IoT botnet built from compromised home routers was used to launch an application-level DDoS attack
Eight different brands of Internet of Things (IoT) home routers were compromised and used to create an IoT botnet that launched an application-level distributed-denial-of-service (DDoS) attack against a website’s multiple servers.
Unlike volumetric attacks that target the network link (measured in bits per second), application-level attacks are designed to exhaust the application and web server resources (measured in requests per second). The attack was big enough to disable multiple web servers and quickly exhaust available bandwidth. This was further exacerbated through the use of HTTPS requests, which are more CPU intensive for the server because of the TLS/SSL handshake.
The application-level DDoS, or Layer 7 HTTPS flood attack, was discovered by security firm Sucuri. The IoT botnet generated more than 120,000 HTTPS requests per second (RPS) using 47,000 IP addresses, Sucuri founder and CTO Daniel Cid wrote in his blog. “While we have seen routers being used maliciously in the past, we have never seen them used at this scale.”
The attack leveraged routers from multiple vendors:
- 6,015 Huawei router devices (enterprise versions HG8245H, HG658d, HG531)
- 2,119 MikroTik RouterOS devices
- 245 AirOS router devices manufactured by Ubiquiti Networks
- NuCom 11N wireless routers
- Dell routers
- SonicWall routers
- Vodafone routers
- Netgear routers
- Cisco IOS routers were also exploited and used in the attack.
Last week, Level 3 Threat Research Labs and Flashpoint discovered IoT devices targeted by the Lizkebab family of malware (also known as Bashlite, Torlus, or gafgyt) in order to create DDoS botnets.
IoT Home Router Botnet Diversity
A key requirement for the success of these attacks was diversity. This includes geographic distribution, ASN, ISP, and IP networks. This home router botnet had solid diversity with a heavy focus on Spanish-speaking countries (e.g., Spain, Uruguay, and Mexico). The more diverse the networks are, the harder it is for the victim website to isolate the attack and block one or two networks.
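The diversity point above is easiest to see on the defender's side of the log. The following is an added example, not code from the original article or from Sucuri: it parses combined-format web server access log lines, counts requests per second, and measures how concentrated each busy second's traffic is across source networks (a /16 prefix stands in for the ASN/ISP granularity the article describes, since ASN lookup needs an external database). When the top few networks carry only a small share of a flood, a network-level block list will not stop it, which is the situation the article describes. The sample log lines, the 10.N.0.0/16 address scheme and the thresholds are all constructed assumptions.

```python
"""Layer 7 flood triage: requests per second and source-network diversity.

Added example, not from the original article. Sample log lines are constructed.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Combined log format: client IP, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of fields for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # "28/Aug/2016:10:00:01 +0000" -> one-second bucket "28/Aug/2016:10:00:01"
    rec["second"] = rec["ts"][:20]
    return rec


def build_sample_log():
    """Constructed sample. Second :00 is ordinary browsing; seconds :01 and :02
    are a flood of the same expensive dynamic URL from 40 distinct /16 networks
    (10.N.0.0/16, an assumed scheme chosen only to make the networks distinct)."""
    lines = [
        '203.0.113.5 - - [28/Aug/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
        '203.0.113.5 - - [28/Aug/2016:10:00:00 +0000] "GET /style.css HTTP/1.1" 200 128',
        '198.51.100.7 - - [28/Aug/2016:10:00:00 +0000] "GET /about HTTP/1.1" 200 700',
    ]
    for sec in (1, 2):
        for n in range(40):
            lines.append(
                f'10.{n}.0.{n + 1} - - [28/Aug/2016:10:00:0{sec} +0000] '
                f'"GET /search?q=x HTTP/1.1" 200 900'
            )
    return lines


def analyze(lines, rps_threshold=20, net_prefix=16, top_n=2, acl_share=0.8):
    """Flag every second at or above rps_threshold and report, for each one,
    how many distinct source networks were involved and what share of the
    requests the top_n networks carried. If that share is below acl_share,
    blocking a couple of networks (the article's 'one or two networks') would
    not materially reduce the load. Thresholds are assumed values."""
    per_second = Counter()
    nets_per_second = defaultdict(Counter)
    paths_per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort triage
        sec = rec["second"]
        per_second[sec] += 1
        net = ip_network(f'{rec["ip"]}/{net_prefix}', strict=False)
        nets_per_second[sec][str(net)] += 1
        paths_per_second[sec][rec["path"].split("?")[0]] += 1

    findings = []
    for sec, count in sorted(per_second.items()):
        if count < rps_threshold:
            continue
        nets = nets_per_second[sec]
        top_share = sum(c for _, c in nets.most_common(top_n)) / count
        findings.append({
            "second": sec,
            "rps": count,
            "distinct_networks": len(nets),
            "top_networks_share": round(top_share, 2),
            "top_path": paths_per_second[sec].most_common(1)[0][0],
            "blockable_by_network_acl": top_share >= acl_share,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(build_sample_log()):
        print(f)
```

On the constructed sample, each flooded second shows 40 requests from 40 distinct /16 networks, so the two largest networks account for only 5% of the traffic and `blockable_by_network_acl` is false; the same volume from a single /16 would report a share of 1.0 and be a candidate for a network block. The `top_path` field points at the dynamic endpoint absorbing the load, which is the first thing to cache, rate-limit per request pattern, or push behind an upstream filtering layer.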
This was the geographical distribution for the home router botnet:
Large-scale attacks distributed across multiple IoT botnets are only scratching the surface of what we can expect in the future. As more devices become part of the IoT ecosystem, the greater the threat becomes.
If your website is experiencing availability issues (meaning it continues to go down or your web servers are being exhausted), you might benefit from a cloud-based web application firewall that specializes in mitigating DDoS attacks.