A recent, massive attack on a domain name service provider caused tweets, shopping, money transfers, and numerous other online activities to stop dead in their tracks. But what made this service disruption unique was that the hackers used ordinary household connected devices to carry out one of the largest denial-of-service attacks to date, and its scale and reliance on connected devices presented “another type of attack that even state-of-the-art organizations in terms of data security have had to deal with,” said Ed McAndrew, a partner at Ballard Spahr.

DDoS attacks, which “have been around for a long time,” have been successfully “dealt with [in] recent years as the technological controls and tools have gotten better” at preventing the attacks, “redirecting traffic, dumping malicious traffic – often to black holes – and maintaining better resiliency on systems so they don't go down while the DDoS is in play,” McAndrew said, adding “the computing power just hasn't been that great.”

Often these types of attacks are used as part of “a multifaceted cyber attack, incident or a campaign,” he continued, adding, “It’s not unusual to see a DDoS attack that functions as a smokescreen for some other type of nefarious cyber conduct” such as network intrusion or “the exfiltration of data from networks that have been compromised while the DDoS attack is in play.” The DDoS attack can divert resources and attention from other aspects of information security.

According to McAndrew, this attack was unique in at least two key ways.

“First, the scale of the attack was much greater than [what] we’ve previously seen, outside of an attack about a month ago on Krebs on Security,” he said. What also stands out is the method of attack, which involved the “weaponization” of “likely tens of millions of IoT devices . . . that have security features that are not particularly strong.”