By Nate Christoffels   /   Oct 25th, 2016

IoT Ushers in a New Era of DDoS Attacks

By now, you’ve almost certainly heard about the crippling distributed-denial-of-service (DDoS) attacks launched against DNS service company Dyn last Friday (10/21/2016).  Throughout the day, Dyn reported three separate attacks, affecting several major websites.  Netflix, Amazon, Twitter, and Reddit were among the dozens of sites affected by the attack, suffering downtime that continued for several hours in some cases.

In the last month, the cybersecurity industry has witnessed the size of the largest DDoS attacks nearly double.  French web host OVH reported a record 1.1 terabyte-per-second (Tbps) attack on September 19th 2016, and mentioned a second large follow-up attack of 901 Gbps soon after.  OVH isn’t alone in reporting huge attacks recently: investigative journalist Brian Krebs’ site suffered a sustained DDoS attack on September 20th that clocked in at 665 Gbps.  To put these numbers in perspective, the largest attack seen by Krebs’ hosting provider before this was only 363 Gbps, and the entire nation of Egypt had an international bandwidth of less than 1,000 Gbps in June 2016.

Where are these attacks coming from?

[Image: IoT devices. Image via Wikimedia Commons]

Criminals are getting the hardware for these attacks from a massive botnet comprised mostly of Closed Circuit Television (CCTV) cameras, but also including DVRs, routers, and other internet-enabled devices.  As the Internet of Things (IoT) continues to grow, malicious actors on the web have access to a larger and larger supply of “smart” devices that can be infected.  Up to 46,000 cameras have administrative passwords that are hard-coded and unchangeable by the end user, an unfortunate security hole that allows attackers to take over without meeting any resistance at all.  Many other smart devices have never had their default password changed, and are easily accessible online.  The two most widely encountered malware families used for building botnets, Mirai and BASHLITE, include a tool that identifies IP addresses that are likely to be IoT devices and then attempts to gain access by entering possible default passwords.

Once an attacker has infected an internet-connected camera or device, the machine is used along with other infected IPs in a DDoS attack.  The devices flood websites with requests in an attempt to overwhelm systems and cause the site to become inaccessible to legitimate users.  Recently, a leaker released the source code behind Mirai, a particularly successful botnet malware.  While the Mirai leak may be interesting to security researchers, a surge in attack numbers hints that the tool is now being used by many more operators than before the leak.  Large-scale DDoS attacks will likely be seen much more often as knowledge of the leaked code spreads and improved versions of the program appear.

So what can you do?

There are some options available to defend against unwittingly becoming part of somebody else’s DDoS attack.  Botnet malware often exists only in the host device’s memory, so the device should be rebooted to remove it.  Owners of internet-enabled smart devices should then change their default administrative passwords as soon as possible to avoid becoming re-infected.  All remote access to smart devices should also be disabled, though this may prove impractical for many users.  Of course, research should be done before buying an internet-enabled device to ensure that the administrative password can be changed in the first place.

The answer to DDoS attacks may also lie with Internet Service Providers.  ISPs have one helpful method of mitigating attacks: they can filter incoming traffic through a “scrubbing center” which analyzes and blocks garbage requests.  These scrubbing centers are expensive, however, and costs will most likely be passed on to customers.  They are also only used once an attack has been reported, which means that the victim’s service will likely suffer at least some downtime before the scrubbing center is brought into play.

Unfortunately for the online world, DDoS attacks are going to continue to become more common as the Internet of Things expands and malware programs become easily found online by aspiring attackers.  As always, network administrators should be on the lookout for strange traffic originating from their devices and should ensure that strong passwords are used throughout their organization.
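The two behaviours described in this article, a compromised device probing other hosts on telnet with default passwords and a compromised device flooding a single target, both show up as outbound traffic patterns that an administrator can watch for.  The script below is an added example, not code from the original post or from LMG Security.  It reads simple space-separated flow records (a constructed format: timestamp, source IP, destination IP, destination port, bytes), groups them by source device and time window, and flags a device that touches many distinct hosts on the telnet ports (23 and 2323) or that opens an unusually large number of flows to one destination.  The sample flows and the thresholds are assumptions chosen for illustration; a real deployment would feed it NetFlow or firewall logs and tune the thresholds to the site.

```python
"""Flag internal devices whose outbound traffic resembles IoT-botnet activity.

Added example; the flow format, sample data and thresholds are all constructed
assumptions, not taken from the article or from any real product.
"""
from collections import defaultdict

SCAN_PORTS = {23, 2323}        # telnet ports that Mirai-era bots brute-forced
SCAN_MIN_DISTINCT_DSTS = 10    # assumption: this many hosts probed in one window
FLOOD_MIN_FLOWS = 200          # assumption: this many flows to one dst:port per window
WINDOW_SECONDS = 60            # fixed time bucket for the counters


def parse_flow_line(line):
    """Parse 'ts src_ip dst_ip dst_port bytes' into a tuple (constructed format)."""
    ts, src, dst, port, nbytes = line.split()
    return int(ts), src, dst, int(port), int(nbytes)


def analyze(flows, window=WINDOW_SECONDS):
    """Return {src_ip: [finding, ...]} for sources with scan- or flood-like traffic."""
    scan_targets = defaultdict(set)   # (src, bucket) -> distinct hosts probed on telnet ports
    flow_counts = defaultdict(int)    # (src, bucket, dst, port) -> number of flows
    for ts, src, dst, port, _nbytes in flows:
        bucket = ts // window
        if port in SCAN_PORTS:
            scan_targets[(src, bucket)].add(dst)
        flow_counts[(src, bucket, dst, port)] += 1

    findings = defaultdict(list)
    for (src, bucket), dsts in scan_targets.items():
        if len(dsts) >= SCAN_MIN_DISTINCT_DSTS:
            findings[src].append(
                f"telnet scan: {len(dsts)} hosts probed on ports "
                f"{sorted(SCAN_PORTS)} in window {bucket}")
    for (src, bucket, dst, port), n in flow_counts.items():
        if n >= FLOOD_MIN_FLOWS:
            findings[src].append(
                f"possible flood: {n} flows to {dst}:{port} in window {bucket}")
    return dict(findings)


def build_sample_flow_lines():
    """Constructed sample: a normal client, a telnet scanner and a flooder."""
    lines = []
    base = 1477000000
    # 10.0.0.12: ordinary browsing, a handful of HTTPS flows to one server
    for i in range(5):
        lines.append(f"{base + i} 10.0.0.12 93.184.216.34 443 2000")
    # 10.0.0.40: probes telnet on 30 different hosts within ten seconds
    for i in range(30):
        port = 23 if i % 2 == 0 else 2323
        lines.append(f"{base + i // 3} 10.0.0.40 203.0.113.{i + 1} {port} 60")
    # 10.0.0.77: 500 tiny flows to a single web server within ten seconds
    for i in range(500):
        lines.append(f"{base + i // 50} 10.0.0.77 198.51.100.9 80 40")
    return lines


def run_sample():
    """Parse the constructed sample and return the findings dictionary."""
    flows = [parse_flow_line(line) for line in build_sample_flow_lines()]
    return analyze(flows)


if __name__ == "__main__":
    for src, notes in sorted(run_sample().items()):
        for note in notes:
            print(f"{src}: {note}")
```

On the constructed sample the normal client produces nothing, the scanner is reported once for its 30 distinct telnet targets, and the flooder once for its 500 flows to one destination.  Fixed time buckets keep the code short; a production detector would use a sliding window and whitelist known-busy devices so that a backup server or a monitoring host is not mistaken for a flooder.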

If you have any questions or comments about DDoS attacks or anything else mentioned in this article, send an email to [email protected].

About the Author

Nate Christoffels

Nate Christoffels is the Sales Team Manager at LMG Security.
