Security researchers at Netflix unleashed a unique kind of DDoS attack that turned its digital defenses against itself, highlighting what could be an industry-wide flaw among major companies offering web-based services.
DDos—or Distributed Denial of Service—attacks usually work by flooding websites or services with fake traffic requests until the sites freeze up or crash. Companies, like Netflix, have systems in place to deflect DDoS attacks and handle the surge of traffic thrown their way.
According to Wired, Netflix security engineer Scott Behrens dreamed up a nightmare version of a DDoS that attacks through Netflix’s API, acting like a gateway designed to give permission to certain companies’ requests. Behind the API, Netflix’s DDoS defenses are non-existent and Behrens found this out by attacking the system himself.
Although its not commonly deployed, an attack like this could not only take down Netflix but some of the biggest internet service providers that use similar APIs, according to Wired. On Friday, Behrens released two open-source so that other companies could test their systems for similar flaws.
“It’s a cat-and-mouse game, so we just continue to try to find ways to make our testing more sophisticated and then build in stronger remediations,” he told Wired.
This article was featured in the InsideHook newsletter. Sign up now.
