Welcome to the new age of supermassive DDoS Attacks
Two of the largest DDoS attacks ever recorded have been executed against security journalist Brian Krebs and the France-based hosting provider OVH, both within the last two weeks.
The DDoS attack on Krebs hit with over 600Mbps of traffic and the one on the hosting provider OVH with over 1Tbps. The attacks were not launched only from PCs recruited by malware infections (the traditional tool used by threat actors); they also used vulnerable IoT devices such as routers, PVRs, thermostats, refrigerators and cameras, which are now targeted by the bad guys because they are often poorly secured and easy to exploit.
A few years ago, insecam.org released a directory of publicly accessible webcams, many of which were set up in people's homes with no security or with default passwords left in place. Many devices were vulnerable.
A report by SEC Consult reviewed 4,000 embedded devices from 70 different hardware vendors and revealed that over 580 unique SSH and HTTPS keys are shared between several devices from the same vendor, and sometimes even between different vendors. So once you find the password for one device, you can be successful with others as well.
Krebs' website, krebsonsecurity.com, was attacked last week, and indications are that the attack was launched with the help of a botnet that enslaved a large number of hacked IoT devices. The source code for this IoT device malware goes by the names Lizkebab, BASHLITE, Torlus and gafgyt.
Digital security company Akamai Technologies, which mitigated the KrebsOnSecurity attack, said the largest attack it had previously encountered had been a mere 363 Gbps. Akamai’s Martin McKeay said this new botnet has “capabilities we haven’t seen before.”
The KrebsOnSecurity attack occurred just days after the site had exposed a DDoS-for-hire service, vDOS, leading to the arrest of the group’s two 18-year-old owners by Israeli police. According to site owner Brian Krebs, there was a single message buried inside each attack packet that hit his site: ‘godiefaggot.’
The DDoS attacks on OVH used even more than 150K IoT devices. It wasn't all concentrated in one attack: there were several concurrent DDoS attacks of varying sizes, with one peaking at almost 800Mbps, setting the record for a single DDoS attack.
IoT device makers need to make their devices both secure and inexpensive. The expectation is that even IoT devices that cost just a few cents must have some form of endpoint security embedded in them. This expectation may not be reasonable.
So protecting IoT devices that are connected to a network means, at the very least, that default passwords MUST be changed. The IoT devices also need to be appropriately isolated from other systems. Because many IoT devices can't run any sort of endpoint protection, appropriate network monitoring is needed to detect any unexpected network activity emanating from those devices.
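As an added illustration of that monitoring point (example code written for this page, not from the original article), here is a small Python baseline check over constructed flow records that flags devices on an isolated IoT segment whose outbound fan-out or packet volume jumps the way a DDoS source's does. The IoT VLAN 192.168.50.0/24, the internal ranges, the thresholds and all sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, dst_port, packets) built for this example;
# they are not from the article. 192.168.50.0/24 is an assumed isolated IoT VLAN.
IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]  # assumed internal ranges

SAMPLE_FLOWS = [
    ("192.168.50.10", "203.0.113.5", 443, 120),   # camera: its usual cloud endpoint
    ("192.168.50.10", "203.0.113.5", 443, 95),
    ("192.168.50.11", "192.168.50.1", 53, 4),     # thermostat: local DNS, ignored
    ("192.168.1.20", "203.0.113.9", 443, 5000),   # PC outside the IoT segment, ignored
] + [
    # thermostat suddenly blasting ten distinct outside hosts: DDoS-source behaviour
    ("192.168.50.11", f"198.51.100.{i}", 80, 900) for i in range(1, 11)
]

def is_external(ip):
    """True when the address is outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)

def summarize_iot_flows(flows, segment=IOT_SEGMENT):
    """Per IoT source: set of external destinations and total outbound packets."""
    stats = defaultdict(lambda: {"dests": set(), "packets": 0})
    for src, dst, _port, packets in flows:
        if ipaddress.ip_address(src) not in segment or not is_external(dst):
            continue  # only outbound traffic leaving the IoT segment matters here
        stats[src]["dests"].add(dst)
        stats[src]["packets"] += packets
    return stats

def flag_unexpected_sources(flows, max_dests=3, max_packets=1000):
    """Return {src: reasons} for IoT devices whose fan-out or volume exceeds baseline."""
    alerts = {}
    for src, s in summarize_iot_flows(flows).items():
        reasons = []
        if len(s["dests"]) > max_dests:
            reasons.append(f"{len(s['dests'])} distinct external destinations")
        if s["packets"] > max_packets:
            reasons.append(f"{s['packets']} outbound packets")
        if reasons:
            alerts[src] = reasons
    return alerts

if __name__ == "__main__":
    for src, reasons in flag_unexpected_sources(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: " + "; ".join(reasons))
```

In practice the thresholds come from each device's own observed baseline rather than fixed constants, and the flow records come from the gateway or switch that fronts the IoT segment.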
Now that there have been some high-profile attacks using IoT devices, it's likely we will see more attention paid to how weaknesses in IoT device security are being exploited. This new attack vector will probably create more news.