What enterprises can learn from the massive Dyn DDoS attack that crippled the Internet one week ago
The mammoth DDoS attack on Dyn, a major DNS host, affected users trying to access sites like Netflix, Yelp, and Twitter last Friday. But those were just a few of the sites affected - the ones that made headlines. And while many of us find it an inconvenience when we can’t binge on a little streaming, find the best cupcake shop to binge on a confectionery, or tell everyone about our latest binge, businesses find it costly.
Experts say the DDoS attack was the largest of its kind in history. The Mirai botnet was used to infect IoT devices such as digital cameras, and then all those infected devices flooded Dyn with so much useless traffic that it shut down a large part of the Internet. I won’t go into the details of the Mirai botnet or how it works, but my colleague Chuck McAuley has, in a blog post entitled “Mirai: A Botnet of Things.” What I want to discuss is the impact a service disruption can have on a business.
Living in Louisiana for much of my life, I am accustomed to hurricane preparedness. My family would stock up on food, water, gasoline, and other basic necessities if we decided to ride it out. If it looked really bad or was expected to be a direct hit, we would evacuate. If we stayed, we expected to lose utilities. And when we stayed, disruptions to daily conveniences such as the grocery store being open or toilets flushing were anticipated. We would simply have a neighborhood party until services were restored (it’s sort of a cultural thing).
When you live on the Gulf Coast, disruption is expected when hurricanes make landfall. Today, there is time to prepare because hurricane tracking is pretty accurate. But it hasn’t always been that way. My grandparents had little if any notice when Hurricane Audrey made landfall. And while they didn’t live directly on the coast, they were caught off-guard when they woke up the morning of June 26, 1957, to find that evacuation was impossible because the streets were already flooded.
Indirect impacts felt by businesses who use cloud applications
When you woke up on Friday, October 21, 2017, were you caught off-guard? If your company relies on any of the directly affected web-based applications and services, I have no doubt that last Friday’s crippling DDoS attack affected your business in many different departments. I don’t think anyone saw the Dyn DDoS attack coming.
Gizmodo published a list of websites their readers had trouble accessing. They listed 85 companies directly affected, ranging from news outlets and social media sites to web-based tools businesses use daily. After careful inspection of the sites mentioned, I started reading about user experiences during the event to better understand what it was like to have some of these applications down. It became apparent that organizations that might not have been affected directly may have been affected indirectly – at least to some degree.
I have compiled a list, sorted by company department, of some of the web-based apps affected and have used my own experiences that day or the experiences of others to illustrate the possible impact. Links to tweets from the directly affected company and the replies are included. However, since Twitter was also affected, data was limited.
Product Development and Project Management
- Teams that collaborate and manage projects using Basecamp could have been in the dark on what they should be working on, when things were due, and what needed to be finished.
- Businesses that share files using Box may have been unable to access some of their documents.
- Groups hosting an event through Eventbrite may have missed ticketing opportunities.
- Companies needing to send messages to their database with ConstantContact may have been unable to do so.
- Websites using Wufoo forms could have lost new leads.
- Companies looking to hire talent may have been unable to use Indeed to find candidates.
- Survey deadlines probably had to be extended or survey analysis delayed for companies using Qualtrics and Survey Monkey.
- Accepting payment for goods or services with PayPal was spotty.
- Businesses using Shopify may have lost sales opportunities.
- Companies using Intercom may not have been able to communicate with website visitors, engage customers with email, or answer customer questions.
- Sales staff could have been slowed if they used Zoho CRM for leads, prospects, and customers.
- Companies and freelancers using Freshbooks may have been unable to send invoices or manage their books.
These scenarios range from a mild nuisance to a real problem. Some users were patient while others expressed strong emotions. It appears that all of the directly affected companies were doing everything possible to restore service as quickly as possible. But they were limited in what they could control. It does not appear that the DDoS attack went after any of these web-based companies specifically, and the nature of the attack seemed to be focused on service disruption rather than data breach.
What enterprises can do to prepare for the next DDoS attack
When a hurricane approaches, businesses in its path start preparing for the worst. They board up windows, raise furniture off the ground, protect assets, move data offsite, and start executing their disaster plan. After Hurricane Katrina hit New Orleans in August 2005, the effects were felt by businesses and government agencies all along the Gulf Coast. Many had never seen devastation like that before. Everyone started asking, “What if that happened here?” I was a system administrator in Lake Charles, a city about 200 miles west of New Orleans, and almost immediately I was asked to help formulate a disaster plan for our IT assets and data. A month later, we put the plan into action when Hurricane Rita hit us. I fled to Oklahoma and our agency was disrupted for 2 weeks as the entire city was essentially shut down.
The next DDoS attack could strike anywhere at any time. Enterprises should be asking, “What if that happened to us?” Creating a plan before it happens makes it easier to handle when it does happen. It doesn’t take a direct attack to experience a disruption in services. Develop a contingency plan for service disruptions that are out of your control too. And if you want to see how your own network or data center will respond if you experience a direct DDoS attack, test it with the Ixia Security Testing Platform.