Hacked IoT Devices Unleash Record DDoS MayhemFirepower Fueled by Vulnerable Internet of Things Devices
An army of networked devices - webcams, digital video recorders, CCTV cameras and routers - has been unwittingly drafted into doing electronic battle via a type of attack that has existed since the early days of the internet, but which has reached new levels of intensity in recent weeks.
Website operators and companies regularly fight off distributed denial-of-service attacks, which seek to take down services through overwhelming or else highly pinpointed barrages of traffic. DDoS attacks have typically been launched from compromised desktop computers. But in a development that experts have long forecasted, hackers are increasingly using so-called internet of things devices to launch record-breaking attacks.
The assaults are asymmetrical: The cost of launching attacks are often trivial compared to the cost of defending against them. While large organizations, such as financial service companies, are usually ready for DDoS attacks, many are not, and the unprepared often find themselves scrambling in panic as their websites remain unavailable.
The attacks highlight structural weaknesses in the internet - now essential to global commerce and business - which wasn't designed to defend against this type of abuse.
"Never before in human history have so many people across the world been utterly dependent upon such a fragile, brittle technology as the internet," says Roland Dobbins, a principal engineer at Arbor Networks in Singapore.
The consultancy Gartner predicts that 6.4 billion internet-connected devices that fall into the IoT category will be online this year. By 2020, 25 percent of cyberattacks within enterprises will involve IoT devices, but just 10 percent of IT security budgets will be dedicated to safeguarding them, Gartner forecasts.
The most prominent apparent IoT attack of late was directed against the website of cybersecurity journalist Brian Krebs, whose exposés on the cybercrime underground have made him a frequent target of online attacks and other harassment. His site was hit Sept. 20 with 620 gigabits per second of traffic in one of the largest-ever DDoS attacks ever seen. By comparison, most DDoS attacks are in the range of 1 Gbps to 15 Gbps.
The network security company Akamai had protected Krebs's site, but in light of the size of the attacks, it quit providing pro bono services to him. Krebs later secured support from Google's Project Shield, which helps protect journalists from DDoS attacks. One company told him that protecting his site would otherwise have cost $150,000 to $200,000 a year.
The IoT devices apparently marshaled into the attack against Krebs and other gaming sites in recent weeks are prime candidates for criminals to draft into service because they're poorly secured, rarely monitored by users and may have known vulnerabilities that never get patched - or for which no patches are available - even though such devices often remain internet-connected for years.
DDoS Attacks Pummel French Hosting Firm
The attack against Krebs's site wasn't isolated. On Sept. 19, by Octave Klaba, CTO of Paris-based internet hosting firm OVH, reported that a botnet comprising 146,000 hacked digital video recorders and internet-connected cameras was targeting it with massive DDoS attacks. Klaba said the attacks occasionally reached 100 to 800 Gbps, although were more often in the 30 to 100 Gbps per second range. He also believes that the attacks have been launched by the same botnet that targeted Krebs' site.
Klaba warned Sept. 26, meanwhile, that the botnet had grown to comprise 168,000 hacked devices.
+6857 new cameras participated in the DDoS last 48H.— Octave Klaba / Oles (@olesovhcom) September 26, 2016
Pop a Linux Box
IoT devices typically run embedded Linux - an open source operating system. Many such devices have become commoditized - competing for sales based solely on their cost. As a result, many manufacturers focus on bringing new devices to market quickly rather than maintaining older devices or building in ways to keep them updated and secure.
"Businesses may be more focused on income rather than security of the internet of things," says Shui Yu, a senior lecturer at Deakin University in Australia who is on the editorial board of the IEEE Internet of Things Journal. "When attacks become a big concern to the public, then the manufacturers may pay more attention to security."
Too often, remote hackers can easily break into IoT devices. Devices often ship with remote login protocols - typically via telnet or SSH - enabled by default, as well as default passwords. Such passwords are often easy to guess, and lists of manufacturers' most commonly used passwords abound on hacking forums.
Once an attacker finds a potentially vulnerable device via internet scans, it's only a matter of logging in and then uploading malware to the device. In a recent report, Symantec described a dozen of the most common malware families targeted at embedded Linux OSes.
"The current IoT threat landscape shows that it does not require much to exploit an embedded device," Symantec says "The majority of the threats simply take advantage of weak built-in defenses and default password configurations in embedded devices."
The compromised devices are corralled into a botnet, which is the term for a network of compromised devices. Once a botnet is created, hackers rent their networks, which are often advertised in dark web forums as "booter" or "stresser" services.
Many manufacturers never develop or release security updates for devices after they reach market. In fact, some devices can't be upgraded at all. Users rarely interact with IoT devices, aside from setting them up, and they also may never notice any decline in performance relating to a malware infection, as they might, for example, if their desktop computer had been infected with malicious software.
"The attackers have realized this is really the most efficient way to build a highly scalable DDoS cannon," Arbor's Dobbins says.
Although the DDoS methodologies and use of IoT devices is not new, "the fact that the attackers have now upped the game in terms of their total capacity that they can bring to bear is a significant change in the threat landscape," he says.
DDoS: Noisy Attacks
DDoS attacks are noisy - it's typically easy to see where they're coming from and where they're going. Network operators can quickly isolate which internet service providers are carrying attack traffic. Once contacted, the ISP can cut off access to the offending subscriber.
But notifying ISPs is largely a pick-up-the-phone type of process these days, says Mike Smith, Akamai's CTO for security for Asia-Pacific and Japan. That notification method quickly becomes unfeasible if millions of devices around the world, hosted by many different providers, are sending attack traffic. Accordingly, he says that process is in desperate need of automation.
"We're relying on people who have connections with each other to solve the problem," Smith says. "That's worked so far, up to a point, but I think we're growing beyond our ability to effectively manage that."
The other large problem involves remediating infected devices. Many ISPs will notify customers suspected of running malware-infected PCs, which may reveal themselves once attackers begin tapping them to send voluminous quantities of spam. But cleaning up such machines is still a challenge.
Jaeson Schultz, for example, used to manage SpamCop, a spam monitoring and reporting service. He says consumers would insist that their computer was not infected - even if it clearly was - thus demonstrating the difficulty in persuading people to take action.
"Now, somebody's going to infect a fitness tracker or a smart home door lock, and these people are going to have no clue that this is a rogue device on their network," says Schultz, who's now a technical leader with Cisco's Talos research group. "We're not very far away from seeing a lot more of that."
A broader solution would involve identifying the groups who launch or enable these attacks and then arresting them, Akamai's Smith says. In the past, law enforcement has pursued especially flagrant cyberattack groups, such as Anonymous or the Lizard Squad, whose public boasting drew worldwide attention. But that's a time-consuming and reactive type of intervention - one that may not always successfully prevent or disrupt either today or tomorrow's IoT attackers.