Leading up to the U.S. presidential election last week, the oracles of the security world were warning of all the possible types of attacks we might see during the day of decision making. We were preparing for attacks against voting machines, disinformation spread through social media platforms, more email leaks, and above all Distributed Denial of Service (DDoS) attacks against everyone from the White House to news sites around the globe. Yet none of these seem to have materialized.
Akamai paid special attention to nearly 20 different news organizations and more than 100 other properties to look for DDoS and application-layer attacks during the election. While we saw a number of attacks against these properties, the volume we recorded was well within the norms for all of the properties and there was no evidence of anything other than normal, day-to-day malicious attack traffic. However, that doesn't mean the protections these customers put in place weren't appropriate.
The threat landscape for DDoS is changing rapidly. The Internet of Things (IoT) has created a target-rich environment for attackers to use as fuel for their DDoS engines. The Kaiten botnet uses routers and other devices, while the Mirai botnet uses IP-connected cameras and DVRs to create attacks that have reached over a Gigabit per second (Gbps). Not only is Mirai capable of some of the biggest attacks ever seen, it's also capable of reaching those volumes with minimal warning or warm-up.
Many organizations think they know what the DDoS landscape is like, but if that's based on information that's months old, it's out of date. Every aspect of security changes as new vectors are found or created, and right now the DDoS landscape is changing faster than anything else. Because of the release of the Mirai source code at the beginning of October, because of the prevalence of IoT devices, and because of the ubiquity of high-speed internet access around the globe, we are only at the beginning of a sea change in DDoS attacks.
The release of Mirai is not something that can be rolled back. The code is available, and everyone from amateurs to professionals who wants their own DDoS botnet is looking at the code to create a bigger, better, newer version. Millions of IoT devices are already on the market, many with default passwords baked into their software with no way to patch. This means these devices are vulnerable to login abuse and cannot be patched to make up for the poor coding practices of their developers. Vendors have to start being responsible and develop more secure software for these devices - something that's been virtually ignored because security of the product is secondary to cool new bells and whistles. The connectivity of the average home and business is only going to continue to accelerate, giving botnets more capability to attack with.
While we didn't see significant attack traffic during the elections, it doesn't mean the threat isn't still out there. It's only a few days until the real start of the holiday shopping season, with Black Friday and Cyber Monday right around the corner. The primary difference between the election and these shopping days is that there are very real, very significant amounts of money involved. Having a site down or slowed even a little on these upcoming days is something that can break a business' sales numbers for a whole year. This is not only the time of greatest opportunity for merchants, it's also the time of greatest vulnerability.
Hoping for the best is a nice way to look at life, but it's hardly a good strategy for a news site on the biggest night of its year. Similarly, it's not a strategy many merchants are going to be following for the holiday season. We were lucky that there were no significant attacks during the election time frame. But it doesn't mean we were mistaken to prepare for the worst.