Bench Talk for Design Engineers | The Official Blog of Mouser Electronics


Wintry Wonderland of Malicious Packets Hither and Thither Part II

Arden Henderson

DDoS Things Warnings

First, it’s prudent to note that there have been ominous warnings over the years regarding the rise of the Internet of Things and the makers of IoT devices simply not taking security seriously. Deep into 2016, there were the Level 3 August 25 notes on the attack of things. On September 13, Bruce Schneier wrote that someone is learning how to take down the internet. And there was the prescient October 20 essay by Chris Baker regarding IoT attacks on managed DNS operators.

DDoS Things Censoring

At approximately 2000 hours EDT on September 20, there was a massive DDoS attack on the Brian Krebs security website at a scale not seen before. Because of the overwhelming number of spoofed web requests, access to the site was eliminated, producing an effective censorship. Criminals imposed this censorship in apparent punishment for a blog post Krebs wrote about the DDoS-for-hire service vDOS. Later analysis showed the DDoS attack was 620 Gbps in size. It turned out that DVRs and IP cameras were exploited and used to launch the DDoS attack. Default passwords, always the bane of security, rose up again to bite with sharp teeth. The content delivery services company Akamai, which had been providing DDoS protection pro bono for Krebs, had to make the hard decision to bail after a point.

Opinions vary on Akamai’s decision to pull the plug on the pro bono DDoS protection provided to Krebs’ site. Nick Selby observed we may now know Akamai’s threshold. Akamai’s postmortem notes success against the attack, and there were several follow-up blogs, including about things attacking and IoT barbarians. At any rate, Krebs’ security site carries on, now protected under Google’s Project Shield. Krebs’ November 16 blog details Akamai’s State of the Internet, which covered extensively the DDoS attack against KrebsOnSecurity.

DDoS Things Squashing

On October 21, 2016, vicious thunder crackled across the ethers as massive hard-as-brick snowballs were chunked in deadly velocity from thousands of sources. The target of the multiple IoT DDoS attacks was Dyn, an internet performance management services company.

The attacks wreaked havoc on sites serviced by Dyn. The attack was so successful that the notion of “DDoS” surfaced in mainstream media, momentarily distracting from such newsworthy topics as private email servers. The attack could have topped 1.2 Tbps, involving 100,000 bots. Impact was widespread, starting with the eastern seaboard and sites from wired.com to the New York Times, and the financial services sector, then moving on to the west coast. In the end, Reddit, Twitter, GitHub, Spotify, eBay, and a host of other sites were effectively knocked out.

How did thousands of consumer things connected to the internet manage to get together, become fire hydrants, aim and wash away sites as with the attacks on Krebs and Dyn? In a word: Mirai.

Mirai, Mirai, On The Firewall

It turned out the botnets which launched spectacularly heavy attacks on Krebs and Dyn, and other minor attacks in-between and later, were powered by Mirai.

Mirai is malware that both infects things on the internet and is used to launch DDoS attacks. Once in, it locates and exploits other IoT devices and coordinates attacks, and is territorial in nature. Mirai is not the only IoT malware in town and strives to eliminate competing malware. IoT malware is a growth industry.

Perhaps in an effort to cover tracks after the attack on Krebs, the source code was released. This, of course, increased participation.

Zillions of internet-connected things are infected with Mirai. Note this timelapse of Mirai mapping.

A Mirai scanner was released by Imperva Incapsula. Caveat: If there are no things behind your firewall and/or your firewall is locked up properly, the scanner will superfluously report that Mirai may have blocked ports already. Blocking ports – sealing off access to IoT – is a Mirai thing, something it does after settling into its new home.

At the moment, the future appears dark with mushrooming IoT botnets. Over the years, DDoS mitigation services have multiplied and best practices are well-known. Nonetheless, the shift of botnets from exploited PCs to countless IoT devices, and the improved ease of exploitation, have impressively scaled up the game. Until manufacturers start to take IoT security seriously, starting with not shipping devices with default passwords, the numbers are on the side of the botnets and the ne’er-do-well botnet herders. While script kiddies are generally believed to be behind the recent well-publicized DDoS attacks, no question state actors are sitting somewhere in dark, state-financed cube farms grinning at the possibilities.

Avoid Being Bad News

As you design and create your next cool IoT device, no doubt perusing the excellent Mouser Electronics website even now for top-notch components, take a moment to install security reviews at every stage of the creative process. Best to be proactive to prevent your cool, new IoT device from being Mirai-ized by the thousands and making the next news cycle.

 





Arden Henderson spent at least part of his life toolsmithing in dark, steam-powered workshops of software tool forges long gone, drenched in blood, sweat, and code under the glare of cathode ray tubes, striving for the perfect line of self-modifying software and the holy grail of all things codecraft: The perfectly rendered pixel. These days, when not working on his 1964 Flux Blend time machine (which he inadvertently wrecked before it was built after a particularly deep recursive loop), Mr. Henderson works in part-time castle elf and groundskeeper jobs, chatting with singularities spawned from code gone mad in vast labyrinths of vacuum tubes, patch cords, and electro-mechanical relays. Mr. Henderson earned a B.S.C.S. late in life at Texas A&M. Over the hundreds of years gone by before then and after, he has worked in various realms ranging from petrochemical wonderlands spread across the flat Gulf Coast saltgrass plains, as far as the eye can see, to silicon bastions deep in the heart of Central Texas.
