On Friday, October 21, a series of Distributed Denial of Service (DDoS) attacks were launched against the servers of Dyn, a major DNS host. DNS hosts operate in a manner akin to a switchboard for the Internet, helping to route domain names (e.g., dataprotectionreport.com) to underlying IP addresses (e.g., 184.108.40.206). By attacking Dyn, hackers were able to prevent end-users from reaching the websites and online services that relied on Dyn, including Netflix, Twitter, Spotify, SoundCloud, Amazon, AirBnB, Reddit, PayPal, Pinterest, CNN, Fox News, the Guardian, the New York Times, and the Wall Street Journal. In a statement, Dyn described the attack as “a sophisticated, highly distributed attack involving 10s of millions of IP addresses.”
Unlike a typical DDoS attack, which usually occurs when a website is intentionally overwhelmed by traffic from traditional computers, news reports suggest that the Dyn DDoS attack harnessed “Internet of Things” devices. According to one report, hackers used up to 100,000 Internet-connected devices that had been infected with malicious code to form a “botnet” and attack Dyn with Internet traffic as high as 1.2 Terabytes-per-second, which reportedly is 40 to 50 times higher than normal. The incident is still under investigation by authorities.
Costs of the Attack
According to a 2014 report, a DDoS attack can cost affected companies up to $40,000 for every hour of the attack. Although Dyn was able to mitigate the incident within two hours of the attack, the brief period of service disruption affected many high-traffic websites. The significance of this attack lies in the fact that it did not target a specific company, but rather the DNS infrastructure that operates in a manner akin to a switchboard for the Internet. The temporary denial of service to both Dyn and the websites and online services that relied upon Dyn has already caused significant financial losses. However, Dyn customers that used multiple DNS providers reportedly faced only 10-15 minutes of downtime.
Unprecedented cyberattacks of this scale and magnitude are a reminder of how fragile the Internet infrastructure can be without appropriate defenses. Cyberattacks, such as DDoS and ransomware attacks, can pose significant financial and reputational risks to affected companies. Taking a proactive role in preparing to guard against cyberattacks is highly advisable.
One way companies can prepare for cyberattacks is to review their existing cyber defenses by mapping them against an existing cybersecurity framework, such as the NIST Cybersecurity Framework. A company can then seek to fill any gaps that it identifies in its assessment. Companies that are not yet prepared to conduct a full review of their cybersecurity practices may wish to consider other cybersecurity guidance from the FTC, FBI, DHS, HHS Office of Civil Rights, and the California Attorney General.