Hackers are leveraging IoT connected devices in massive DDoS Attacks.
Box, CNN, Etsy, Guardian, HBO Now, PayPal, Pinterest, Twitter, Fox News, Shopify, New York Times, BBC, The Wall Street Journal and Zillow. The list reads like a who's who of the world's most popular websites, and all were among the victims of Friday's (21 October 2016) large-scale internet outage.
While it is still unclear where the attack originated, what is clear is that internet-based technology is expanding so rapidly that the security needed to protect it has been left behind. As the internet continues to evolve at breakneck speed, hackers are evolving right along with it, leaving everyone to grapple with a technological gap that is all too easily exploited.
“DDoS attacks have been growing over the last 10 years and this leveraging of IoT devices is only going to exacerbate the issue.”
Richard Meeus – technical director EMEA at NSFOCUS
What caused the shutdown?
Friday's wide-scale disruption was due to a distributed denial of service (DDoS) attack, in particular one aimed at the servers of Dyn, a major managed DNS provider that runs the authoritative name servers for many popular domains.
To understand how a DDoS attack is able to disrupt so many websites, it is important to understand the function of domain name system servers (DNS servers).
Essentially, DNS servers are the internet's switchboard operators. They hold a directory of domain names and translate those names into Internet Protocol (IP) addresses. This is necessary because domain names are easy for people to remember, while computers reach websites by IP address. When a user types a web address like mice-360.com, the user's recursive resolver (usually run by the internet service provider) first checks its own cache and, if it holds no fresh answer, asks the domain's authoritative name servers, which for the affected sites were operated by Dyn. The authoritative server returns the computer-friendly IP address (for example 188.8.131.52), the resolver caches that answer for the time-to-live (TTL) the domain owner has set, and the browser connects to the site.
In Friday's attack the switchboard operators themselves were the target: the attacker bombarded Dyn's authoritative servers with a barrage of queries and junk traffic. Servers overwhelmed by that torrent slow down or stop answering, and once the cached answers held by resolvers around the world expire, those resolvers can no longer learn the IP addresses of the affected domains. Users then cannot reach the sites even though the sites' own web servers are up and running, which is why a single target produced such a long list of casualties.
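To make that mechanism concrete, here is an added example (not code from the article or from Dyn) that simulates a caching resolver in front of one or two authoritative servers. The hostname, the addresses, the server names and the 300-second TTL are all constructed for the example. It shows that cached answers keep working while the provider is under attack, that lookups start failing once the TTL expires, and that a second authoritative provider serving the same zone keeps the name resolvable.

```python
"""Simulated caching resolver in front of authoritative DNS servers.

Added example, not code from the original article or from Dyn. All
hostnames, addresses, server names and TTLs are constructed.
"""
import time


class AuthoritativeServer:
    """One provider's authoritative name server for a zone.
    'reachable' models whether it can still answer under a DDoS."""

    def __init__(self, name, zone):
        self.name = name
        self.zone = zone            # hostname -> (ip, ttl_seconds)
        self.reachable = True

    def query(self, hostname):
        if not self.reachable:
            raise TimeoutError(f"{self.name} did not respond")
        if hostname not in self.zone:
            raise LookupError(f"{hostname} is not in the zone on {self.name}")
        return self.zone[hostname]


class CachingResolver:
    """A recursive resolver such as an ISP runs. It serves cached answers
    until their TTL expires and only then asks the authoritative servers,
    trying them in order like the NS records of a zone."""

    def __init__(self, servers, clock=time.monotonic):
        self.servers = servers
        self.clock = clock
        self.cache = {}             # hostname -> (ip, expires_at)

    def resolve(self, hostname):
        now = self.clock()
        cached = self.cache.get(hostname)
        if cached and cached[1] > now:
            return cached[0]        # fresh cached answer, no upstream query
        errors = []
        for server in self.servers:
            try:
                ip, ttl = server.query(hostname)
            except (TimeoutError, LookupError) as exc:
                errors.append(str(exc))
                continue
            self.cache[hostname] = (ip, now + ttl)
            return ip
        raise TimeoutError("no authoritative server answered: " + "; ".join(errors))


class FakeClock:
    """Deterministic clock so the scenario is reproducible offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def run_scenario(second_provider):
    """Resolve a name before, during and after an attack on provider A.
    Returns the answer obtained at each stage, or None when resolution fails."""
    host = "www.example.com"                         # constructed name
    zone = {host: ("192.0.2.10", 300)}               # 300 s TTL, documentation IP
    primary = AuthoritativeServer("ns1.provider-a.example", dict(zone))
    servers = [primary]
    if second_provider:
        servers.append(AuthoritativeServer("ns1.provider-b.example", dict(zone)))
    clock = FakeClock()
    resolver = CachingResolver(servers, clock)

    results = {"before_attack": resolver.resolve(host)}
    primary.reachable = False       # DDoS begins: provider A stops answering
    clock.t = 100.0                 # still inside the 300 s TTL
    results["during_attack_cached"] = resolver.resolve(host)
    clock.t = 400.0                 # cached answer has expired
    try:
        results["after_ttl_expiry"] = resolver.resolve(host)
    except TimeoutError:
        results["after_ttl_expiry"] = None
    return results


if __name__ == "__main__":
    print("single provider :", run_scenario(second_provider=False))
    print("two providers   :", run_scenario(second_provider=True))
```

Two practical consequences follow from the simulation: longer TTLs buy time during an outage at the price of slower record changes, and hosting a zone with more than one DNS provider removes the single point of failure that an attack on one provider exploits.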
To unleash a DDoS attack on DNS servers, hackers have traditionally used large numbers of compromised computers. By infecting private computers with malicious software, they assemble a private army of machines known as a botnet. Most of the time the owners of the conscripted computers have no idea that their machines are part of a malicious army of attackers.
The severity of a DDoS attack depends on the number of devices an attacker can reach and enlist. Until recently, most hackers were limited to infecting personal computers. But with the immense popularity of the Internet of Things (the average North American home now has 13 internet-connected devices), the pool of potential devices that can be recruited into a botnet, or zombie army, is exploding.
“The size of these DDoS attacks has increased so much lately thanks largely to the broad availability of tools for compromising and leveraging the collective firepower of so-called Internet of Things devices.”
Krebs on Security
As long as the IoT lacks security, DDoS attacks will only become more brutal.
The Internet of Things is exploding, connecting everything from security cameras to cars and medical devices. According to forecasts from Gartner and BI Intelligence, an estimated 34 billion devices will be connected to the IoT by 2020. With billions of devices, each with its own network connection and processor, adding up to an immense pool of firepower, we are faced with the fact that this rapidly developing industry still lacks even a basic IoT security baseline.
Until the market adopts such a baseline, hackers will continue to exploit IoT devices to build DDoS armies of unprecedented size and scope. Not only can attackers recruit hundreds of thousands or millions of devices to send garbage traffic at DNS servers, it will also take organizations much longer to bring a DDoS attack under control. Instead of being attacked by a botnet of infected personal computers, an organization can now be hit from millions of connected devices spread across the world, each sending only a modest amount of traffic, which makes it nearly impossible to cut the attack off at its sources.
[Chart: Connected Devices (billions). Source: Gartner, BI Intelligence]
At the end of September OVH was the victim of just such an IoT based DDoS attack, the largest to date until Friday’s attack, with peaks of over 1 Tbps of traffic. OVH founder, Octave Klaba, said that hackers used IoT devices, such as hacked CCTV cameras and personal video recorders, to attack the organization. “This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn,” tweeted Klaba.
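The per-IP figures in Klaba's tweet (1-30 Mbps from each of roughly 145,000 devices) illustrate why the defenses an organization can apply at its own edge fall short, the point made above about attacks arriving from so many different places. The following added example (not code from the article, OVH or NSFOCUS) runs a simple analysis over constructed flow records, each with a source address, TCP flags and a rate, in which no single source exceeds a per-source rate limit yet the total is tens of gigabits per second. The addresses, rates and thresholds are all assumptions made for the example.

```python
"""Aggregate-versus-per-source view of a distributed TCP flood.

Added example, not code from the original article, OVH or NSFOCUS. The
flow records are constructed; the per-source rates echo the 1-30 Mbps
per IP in Klaba's description but are not real traffic.
"""
import random
from collections import Counter, defaultdict


def build_flood(n_bots=2000, seed=7):
    """Constructed flow records: n_bots distinct sources in 10.0.0.0/8
    (an assumption), each sending 1-30 Mbps of SYN, ACK or ACK+PSH
    packets at the victim."""
    rng = random.Random(seed)
    flows = []
    for i in range(n_bots):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        flows.append({"src": src,
                      "flags": rng.choice(["S", "A", "AP"]),
                      "mbps": rng.uniform(1.0, 30.0)})
    return flows


def analyze(flows, per_source_limit_mbps=50.0, aggregate_limit_gbps=0.5,
            min_sources=500):
    """Summarise the traffic and decide what kind of event it looks like.

    per_source_limit_mbps models a per-IP rate limit at the victim's edge;
    aggregate_limit_gbps and min_sources model a volumetric detector that
    looks at the total instead. All thresholds are assumptions for the example.
    """
    rate_by_src = defaultdict(float)
    flag_mix = Counter()
    for f in flows:
        rate_by_src[f["src"]] += f["mbps"]
        flag_mix[f["flags"]] += f["mbps"]
    aggregate_gbps = sum(rate_by_src.values()) / 1000.0
    over_limit = [s for s, r in rate_by_src.items() if r > per_source_limit_mbps]

    # The signature of an IoT botnet: huge total, many sources, and not one
    # of them above a per-source limit, so per-IP blocking removes nothing.
    distributed = (aggregate_gbps > aggregate_limit_gbps
                   and len(rate_by_src) >= min_sources
                   and not over_limit)
    if distributed:
        verdict = "distributed_flood"
    elif over_limit:
        verdict = "single_source_abuse"
    else:
        verdict = "normal"
    return {
        "sources": len(rate_by_src),
        "aggregate_gbps": round(aggregate_gbps, 2),
        "max_source_mbps": round(max(rate_by_src.values(), default=0.0), 2),
        "sources_over_limit": len(over_limit),
        "flag_mix_gbps": {k: round(v / 1000.0, 2) for k, v in flag_mix.items()},
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = analyze(build_flood())
    for key, value in report.items():
        print(f"{key:20} {value}")
```

The verdict is the point: the per-source limit never fires, so filtering individual addresses removes nothing, while the total rate and the source count together identify the event. That is why mitigation for attacks of this scale has to happen upstream, with scrubbing capacity larger than the flood, rather than at the victim's own edge.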
In an interview with SC Magazine, Richard Meeus, technical director EMEA at NSFOCUS, stated the following:
“DDoS attacks have been growing over the last 10 years and this leveraging of IoT devices is only going to exacerbate the issue. Only a few years ago, the only devices in your home were your laptops, tablets and phones – now add smart fridges, thermostats, DVRs, security cameras and even light bulbs. This increase in devices that are running cut-down versions of standard operating systems, made to be very simple for anyone to use, unfortunately often means trading security for instant out-of-the-box satisfaction, and thus passwords are left at default or communication is left unencrypted. This means that hackers can gain access and load DDoS tools onto the devices, and you are now a member of a botnet.”
Krebs on Security, also the victim of a recent DDoS attack, weighed in on how the IoT is enabling hackers to increase the size and impact of their DDoS attacks.
“The size of these DDoS attacks has increased so much lately thanks largely to the broad availability of tools for compromising and leveraging the collective firepower of so-called Internet of Things devices — poorly secured Internet-based security cameras, digital video recorders (DVRs) and Internet routers. Last month, a hacker by the name of Anna_Senpai released the source code for Mirai, a crime machine that enslaves IoT devices for use in large DDoS attacks. The 620 Gbps attack that hit my site last month was launched by a botnet built on Mirai, for example.”
A collective known as “New World Hackers” has taken responsibility for Friday’s massive DDoS Attack.
A Dark Future?
As is the case with most cyber attacks, the hackers are typically in it for one of two reasons: either a payout or to cause trouble (as in the case of Russia hacking the DNC in order to influence US elections).
While not yet verified, New World Hackers told an AP reporter via Twitter direct message exchange that they are responsible for Friday’s DDoS attack and that the collective is not motivated by money. In fact, the collective stated that it did not have anything personal against Dyn or any of the sites impacted by the attack. Instead, the hackers said that the attack was merely a test, claiming the next target will be the Russian government for alleged cyber attacks against the United States earlier this year.
While who is responsible for Friday's massive DDoS attack may never be entirely confirmed, what is confirmed is that unless the IoT market adopts real security practices, the DDoS arms race will only continue to escalate, increasingly putting the entire internet at the mercy of malicious hackers.