Think DDoS Doesn’t Affect You? Think Again, Device Owners (and Think $)

Every time you turn around it seems as though there’s a new crisis, a burgeoning social issue, or another part of the world is in turmoil. As much as you may want to care about everyone and everything and every single issue, it’s simply impossible. Between terrorism, racism, misogyny, school shootings, volcanic eruptions, wildfires and global warming it can be hard to make room to fret about, say, plastic in the ocean. Even if you love dolphins. As a society we are reaching the upper limit of our ability to care.

So, it’s understandable if at some point you found out your smart devices are very likely contributing to the DDoS epidemic and you thought to yourself that’s too bad and then you did not think about it again. However, there is a good reason to reconsider any apathy you may have in regards to DDoS attacks: it turns out you don’t have to be on the receiving end of a DDoS attack to have it cost you your hard-earned money.

Unauthorized use

Device owners could find themselves paying up due to a distributed denial of service attack because of the very nature of these attacks. DDoS attacks are essentially involuntarily crowd-sourced cyber attacks. Cyber criminals employ malware to gain control over computers and – more frequently – unsecured or under-secured IoT devices all over the world, assembling said devices into botnets that are then used to smash targeted websites or online services with enough illegitimate requests or malicious traffic to cause serious performance issues, often leaving the victim offline.

Leave aside what DDoS attacks do to victim businesses and websites, for the time being. Forget the six or even seven-figure damages that can stem from these attacks as well as the dented reputation and degraded customer or user loyalty. Focus on the unwitting owners whose devices are being recruited into botnets by the hundreds of thousands and what could be happening to them.

Would you let someone you don’t know cook with your oven whenever they pleased? Do their laundry in your washing machine? Rinse off in your shower? No, you wouldn’t, and not just because it’s creepy for someone you don’t know to use your things. Using those things consume resources, and those resources cost money.

See where this is going?

Eye on Mirai

IoT botnets have become a tremendous problem for cyber security. As mentioned above, so-called smart devices tend to not be intelligently secured by either the manufacturer or owner, and botnet builders are having a field day making botnets of incredible sizes as a result. There is no way to mention IoT botnets without mentioning Mirai, the botnet that arguably brought distributed denial of service attacks into the mainstream by thumping famed security blogger Brian Krebs’ website, French web host OVH and the Dyn DNS service provider in short order, each record-setting attack bigger than the last – especially since in this case it’s one of those attacks that has led to the discovery of just how DDoS is draining the wallets of device owners.

The attack on the Krebs on Security website weighed in at a then unheard-of 620 Gbps which came courtesy of 24,000 smart devices ensnared in the Mirai botnet. It has been estimated that the cost of mitigating the attack eventually could have reached millions of dollars for the site’s hosting provider, and while that hideous number may be unsurprising to those familiar with DDoS attacks, what probably wasn’t expected was that the 77-hour attack was estimated by Berkeley-based researchers to have cost device owners nearly $324,000 in bandwidth and power. This works out to about $13.50 per device that owners had to pay to allow a criminal to commit a crime.

Taking action

Unless you’re pretty darn wealthy, your bills ballooning every time an attacker uses your devices to launch a distributed denial of service attack is a good reason to care about the DDoS epidemic. Fortunately, with a few steps you can keep your money in your pocket and help cut down on the rash of attacks ricocheting across the internet.

Firstly, if you can, change the default usernames and passwords on your devices to something much more complex. Secondly, if you have a firewall, get your devices behind it. Thirdly, check the vendor websites of your devices to see if any firmware updates have been issued. If they have been, install them, as these tend to be issued to deal with security vulnerabilities. Fourthly, check those default features to see if there are any you don’t want or need, like Universal Plug and Play. If there are, disable them. Follow these steps and you should be able to cross your IoT devices’ potential for illegal activity off the list of things you need to care about.