Toothbrush Botnet Army and DDoS Attacks

By Karla Reffold

Gaining attention this week was the claim that 3 million toothbrushes were compromised to launch a distributed denial-of-service (DDoS) attack against a Swiss company. While this has since been clarified as a hypothetical scenario, it has put DDoS attacks in the news. Hypothetical cyber scenarios are troublesome because they can draw attention away from more realistic risks.

The initial story claimed that the smart toothbrushes could be compromised and then used to flood a company’s website with traffic, resulting in a denial of service to that website. The combined power of these toothbrushes, or any smart device, could be harnessed to create a “botnet army” with a serious impact.

One of the more serious DDoS stories from this week involved the court system of Pennsylvania. The attack caused significant disruption by taking down the court’s payment and attorney filing systems, demonstrating the effect a cyber incident can have on public services.

DDoS attacks can be sophisticated. For example, in October 2023 Google mitigated the largest DDoS attack seen to date.[1] The attack leveraged a zero-day vulnerability and a (then) new technique known as Rapid Reset. At the same time, DDoS attacks are often used by low-skilled or low-resourced threat actors because of their simplicity, and hacktivist groups frequently use them to cause disruption. There has also been an increase in ransomware groups threatening DDoS attacks against victims who have not paid.

As seen in Pennsylvania, DDoS attacks can cause serious disruption to business operations. Small and medium-sized businesses are often vulnerable to these types of attacks. While historically they may not have been targets for groups that would leverage a DDoS attack, this is shifting because of the behavior of ransomware groups.

Companies concerned about DDoS attacks should consider the following cyber risk mitigations:

  • Limit the attack surface, for example by blocking traffic on unused ports
  • Ensure you have redundant capacity available that could withstand an attack
  • Implement rate limiting on exposed websites or applications
  • Utilize any DDoS protection available from your cloud provider or website host
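The rate-limiting mitigation above, as an added example that is not code from the original post: a per-client token-bucket limiter run over constructed traffic, one client sending a request per second beside one sending 500 requests in a single second. The client addresses, burst size and refill rate are assumptions chosen for the illustration.

```python
"""Per-client token-bucket rate limiter (hypothetical example written for this
post). Integer millisecond timestamps and 'millitokens' keep the math exact."""
from dataclasses import dataclass

COST_PER_REQUEST = 1000  # one request costs 1000 millitokens (one token)

@dataclass
class Bucket:
    tokens: int   # current millitokens
    last_ms: int  # timestamp of the last refill

class RateLimiter:
    def __init__(self, burst: int, per_second: int):
        self.capacity = burst * 1000     # burst size in millitokens
        self.refill_per_ms = per_second  # N tokens/s == N millitokens/ms
        self.buckets: dict[str, Bucket] = {}

    def allow(self, client: str, now_ms: int) -> bool:
        b = self.buckets.get(client)
        if b is None:
            b = Bucket(tokens=self.capacity, last_ms=now_ms)  # new clients start full
            self.buckets[client] = b
        # Refill in proportion to elapsed time, never above the burst capacity.
        b.tokens = min(self.capacity, b.tokens + (now_ms - b.last_ms) * self.refill_per_ms)
        b.last_ms = now_ms
        if b.tokens >= COST_PER_REQUEST:
            b.tokens -= COST_PER_REQUEST
            return True
        return False  # bucket empty: drop or answer 429 instead of serving

def simulate(requests, burst=10, per_second=5):
    """Feed (time_ms, client) pairs through one limiter; return per-client counts."""
    limiter = RateLimiter(burst, per_second)
    stats: dict[str, dict[str, int]] = {}
    for now_ms, client in sorted(requests):
        verdict = "allowed" if limiter.allow(client, now_ms) else "dropped"
        stats.setdefault(client, {"allowed": 0, "dropped": 0})[verdict] += 1
    return stats

# Constructed traffic using documentation-range addresses: a browser at
# 1 request/s for 10 s, and a flood source sending 500 requests in one second.
NORMAL_CLIENT = "203.0.113.7"
FLOOD_CLIENT = "198.51.100.99"
REQUESTS = [(s * 1000, NORMAL_CLIENT) for s in range(10)] + \
           [(i * 2, FLOOD_CLIENT) for i in range(500)]

if __name__ == "__main__":
    for client, s in simulate(REQUESTS).items():
        print(f"{client:>15}: allowed={s['allowed']:4d} dropped={s['dropped']:4d}")
```

With a burst of 10 and a refill of 5 tokens/s, the normal client is never throttled while the flood source gets only 14 of its 500 requests through.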

While we probably don’t need to worry about a toothbrush army, we do need to worry about DDoS attacks and the business interruption they can cause. Expect to see more of this as attackers look to leverage that risk.

[1] https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps

Published On: February 9, 2024. Categories: Blog, Resources
