Can standards help prevent DDoS attacks, or is it beyond industry’s control?

By Dale Benton

We have seen the increase in DDoS attacks and witnessed the damage they inflict on Internet performance and server accessibility, negatively affecting our business enterprises and our mission-critical operations. One example from 2016 that had a major and far-reaching impact was the DDoS attack against Domain Name Service (DNS) service provider Dyn. How did that incident occur, and could it have been prevented? Would conformance to existing standards have helped?

First, how did the Dyn incident cause such a large impact, preventing access to major internet services like Amazon, Netflix and others? The Dyn attack took advantage of a large number (some sources cite tens of millions) of devices connected to the Internet. In this case the devices were primarily consumer devices, the type that make up the ever-expanding “Internet of Things”: devices such as printers, surveillance cameras, routers and even baby monitors that had been vulnerable to infection by the Mirai malware. This widespread infection was used to create a botnet that carried out the largest DDoS attack to date.

The Mirai malware, which had been published by hacktivists as open source shortly before the attack, scans for and infects vulnerable IoT devices using known and readily available passwords. Once a vulnerable device is found, the device is infected and becomes part of a Mirai “botnet”, which can then be used to launch DDoS attacks from millions of devices. Once activated, the botnet sent an estimated 1 terabyte per second to Dyn’s DNS servers. Many major companies use Dyn to translate their domain names into IP addresses, so when the botnet flooded Dyn with requests from infected devices, the legitimate requests to reach those companies were denied.

Would standards have helped mitigate this? Ultimately, this attack was primarily a consequence of users not changing the default passwords on their devices once they were connected to the Internet. One might call this operator error, but it can also be tied to poor practices on the provider side, with manufacturers not communicating the importance of changing default passwords. In other cases, manufacturers were shipping those devices with the well-known default passwords hardcoded in the firmware of the product. Consequently, the operators could not change the password without getting a new product. In both cases, the devices were left vulnerable.

Could either of these causes have been prevented by conformance to security standards?

One standard that addresses these product integrity and supply chain security issues is the Open Trusted Technology Provider Standard (O-TTPS), recently approved as ISO/IEC 20243. It is a set of best practices to be applied throughout the product’s life cycle (design to disposal) – including supply chains – in order to reduce the risk of tainted (e.g. malware enabled or malware capable) and counterfeit components (hardware and software) from making their way into products that are connected to the Internet. This particular standard also has a conformance program that identifies Open Trusted Technology Providers who conform to the standard.

In the case of the Dyn incident, if the vendors of the IoT devices had followed O-TTPS’ requirements for vulnerability analysis and notification of newly discovered and exploitable product vulnerabilities, the vulnerability which allowed this massive botnet to be assembled would have been caught and the attack vector blocked.

So, can standards prevent DDoS attacks? We can’t prevent these attacks, but following widely accepted standards and best practices for secure development and delivery can mitigate their effectiveness and limit the economic damage they cause.

 

Sally Long, director of consortia services, The Open Group

Dave Lounsbury, CTO, The Open Group

 
