.

A growing problem

There once was a time, a simpler time, where having any form of DDoS mitigation was likely going to be good enough to stand up to attacks. That is no longer the distributed denial of service reality. Nowadays it’s leading DDoS protection or else it might as well be nothing, especially for the major brands that stand to lose so much during an attack with massive amounts of users frustrated by their inability to access the sites and services they’ve come to count on.

DDoS attacks have grown increasingly sophisticated as they’ve become an increasingly favored attack method amongst cybercriminals. Perhaps more notably for major brands, they’ve also swelled to previously unheard-of sizes. This is thanks to Internet of Things (IoT) botnets, which are botnets consisting of so-called smart devices. Since these devices have largely been built without much attention paid to security, and since end users don’t think to secure them the way they would a computer, botnet builders have been able to easily infect them, building botnets powered by hundreds of thousands of devices.

Big results

IoT botnets announced their arrival in a major way with an attack that took down some of the biggest websites and services, throwing the online world into disarray. Known as the Dyn DNS attack, the Mirai IoT botnet launched a record-setting 1 Tbps attack in October of 2016 that knocked out the Dyn domain name server and swept the likes of Twitter, Spotify, Reddit, Amazon, Etsy, Tumblr, Netflix, PayPal, CNN and the BBC offline. In total, well over 60 massive brands were affected leaving millions of users reeling. While this is the most infamous of the big brand DDoS attacks, it wasn’t exactly rare.

A 2016 survey of IT professionals found that global brands are most likely to be targeted by DDoS attacks. The same survey found that when DDoS attacks hit global brands, they smash. Half of those global brands reported losing at least $100,000 per hour during an attack, and with an average of three hours elapsing before an attack is even discovered, those bills get staggering fast.

A bit of time has passed since Mirai first exploded onto the scene, but the more things change, the more they stay the same. In January of 2018 a 21-year-old from Liverpool was sentenced to two years in prison for computer crimes including distributed denial of service attacks on global powerhouses including Skype, Google and Nintendo’s Pokemon.

In good company

Rare is the business owner or website owner that wouldn’t say they want to have plenty in common with Google or Skype. Unfortunately for most business and website owners, what they actually have in common with Google or Skype is that they’re at risk of incurring major damage to their brand reputation and user loyalty from DDoS attacks. With anything less than leading professional DDoS mitigation, this is the reality that will remain. Unfortunately.