The 1.2Tbps DDoS attack against Dyn is the tip of the iceberg. According to some sources, script kiddies used 100,000 infected devices to launch the attack against Dyn. Now for the scary part: if amateurs were able to cause this much damage with so little effort using just a small percentage of IoT devices, what happens when a well-funded, sophisticated attacker launches an attack using millions of infected devices? In the immediate future, you can bank on 10Tbps DDoS attacks becoming a reality. Not even Akamai can provide protection from that size of an attack.
IoT was supposed to be a boon for humanity, but it has turned out to be a nightmare for the DDoS mitigation industry. Things will get worse once 4k video goes mainstream. Just imagine the complete havoc when millions of IoT 4k-enabled devices launch a DDoS attack – the damage will be unprecedented.
Matthew Prince wrote an excellent analysis on how CloudFlare is able to mitigate large-scale attacks by leveraging the excess bandwidth capacity from their network. However, even CloudFlare will have trouble mitigating attacks that are multiple Tbps in size.
Even the mighty Akamai is at a clear disadvantage in mitigating large-scale DDoS attacks. Josh Shaul, VP of Web Security at Akamai, recently stated that the attack against Krebsonsecurity.com was “the worst denial-of-service attack we’ve ever seen” and “if this kind of attack is sustained, we’re definitely talking millions of dollars in cybersecurity services.” If you read between the lines, the VP is saying two things: 1) The 620Gbps attack on Krebs would have cost Akamai millions of dollars to defend and 2) A 620Gbps DDoS attack is big enough to give Akamai heartburn.
Therefore, Akamai has to ramp up capacity “significantly” if it wants to be the go-to company for DDoS mitigation among the Fortune 1000 and government sector. In other words, they will have to build a Prolexic #2 in-house, if you will. The Prolexic acquisition cost Akamai $370M.