The holiday season is upon us, and the biggest days for retailers to make their 2016 plan commitments is coming. The popularity of online shopping always seems to claim a few retailers every year who did not plan capacity accordingly. We’ve seen both Black Friday and Cyber Monday shut down websites in the past, and even though elastic computing has grown in popularity, we can expect one or two that under planned their capacity for this year.

my bank sucks, by B Rosen

my bank sucks, by B Rosen

But this post is not about poor IT capacity planning—it’s about the latest string of Distributed Denial of Service (DDoS) attacks that has claimed a number of prominent web properties over the last month. Internet of Things (IoT) devices, when improperly designed, can be leveraged to create armies of Internet bots that can flood sites with traffic on demand. Marai is the latest botnet that threatens to take down any network due to the sheer volume of traffic it generates. From Krebs to Netflix, this new botnet is getting lots of publicity after its creators released the source code in late September, allowing anyone to modify, improve, and deploy its code for good and evil. I’d imagine the controller of such a botnet could inflict quite a bit of real economic damage to a retailer depending on its networks for every day retail operations.

Think for a second about your favorite (or perhaps least favorite) retailer and what the CIO is doing right now to prepare. His teams are finishing last minute infrastructure changes, applying patches, and completing any task needed to ensure that they can enter the freeze from a relatively defensible position and support the business throughout the holiday season. CIOs should also have a solid anti-DDoS vendor in place that could mitigate a large-scale DDoS attack from Marai to be launched from Nov 25-28 of this year.

Depending on who controls the majority of these vulnerable devices at that time, it’s not unreasonable to expect that the botnet could be directed towards both retail and financial services companies that fuel the global economy. If victims cannot successfully mitigate a DDoS attack of the scale we are now seeing, the lack of purchases could mean millions or even billions of dollars of lost opportunity for key retailers.

Perhaps this is the first time in our history where the threat of economic damage from thousands of smart toasters is real.

This post originally appeared on