DDoS attacks and real-world consequences

DDoS attacks have long been known as some of the most devastating attacks on the internet. Even so, the consequences always seemed to boil down to dollars and cents. Even when a major attack costs a corporation millions of dollars, there’s still a bit of relief in being able to say: hey, it’s just downtime, it’s just money, what’s the big deal?

For most of history, DDoS attacks have been things that – other than that price tag – can’t escape beyond the boundaries of the internet to cause real-world chaos and consequences.

Times have changed, however. The world is more connected than ever and because of that connectivity it’s never been so at risk. The consequences of DDoS attacks are extending far beyond cyberspace, and it turns out downtime is a very big deal when it comes to infrastructure like a power grid.

Denial of essential services

A distributed denial of service attack, or DDoS attack, has been, for quite some time now, a go-to attack type for cybercriminals of all kinds. When a website or online service shuts out legitimate users due to DDoS-induced downtime, it causes immediate frustration, an immediate loss of revenue, an immediate disruption to business processes, and immediate attention on social media and in the traditional media, as well as a long-term loss of loyalty in users and customers that could prove to be the most costly consequence of all. This makes DDoS attacks attractive weapons to businesses looking to gain competitive advantage, activists trying to make a political statement, “entrepreneurs” trying to make money from DDoS ransom notes, shady investors trying to manipulate cryptocurrency values, and of course professional attackers who do the dirty work for all of the above, either with targeted contract attacks or basic DDoS-for-hire services.

Devastating though they may be for the victim (and costly, as mentioned, with per-hour costs typically landing between $20,000 and $100,000), it wasn’t until the last few years that the world began to see what these attacks are truly capable of.

In January of 2016 the Ukrainian power grid was hit with a distributed denial of service attack that left 100,000 people without power. The Estonian, Latvian and Lithuanian power grids have also been the targets of DDoS attacks. These attacks have been more limited in scope than the one that hit Ukraine, and experts believe it is because these attacks are being used to probe for vulnerabilities that could be exploited in larger attacks. For all of the above attacks, the finger of blame has been squarely pointed at Russia, and there is every indication that Russia is ready and able to aim a massive attack at the US power grid.

The idea of a sustained attack on a power grid is a terrifying thing, not just because of the chaos it would cause in the economy and the disruption it would represent to everyday life, but because if it were timed to coincide with a deep cold or other risky environmental condition, it could kill.

DDoS attacks have also been used to stop or delay trains in both Sweden and Denmark, and security researchers fear for critical infrastructure entities including other transportation systems, oil and gas refineries, power plants, water and waste control facilities including dams, and telecommunications. Critical infrastructure is vulnerable to these attacks in large part due to a process control software application called SCADA, which represents a centralized target that requires as close to 100% uptime as possible.

As security researchers grapple with what can be done to stop these potential attacks, the rest of us have to grapple with the idea that a DDoS attack could cause a dam to fail, causing immense flooding and loss of life, or render critical communications systems in a petrochemical plant useless while malicious code attempts to trigger an explosion. This is the connected world we live in.

Acts of cyberwarfare

In 2016 the North Atlantic Treaty Organization (NATO) officially declared cyberspace a domain of warfare, meaning a cyberattack against a member nation could be considered an act of war by the organization. This paves the way for a response that could range from the retaliatory use of cyber weaponry all the way up to an armed response. Since the declaration, nations all over the globe have been rushing to update guidelines that clarify the justification for using cyber weaponry or responding to cyberattacks with force.

While the idea of an invasion in response to a DDoS attack could seem shocking on the surface, with the DDoS capabilities nation states have already demonstrated against critical infrastructure, these declarations and guidelines are becoming increasingly necessary as the so-called war of the future fought in cyberspace inches closer and closer to being the war of right now. With human lives in the balance, the devastation of DDoS attacks is no longer limited to downtime and dollars.