By Elizabeth Nwabueze

By YBS 999 – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=48128869.

On the morning of October 21, 2016, Dyn, an Internet performance management company, came under a global distributed denial of service “ DDoS ” attack.[1] This DDoS attack rendered websites like Twitter, Spotify, SoundCloud, Reddit and a host of other sites in the US and Europe partly or wholly unavailable for most of the day.[2] Besides proving the inherent fragility of the Internet to users and businesses alike, we also learned that that the toasters, DVRs, webcams, and other everyday devices, which make up the Internet of Things “ IoT ”, are dangerously insecure. The flood of malicious traffic aimed at Dyn network came mostly from secretly infected devices called “botnets.” Botnets (also known as a zombie army) is a number of hijacked Internet connected devices that are used to compute resources that can be used for any type of malicious purposes (including spam, viruses or DDoS attacks). Unlike previous botnet attacks, which are typically made up of computers, this most recent occurrence involved devices that are mostly unregulated. This poses many questions about how businesses should protect its websites against this type of attack and how businesses ought to mitigate potential losses after an attack occurs.

A DDoS attack, also called a Denial of Service, is when a multitude of systems are flooded with high traffic, which slows the targeted networks and make them unavailable to users.[3] These malicious attacks often bring down networks, web-based applications, or services on major traffic generators such as Yahoo!, eBay, CNN, Amazon.com, and Twitter. The costs of falling victim to these attacks are astounding, as some reports state that it may cost businesses over $300,000 an hour.[4] The first noticeable DDoS attack has been traced to 1999 and was targeted at the University of Minnesota.[5] In 2000, this was followed by the takedown of larger sites such as Amazon, eBay, and CNN.[6] After hackers and cybercriminals became more aware of the efficiency and potential profit from DDoS attacks, the prevalence of such attacks increased significantly. Additionally, the invention of automated Internet worms, a standalone malware that replicates it in order to spread to other computers or devices, opened the door even wider and empowered cybercriminals to effortlessly trigger larger-scale attacks.[7]

By 2010, attacks grew to the rate of 22,000 times the average bandwidth of an Internet user, which means that DDoS attacks grew in both frequency and severity.[8] DDoS attacks evolved into a political movement called Hactivism, where groups like Anonymous would lead organized campaigns against global payment sites like Visa, Mastercard, and Paypal in response to its termination of services with Wikileaks.[9] Today, cybercriminals have a diverse range of DDoS attack methods to chose from, but most attacks fall into two main categories: Volumetric attacks and Application-layer attacks.[10] Volumetric attacks make up 65% of all attacks, including the one last Friday. Application-layer attacks, on the other hand, make up 17% of all attacks and focus on web application packets as a way to upset the diffusion of data between hosts.

The federal government has already passed legislation penalizing these kinds of attacks. Under the Computer Fraud and Abuse Act (“CFAA”), a person is prohibited from “intentionally causing the transmission of a program, information code, or command, that would damage a protected computer.[11] A DDoS attack can be classified as transmission of a program, information code, or command. In 2011, the Sixth Circuit Court of Appeals concluded that DDoS attacks are a violation of violated the CFAA.[12] The court agreed that a labor union’s directed bombardment of Pulte’s sales offices and three of its executives with voluminous phone calls and e-mails impaired the integrity or availability of its data and systems–i.e., statutory damage.[13] In similar cases, the Third and Seventh Circuit also concluded that a transmission that weakens a sound computer system or diminishes the ability to use data or a system, causes damage and is a violation of the CFAA.[14] Most recently in 2013, 13 men have been charged for participating in a series of 2010 and 2011 organized DDoS attacks under the banner of the Anonymous hacktivist collective.[15]

So what this mean for this mean for the future of the Internet of Things (“IoT”)? And how can businesses protect themselves moving forward? First, the most recent attacks exposed the vulnerabilities of IoT devices. The extent of the attacks on Friday may result in more security standards and regulations of IoT devices and the companies that supply them.[16] Second, given the spontaneity of these attacks, companies should have mitigation strategies and services in place in the event of a DDoS attack. The following steps should help businesses protect their networks: prepare for an immediate response; start building and maintaining a safe and efficient cyber security workforce; educate employees about other cyber security incidents cyber risk and provide opportunities to share information with personnel about cyber risks; have an immediate response team with a main point of contact; retain relationships with third party contacts before breach occurs; consider cyber protection insurance; keep up with legislative disclosure requirements; and regularly check website for potential vulnerabilities.[17] Hopefully, after this widespread attack on largely visited websites legislators will respond in ways that will help reduce risks on both business and users.

