Three Reasons Mobile DDoS Never Materialized

In my previous SecurityWeek column “Where is the Android DDoS Armageddon,” I looked at the reports that showed that mobile DDoS just isn’t a thing. Malicious mobile malware (say that three times fast with a cracker in your mouth) is barely a thing, either, once annoyance adware is removed.

But why aren’t the one billion Android mobile handsets being leveraged as attack clients? I put this question to Ken Scott, a ten-year veteran of DDoS defense, and Brian McHenry, a Security Architect, both with F5. Between them, they offered three main reasons: apps, better browser sandboxing, and service provider control. Ken Scott states:

“For my own experience in DDoS, I'd say the real reason there isn't a huge number of infections is that mobile phones are used to run apps as opposed to desktops running browsers. Browsers are exposed to many, many more sites that can infect them. Even if you just go to one site, their rotating ad network can infect you.

On the other hand, most apps are direct from client to the server with a much higher monetization value on mobile users; therefore you have less shenanigans in mobile ad infections.”

This makes sense when you think about it. When I load my United Airlines application on my iPhone, it is only contacting United Airlines services. The exposure is limited. I don’t use the browsers on my phone—they’re just so inefficient and clumsy compared to the desktop browsers. I suspect many other users feel the same way about their mobile browsers.

Ken also states that “[s]ince there's no shortage of Desktop and Wordpress-style server exploits with direct fiber links, there's no need to build a bot of phones.”

McHenry says that even users who do use their mobile browsers aren’t likely to get truly malicious malware because mobile browsers have been better sandboxed from the underlying operating system than their desktop counterparts. He elaborates, “It will be interesting to see how improvements in browser security and the deprecation of Java and Flash applets improves the infection rates, even on desktops. Downloading an .exe or .dmg/.pkg on a desktop is still a problem, but more easily contained and detected than with Java and Flash.”

Lastly, data connections from mobile handsets nearly always go through the carrier providers’ mobile core network before they hit the Internet. These networks, while not bulletproof, are at least under the control of a single entity. The carriers, after all, finally have enough visibility to start enforcing usage caps on individual handsets. This means that they may have enough visibility and control to stop a DDoS on a per-handset basis, if it ever comes to that.

So while we in the security industry had been busy getting our panties in a bunch about the coming Android DDoS explosion, it never materialized. DDoS continues to wax and wane in unpredictable cycles, but the ecosystem has evolved to keep it out of the mobile space.

At least, for now.

David Holmes is an evangelist for F5 Networks' security solutions, with an emphasis on distributed denial of service attacks, cryptography and firewall technology. He has spoken at conferences such as RSA, InfoSec and Gartner Data Center. Holmes has authored white papers on security topics from the modern DDoS threat spectrum to new paradigms of firewall management. Since joining F5 in 2001, Holmes has helped design system and core security features of F5's Traffic Management Operating System (TMOS). Prior to joining F5, Holmes served as Vice President of Engineering at Dvorak Development. With more than 20 years of experience in security and product engineering, Holmes has contributed to security-related open source software projects such as OpenSSL. Follow David Holmes on twitter @Dholmesf5.