The Internet of Things has potentially fueled one of the largest DDoS botnet attacks in history, with perhaps over 1 million compromised devices, including cameras, lightbulbs, and thermostats, used to bring down the Krebs on Security blog.
Brian Krebs, owner and writer of the Krebs on Security blog, was dropped by his provider Akamai after 3 days of successfully holding the attack at bay, until it became too costly. So costly, in fact, that Akamai reported the size of the attack as nearly double that of anything they’d seen before, with traffic coming in at 665 Gigabytes per second.
As for who executed such a feat, and what methods were used to infect individual bots in such volume, Akamai has only confirmed that the traffic was legitimate, and says it will continue to investigate ways to fight attacks of that magnitude in the future.
Here are two aspects of the current state of information security highlighted by this incident, both of which I find extremely troubling.
On the front-end: we told you so.
Over a year ago, the analysts at Aberdeen decided to get behind a “unified voice” on the topic of the Internet of Things (IoT). The dominant position was that the value of the IoT – as seen in Aberdeen’s research going back a few years – is in the impact data can have across the business: driving intelligence, action, profitability, and customer satisfaction. For example, we love to write about working out how to service equipment in the field more efficiently based on new insights from IoT-based data.
It took some education and effort, but my fellow analysts finally allowed that the IoT could also have an impact on the organization’s risk. The point being that just like pretty much everywhere else, the focus is almost always on the positive, “rewarded” risks of enablement and upside – often without giving very much (if any) thought to the negative, “unrewarded” risks of disruption and downside.
For this reason, statements like the following – the lead from a Network World article on the unprecedentedly massive IoT-based DDoS attack against the web site of security reporter Brian Krebs – scream out for the world’s biggest “I told you so:”
“Securing the internet of things should become a major priority now that an army of compromised devices – perhaps 1 million strong – has swamped one of the industry’s top distributed denial-of-service protection services.”
Making something a priority only after something massively bad happens is not the way to make risk-based decisions. Assuming that the developers of IoT devices knew about the security-related risks – and that’s my point, everyone knew about them – then there are only a handful of things to do about them: accept them, ignore them (a negligent type of acceptance), try to transfer them to someone else, or take steps to manage them to an acceptable level. And if the risks are ignored or accepted, there should be full accountability for that decision.
On the back-end: we’ll support you – until it costs too much.
DDoS protection for the Krebs site was provided by Prolexic (a unit of Akamai) – until the IoT-based attack grew too large and too sustained, at which time they made the business decision to stop providing protection.
Why? Because it cost too much.
Shame on Akamai. Providing protection only when protection isn’t needed – analogous to providing health insurance only when people aren’t sick – is contemptible. See it through, because you made a commitment. In the aftermath, reevaluate policies and relationships – yes, of course. But service providers shouldn’t abandon their customers in the middle of a crisis, regardless of how much they paid.