[1] Tim Starks, Ramifications of the big DDoS attack, Politico,

https://www.politico.com/tipsheets/morning-cybersecurity/2016/10/ramifications-of-the-big-ddos-attack-217020 (last updated Oct. 24, 2016, 10:00 AM).

[2] DDoS on Dyn Impacts Twitter, Spotify, Reddit, https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit (last updated Oct. 21, 2016, 4:06 PM).

[3] What Is a DDoS Attack?, Verisign, https://www.verisign.com/en_US/security-services/ddos-protection/what-is-a-ddos-attack/index.xhtml (last visited Oct. 29, 2016).

[4] Andrew Lerner, The Cost of Downtime, Gartner, https://blogs.gartner.com/andrew-lerner/2014/07/16/the-cost-of-downtime (July. 14, 2014); NTT America, Successfully combating DDoS Attacks, https://www.us.ntt.net/downloads/papers/Successfully-Combating-DDoS-Attacks.pdf (Aug. 2012).

[5] Gary Genosko, The Case of ‘Mafiaboy’ and the Rhetorical Limits of Hactivism, The Fibreculture Journal,

https://nine.fibreculturejournal.org/fcj-057/ (2006).

[6] Stefanie Hoffman, DDoS: A Brief History, Fortinet, https://blog.fortinet.com/2013/03/25/ddos-a-brief-history (last updated Mar. 25, 2013).

[7] Id.

[8] Mcorley, A History of DDoS Attacks, Indusoft, https://www.indusoft.com/blog/2016/10/21/a-history-of-ddos-attacks (last Oct. 21, 2016).

[9] The History of DDoS Attacks as a Tool of Protest, Motherboard, https://motherboard.vice.com/read/history-of-the-ddos-attack (last updated Oct. 1, 2014, 8:25 AM).

[10] Calyptix, DDoS Attacks 101: Types, Targets, and Motivations, Calyptix, https://www.calyptix.com/top-threats/ddos-attacks-101-types-targets-motivations (Apr. 26, 2015).

[11] 18 U.S.C.A. § 1030 (West); see also Anthony Miller, Is DDoS Illegal Or An Act Of Protest?, https://ddosattackprotection.org/blog/is-ddos-illegal (last updated Feb. 4, 2014).

[12] Pulte Homes, Inc. v. Laborers’ Int’l Union of N. Am., 648 F.3d 295 (6th Cir. 2011); Shawn E. Tuma, Yes, Case Law Says It Really Is A CFAA Violation To DDoS A Website, https://shawnetuma.com/2013/10/09/yes-case-law-says-it-really-is-a-cfaa-violation-to-ddos-a-website (Oct. 9, 2013, 10:31 AM).

[13] Id. at 302.

[14] United States v. Carlson, 209 Fed. Appx. 181 (3d Cir. 2006); United States v. Mitra, 405 F.3d 492 (7th Cir. 2005).

[15] Mathew J. Schwartz, Operation Payback: Feds Charge 13 On Anonymous Attacks, DarkReading, https://www.darkreading.com/attacks-and-breaches/operation-payback-feds-charge-13-on-anonymous-attacks/d/d-id/1111819 (last updated Oct. 14, 2013, 9:41 AM).

[16] AT&T Cybersecurity Insights, The CEO’s Guide to Navigating the Threat Landscape, ATT,

https://www.business.att.com/cybersecurity/docs/vol4-threatlandscape.pdf (2016).

[17] Ralph Kroman, National Cyber Security Awareness Month: 10 Tips For Businesses, Lexology,

https://www.lexology.com/library/detail.aspx?g=427b6c3c-2f10-4bc9-8e84-10afaa5959af (Sept. 30 2016).