In the last few years we have seen several high-profile Distributed Denial of Service (DDoS) attacks against political and financial targets. Many of us remember the attack against Occupy Central in 2014 and the attack against the Church of Scientology in 2008. The most famous DDoS attack may well be the attack on Dyn in October 2016, which resulted in significant downtime for Twitter, GitHub, Amazon, Netflix, Pinterest, Etsy, Reddit, PayPal, and many other popular sites and services. Because so many popular consumer-facing sites were affected, a good portion of the world is now aware of what a DDoS attack can do.
The Dyn attack was significant for many reasons, including the fact that it was a record-setting event: traffic reportedly reached up to 1.1 Tbps, nearly double the record-setting attack on Brian Krebs’ website a few weeks earlier. Shortly after the attack, Dyn issued a statement explaining that the company was hammered by “a sophisticated, highly distributed attack involving 10s of millions of IP addresses.” Subsequent analysis revealed that only about 100,000 endpoints on the Internet of Things (IoT) were used to initiate the attack. Most of these endpoints were part of the Mirai botnet, which consists of devices like CCTV cameras, DVRs, and routers infected by the Mirai malware, whose source code had been published weeks before the attack and is now available to anyone.
The 2016 attack against Dyn consisted of IoT devices sending repeated DNS requests to the Dyn Managed DNS infrastructure. This gave a relatively small number of infected devices the capability to generate an unusually large amount of traffic against a target. During the attack, legitimate DNS requests went unanswered, and the recursive resolvers behind those requests did what resolvers are designed to do: they retried. In short, the botnet amplified its own traffic with legitimate retry traffic from sources that were operating exactly as designed. Dyn’s Scott Hilton provided a more thorough explanation in Dyn’s published analysis of the attack.
While various technology communities were still running post-mortems on the Dyn attack, another attack was launched against the country of Liberia.
The popularity and effectiveness of IoT attacks reveal two things very clearly:
- IoT devices are not secured. A recent survey found that 88% of IoT device owners are concerned that IoT devices may be accessible to hackers, yet 50% of respondents have either not changed the default login/password on their home or business router or can’t remember changing it. Mirai in particular spread by logging in over telnet with a short list of factory-default usernames and passwords; no exploit was needed.
- IoT firmware is not updated. Many manufacturers release updates on a regular basis to improve features and fix bugs and vulnerabilities. Installing these updates is often the only action an owner can take to prevent an attacker from using a known exploit to hijack a device.
Additionally, with the explosion of the Internet of Things, it is clear that the exploitation of IoT devices is just beginning. Among security experts, it’s widely believed that IoT botnet harvesting has been happening for some time. As we add more intelligence to our IoT devices, it’s increasingly important that we secure them properly. It’s not just a matter of service availability; these attacks are often used to distract victims from the criminal’s true mission, which may be to deploy malware on the network or steal data from the company. These attacks may also be part of an extortion attempt. Here’s an example of such a demand, quoted by Brian Krebs:
“If you will not pay in time, DDoS attack will start, your web-services will go down permanently. After that, price to stop will be increased to 5 BTC with further increment of 5 BTC for every day of attack.
NOTE, I’m not joking.
My attack are extremely powerful now – now average 700-800Gbps, sometimes over 1 Tbps per second. It will pass any remote protections, no current protection systems can help.”
Infecting insecure IoT devices with readily accessible Mirai code is much easier than compromising a well-defended enterprise network. Instead of profiting from a ransomware attack, criminals try to profit by threatening to attack if the victim doesn’t pay.
The brute force leveraged by these huge botnets of poorly managed devices makes it increasingly attractive for attackers to go after infrastructure services such as managed DNS, which exist precisely to absorb failures and keep sites available. In the Dyn attack, the idea was to break the services that were supposed to be unbreakable. For many years, the consensus was that the cost to an attacker of building a botnet capable of taking down a provider like Dyn would simply be too high to waste on a brute-force attack. That’s why big names like Twitter delegated some of their tasks to Dyn; it seemed like the safest course of action.
Now, everyone who was paying attention knows that even the safest course of action isn’t always safe. The attacks in 2016 showed a level of scalability and amplification that we had not seen before.
A chilling aspect of these attacks is that the devices in the Mirai botnet showed no visible degradation while being misused, so they can be used repeatedly without the owners ever noticing a problem. Mirai runs only in memory and is wiped by a reboot, but a rebooted device with its default credentials still in place is typically reinfected within minutes. This means that the owners will not attempt to clean the device or reclaim full ownership, and that is true even for savvy IoT device owners. If my smart TV participated in the attack, I would not have noticed and would continue to kindly provide it for the next wave. However, the owners of the devices in the Mirai botnet are victims of the attack too, and could suffer the consequences:
- If your IP is identified as the source of an attack, you could be banned from certain websites and services, or investigated by authorities.
- Data transmitted or stored by smart devices could be collected and used by criminals. Banking credentials and other sensitive information may be compromised.
- One infected device could help a criminal explore your network and learn more about your connected home. Smart thermostats, locks, lights, smoke detectors, and more, could all be exposed to an attacker.
- Malicious software such as a ransomware variant that is successfully deployed on any device in the network could potentially be spread to other devices, including desktops.
What can you do?
Proactive management is the key to securing your own IoT devices. This means changing the default credentials when you get a new device, locking down your devices and your network where you can (disabling remote management and unused services such as telnet, and not exposing device admin interfaces to the internet), and updating firmware when updates are available. Put your devices on a maintenance schedule, similar to what you might have for your car or your work environment. Time to change your password at work? Change your passwords at home too. Time for computer updates? Check for updates to your router at the same time. Building habits like this can protect you from participating in the next attack.
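An infected device looks healthy to its owner, so the practical way to notice one is to watch what it does on the network. Mirai’s scanner hunts for new victims by opening TCP connections to port 23 (and sometimes 2323) on many random hosts, which is something a camera or DVR has no reason to do. The following is an added example, not code from the original post or from any product mentioned in it: it reads constructed flow records (timestamp, source, destination, protocol, destination port, TCP flags; the format, the addresses and the threshold values are all assumptions made for the example) and flags any LAN host that sends SYNs to telnet ports on an unusual number of distinct destinations within a short window. Most home routers and any firewall that exports flow or connection logs can provide equivalent input.

```python
from collections import Counter, defaultdict

# Constructed sample flow records (not a real capture).
# Format (assumed for this example): "epoch src dst proto dport tcp_flags"
# 192.168.1.20 behaves like a Mirai scanner, 192.168.1.40 is an admin
# touching two local devices, 192.168.1.30 is ordinary HTTPS traffic.
SAMPLE_FLOWS = """\
1477000000 192.168.1.30 198.51.100.10 tcp 443 S
1477000001 192.168.1.20 203.0.113.1 tcp 23 S
1477000002 192.168.1.20 203.0.113.2 tcp 23 S
1477000003 192.168.1.20 203.0.113.3 tcp 2323 S
1477000004 192.168.1.20 203.0.113.4 tcp 23 S
1477000005 192.168.1.20 203.0.113.5 tcp 23 S
1477000006 192.168.1.20 203.0.113.6 tcp 23 S
1477000007 192.168.1.20 203.0.113.7 tcp 23 S
1477000008 192.168.1.20 203.0.113.8 tcp 23 S
1477000009 192.168.1.20 203.0.113.9 tcp 2323 S
1477000010 192.168.1.20 203.0.113.10 tcp 23 S
1477000011 192.168.1.20 203.0.113.11 tcp 23 S
1477000012 192.168.1.20 203.0.113.12 tcp 23 S
1477000013 192.168.1.40 192.168.1.1 tcp 23 S
1477000020 192.168.1.40 192.168.1.50 tcp 23 S
1477000030 192.168.1.30 198.51.100.11 tcp 443 S
1477000500 192.168.1.20 203.0.113.13 tcp 23 S
"""

# Ports Mirai's scanner targets for telnet logins.
TELNET_PORTS = {23, 2323}


def parse_flows(text):
    """Parse the whitespace-separated flow format above into dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, flags = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport),
                      "flags": flags})
    return flows


def find_telnet_scanners(flows, window=60, threshold=10):
    """Return {src: peak_distinct_destinations} for every source that sent
    pure SYNs to telnet ports on at least `threshold` distinct hosts inside
    any `window`-second span. Only outbound SYNs count: a flags value of
    "S" with no ACK is a new connection attempt, not a reply."""
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] in TELNET_PORTS and f["flags"] == "S":
            by_src[f["src"]].append((f["ts"], f["dst"]))

    suspects = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # distinct destinations in the current window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window forward, dropping events older than `window`.
            while events[left][0] < ts - window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            suspects[src] = peak
    return suspects


if __name__ == "__main__":
    for src, n in find_telnet_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {n} distinct telnet targets within 60s, likely scanning")
```

The threshold is deliberately a count of distinct destinations rather than raw connection attempts, so a legitimate administrator reconnecting to one device many times is not flagged, while a scanner that touches a dozen strangers in a minute is. A host that trips this check should be taken off the network and have its firmware updated and credentials changed before it is reconnected; the same sliding-window logic applies to outbound UDP floods if you swap the port filter for a packets-per-second count.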