The Good, the Bad and the Ugly – DDoS Attacks in the Era of IoT


Starting September 21, renowned security blogger Brian Krebs came under what would turn out to be one of the largest DDoS attacks to date, reportedly peaking at 620 gigabits per second (Gbps) and sustained over a number of days. It took a significant toll, and in the end forced the reporter to choose between changing hosts or shutting his blog down completely.

It appears that the Internet of Things (IoT) played a prominent role in this DDoS attack, and it is seen as having an increasing role in DDoS attacks overall. On the macro level, the IoT brings with it good: it provides us new services that improve our everyday lives. However, technology has its bad side, and in this case it is the inherent weakness built into the IoT by virtue of little, or even non-existent, security.

The ability to conduct DDoS attacks is premised on a hacker's ability to infect a large number of endpoints, turn the average computer into a zombie, and use it in a botnet army. While there are numerous methods for infecting computers, from phishing schemes using malicious links to drive-by downloads, infected USB sticks and more, it still requires both cost and effort to build a botnet, add to its ranks, foster its growth, and conduct the attacks themselves.

This is because most computer endpoints have some form of anti-virus or anti-malware technology on them, with varying degrees of effectiveness, and it typically requires human intervention to open the door and infect the endpoint. The birth and ongoing development of IoT is changing that equation. Most IoT devices have no built-in security besides a password, and as Imperva discovered while researching an attack conducted via IoT devices (CCTV cameras), the devices were all accessible via their default password. Furthermore, these devices typically provide remote access to users through default ports such as HTTP:80 that are easily discovered and which link the public domain to the local CCTV network.

Many IoT device users don't change default credentials, which makes the work of bad actors much easier. To discover the IoT devices, hackers need only use a search engine for internet-connected devices such as Shodan. Next, they attempt to access the devices with default credentials or use brute-force attacks to try to compromise the devices and infect them with malware.

In the case of CCTV devices, they are usually managed by a stand-alone DVR server which typically doesn't have anti-malware protection. So once infected, the likelihood of the malware being removed from a DVR server is close to zero. Additionally, once installed, these devices are almost never updated (OS fixes, BIOS updates, etc.). This all results in a very stable and cost-effective botnet. It is also likely that the outbound connection of these servers has a reasonably high bandwidth (greater than 1 Mbps), contributing to the ability of hackers to ramp up the size of their DDoS attacks.
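Since the DVR itself carries no anti-malware protection, the practical place to catch the compromise sequence described above (credential guessing followed by a login on a factory account) is the device or syslog-collector login log. The following detector is an added example, not code from the original post or from Imperva; the log format, host names and the list of default accounts are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical syslog-like format that a DVR or
# an edge syslog collector might emit (the format and hosts are assumptions).
SAMPLE_LOG = """\
2016-09-22T10:00:01 dvr01 telnetd: login failed user=root from=203.0.113.5
2016-09-22T10:00:02 dvr01 telnetd: login failed user=admin from=203.0.113.5
2016-09-22T10:00:03 dvr01 telnetd: login failed user=root from=203.0.113.5
2016-09-22T10:00:04 dvr01 telnetd: login failed user=support from=203.0.113.5
2016-09-22T10:00:05 dvr01 telnetd: login failed user=admin from=203.0.113.5
2016-09-22T10:00:06 dvr01 telnetd: login ok user=admin from=203.0.113.5
2016-09-22T10:05:00 dvr01 httpd: login ok user=operator from=192.0.2.10
2016-09-22T10:07:00 dvr02 httpd: login failed user=admin from=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>\w+): login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

# Factory-default account names to watch for (constructed list, not exhaustive).
DEFAULT_USERS = {"root", "admin", "support", "user", "guest"}

def parse(log):
    """Yield one dict per well-formed login line; unparseable lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def detect(log, threshold=4, window=timedelta(seconds=60)):
    """Return alert tuples: a burst of failures from one source against one
    device (brute force), a success that follows such failures, or a clean
    login on a factory-default account that should have been renamed."""
    alerts = []
    fails = defaultdict(list)  # (host, src) -> timestamps of recent failures
    for ev in parse(log):
        key = (ev["host"], ev["src"])
        if ev["result"] == "failed":
            fails[key] = [t for t in fails[key] if ev["ts"] - t <= window]
            fails[key].append(ev["ts"])
            if len(fails[key]) == threshold:  # fire once per burst
                alerts.append(("brute_force", ev["host"], ev["src"]))
        elif fails.get(key):  # guessing paid off: highest-confidence signal
            alerts.append(("success_after_failures", ev["host"], ev["src"], ev["user"]))
        elif ev["user"] in DEFAULT_USERS:
            alerts.append(("default_account_login", ev["host"], ev["src"], ev["user"]))
    return alerts
```

On the sample above, `detect(SAMPLE_LOG)` flags the burst against dvr01 and the admin login that follows it, while the operator login and the single failure on dvr02 produce nothing.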

And then there’s the ugly. The Imperva report noted above mentions that in 2014 there were 245 million surveillance cameras operating around the world. Forecasts for the coming years project anywhere between 10 and 28 billion connected devices will come online by 2021. The proliferation of IoT devices and apparent ease of their compromise is making them an effective tool in the arsenal of hackers.

As billions of IoT devices come online in the years ahead, each with their own security challenges, the drafting of these devices into botnets will surge. What we are seeing now could be just the tip of the iceberg. This reduces the cost of launching and maintaining DDoS attacks while contributing to their size, and makes it more challenging for DDoS protection providers to defend against them. It could be speculated that the record-breaking size of recent DDoS attacks may be at least partially attributed to the burgeoning adoption of IoT devices and their availability to hackers who use them in these attacks. Further adding to this scourge is another threat, that of infected mobile devices, as reported in this Imperva blog.

The result is clear: attacks are scaling larger on an almost daily basis due to an expanding mix of available devices from which to launch them. Even as these words are being written, today's "largest DDoS attack ever" has become a footnote, with a just-off-the-presses report of a 1 terabit per second (Tbps) DDoS attack against French web hosting firm OVH.com, that's 66% larger than the attack on Krebs.

Concern has increased to the point that Homeland Security has just issued a call to action on IoT security. In the meantime, Brian Krebs has apparently found sanctuary thanks to Google's Project Shield.

The challenge for DDoS protection providers is to stay ahead of bad actors and scale to meet the needs of ever-increasing and more sophisticated attacks, while being able to continue to protect their customers at a reasonable price, under any conditions. The increasing size of the IoT will likely play an ever-increasing role in the epic battle between hackers and defenders. The stakes, as we can see, are growing. Today hackers can shut down a journalist. Tomorrow they'll be able to shut down hospitals, power plants and communications infrastructure, and play a central role in warfare.

Don’t wait until your organization gets shut down by hackers. Register here for our webinar on how to protect yourself from Multi-layered DDoS attacks.

To view the latest Imperva DDoS Threat Landscape Report, visit https://www.incapsula.com/ddos-report/ddos-report-q1-2016.html.