Can standards help prevent DDOS attacks or – is it beyond industry’s control?

By Dale Benton

We have seen the increase in DDoS attacks and witnessed the damage they inflict on Internet performance and server accessibility, negatively affecting our business enterprises and our mission-critical operations. One example from 2016 that had a major and far-reaching impact was the DDoS attack against the Domain Name Service (DNS) provider Dyn. How did that incident occur, and could it have been prevented? Would conformance to existing standards have helped?

First, how did the Dyn incident cause such a large impact, preventing access to major Internet services such as Amazon, Netflix and others? The Dyn attack took advantage of a large number of devices connected to the Internet; some sources cite tens of millions. In this case the devices were primarily consumer devices, the type that make up the ever-expanding "Internet of Things": printers, surveillance cameras, routers and even baby monitors that had been vulnerable to infection by the Mirai malware. This widespread infection was used to create a botnet that carried out the largest DDoS attack to date.

The Mirai malware, which had been published by hacktivists as open source shortly before the attack, scans for and infects vulnerable IoT devices using known and readily available default passwords. Once a vulnerable device is found, it is infected and becomes part of a Mirai "botnet", which can then be used to launch DDoS attacks from millions of devices at once. Once activated, the botnet sent an estimated 1 terabyte per second of traffic to Dyn's DNS servers. Many major companies use Dyn to translate their domain names into the addresses clients connect to, so when the botnet flooded Dyn with requests from infected devices, legitimate requests to reach those companies were denied.

Would standards have helped mitigate this? Ultimately this attack was primarily a consequence of users not changing the default passwords on their devices once they were connected to the Internet. One might call this operator error, but it can also be tied to poor practices on the provider side: manufacturers not communicating the importance of changing default passwords. In other cases, manufacturers were shipping devices with the well-known default passwords hardcoded in the firmware of the product. Consequently, the operators could not change the password without getting a new product. In both cases, the devices were left vulnerable.
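As an added example (not from the article, nor from The Open Group or O-TTPS), here is a provisioning-time check a device maker or fleet operator could run to catch the two failure modes described above before a device is exposed to the network; the `Device` model, the `KNOWN_DEFAULTS` list and the decision labels are all assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample of factory credentials of the kind botnets try; a real
# check would load the maker's own default list for its product lines.
KNOWN_DEFAULTS = {("admin", "admin"), ("root", "root"), ("admin", "1234"), ("root", "")}

@dataclass
class Device:
    model: str
    username: str
    password: str
    password_changeable: bool                 # False = hardcoded in firmware
    remote_services: set[str] = field(default_factory=set)  # e.g. {"telnet"}

def audit_device(dev: Device) -> list[str]:
    """Return policy findings in a fixed order; an empty list means clean."""
    findings = []
    if (dev.username, dev.password) in KNOWN_DEFAULTS:
        findings.append("default-credential")
    if not dev.password_changeable:
        findings.append("hardcoded-credential")
    # A weak credential only becomes a botnet foothold when a login service
    # is reachable from the network, so record that combination explicitly.
    if findings and dev.remote_services:
        findings.append("remote-exposure:" + ",".join(sorted(dev.remote_services)))
    return findings

def provisioning_decision(dev: Device) -> str:
    """Decide what a provisioning step should do before enabling remote access."""
    findings = audit_device(dev)
    if not findings:
        return "online"
    if "hardcoded-credential" in findings:
        # The operator cannot fix this one; only a vendor firmware update can.
        return "needs-firmware-update"
    return "block-until-password-changed"
```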

Could either of these causes have been prevented by conformance to security standards?

One standard that addresses these product integrity and supply chain security issues is the Open Trusted Technology Provider Standard (O-TTPS), recently approved as ISO/IEC 20243. It is a set of best practices to be applied throughout the product's life cycle (design to disposal), including supply chains, in order to reduce the risk of tainted (e.g. malware-enabled or malware-capable) and counterfeit components (hardware and software) making their way into products that are connected to the Internet. This particular standard also has a conformance program that identifies Open Trusted Technology Providers who conform to the standard.

In the case of the Dyn incident, if the vendors of the IoT devices had followed O-TTPS’ requirements for vulnerability analysis and notification of newly discovered and exploitable product vulnerabilities, the vulnerability which allowed this massive botnet to be assembled would have been caught and the attack vector blocked.

So, can standards prevent DDoS attacks? We can't prevent these attacks outright, but following widely accepted standards and best practices for secure development and delivery can mitigate their effectiveness and limit the economic damage they cause.

Sally Long, director of consortia services, The Open Group

Dave Lounsbury, CTO, The Open Group
