Subscribe Now

* You will receive the latest news and updates on the Canadian IT marketplace.

Trending News

Blog Post

IoT devices used in devastating DDoS attacks
SECURITY SHELF

IoT devices used in devastating DDoS attacks 

The first documented DDoS attack occurred in February 2000. A fifteen-year-old Canadian hacker known as “Mafiaboy” orchestrated a series of series of attacks against eleven e-commerce sites, including Amazon, eBay, and Yahoo. The attacks used 75 computers at multiple locations to overwhelm the victims’ computers and prevent them from responding to requests from legitimate users. RCMP and FBI officials estimated the affected sites suffered US $1.7 billion in damages.

DDoS attack strategies have continued to evolve, and today they commonly leverage tens or even hundreds of thousands of compromised computers and devices. Black-market services, known as “booter” and “stresser” services, are easy to find, hiding behind a thin veil of providing testing services. According to security vendor Trend Micro, a basic week-long DDoS attack can be purchased for as little as US $150.

According to an article on Krebs’ site, “The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second. Additional analysis on the attack traffic suggests the assault was closer to 620 Gbps in size, but in any case, this is many orders of magnitude more traffic than is typically needed to knock most sites offline.”

Krebs was likely targeted due to his extensive reporting on criminals operating DDoS services; this is not the first time he has been the victim of a DDoS attack. But the fact that one of the largest attacks the Internet has ever witnessed targeted an independent journalist illustrates what Krebs succinctly calls “The Democratization of Censorship.”

Discussions of Internet censorship traditionally revolve around repressive government regimes, but DDoS attacks enable individuals and small groups to engage in censorship at home and abroad. Larger organizations can afford to purchase more bandwidth or expensive DDoS mitigation services. Individual journalists, small media outlets, and most businesses remain highly vulnerable.

Three factors make it increasingly viable to launch effective DDoS attacks. The first is connectivity. In 2000, “Mafiaboy” relied on a relatively small number of compromised computers, most of which were located at universities. At the time, the majority of Canadian homes used dial-up Internet, and under ideal conditions newly-introduced ADSL connections provided 800 kbps upstream bandwidth. Today, upload speeds of 10 to 20 Mbps are common.

The second factor is explosive growth in the number of Internet-connected devices. Many of the devices used to attack Krebs were reportedly IoT devices, including cheap IP surveillance cameras sold to consumers. The devices were comprised en masse due to flawed designs and the widespread use of default passwords.

The third factor is that source code to create botnets and use them for DDoS attacks is readily available, including the Mirai botnet used to attack krebsonsecurity.com. This significantly lowers the bar, allowing criminals with relatively basic technical capabilities to leverage insecure IoT devices for DDoS attacks.

Last week’s attack on Dyn, a company that provides core Internet services such as DNS to clients such as Amazon, Etsy, GitHub, Shopify, Twitter, and the New York Times, also leveraged Mirai. According to a statement by Dyn, “At this point, we know this was a sophisticated, highly distributed attack involving tens of millions of IP addresses. We are conducting a thorough root cause and forensic analysis and will report what we know in a responsible fashion. The nature and source of the attack are under investigation, but it was a sophisticated attack across multiple attack vectors and Internet locations. We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed tens of millions of discrete IP addresses associated with the Mirai botnet that was part of the attack.”

Attacks of this magnitude have serious national security implications; they demonstrate that a motivated nation-state or even a group of hackers could potentially cripple the Internet in Canada. A carefully orchestrated attack targeting governments, banks, transportation of essential goods, and email services at major ISPs could have a devastating impact.

Have a security question you’d like answered in a future column? Email eric.jacksch@iticonline.ca

Related posts