For years, security experts have been cautioning against poor IoT security and that it may have grave consequences. And these days, we can see that these alerts have become reality – botnets composed of hacked IoT gadgets are able to launch distributed denial-of-service (DDoS) attacks of incredible scale.
The alarm was sounded at the end of September by CTO and found or French hosting company OVH, Octave Klaba, on Twitter, when his organization was struck with two parallel DDoS attacks with a combined bandwidth of almost 1Tbps. One of them had a bandwidth of 799Gbps at its peak, thus becoming the largest DDoS attack ever reported.
According to the OVH’s CTO, Minecraft servers hosted by their company were the attack’s target, and a botnet comprised of 145,607 hacked IP cameras and digital video recorders served as the junk traffic’s source.
According to Klaba, the attack targeted Minecraft servers hosted on OVH's network, and the source of the junk traffic was a botnet made up of 145,607 hacked digital video recorders and IP cameras. As claimed by Klaba, this botnet is able to generate 1Mbps-30Mbps traffic from each single IP address, thus making him capable of launching DDoS attacks exceeding 1.5Tbps.
The OVH attack came after Brian Krebs’ website krebsonsecurity.com, which was targeted by a record DDoS attack that flooded it at a 620Gbps rate. As a result, the attack forced Alamai, Krebs’ provider of content delivery and DDoS mitigation, to suspend its free service and pushing the website offline for a few days. Krebs reports that the attack was about twice as big as attack Akamai has had previously, and would result in millions of dollars of costs to the company, if it hadn’t been stopped.
In his blog post after his site came back online under Google Project Shield’s protection, Krebs stated, "There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called 'Internet of Things,' (IoT) devices -- mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords."
Recently, Symantec – a security and antivirus vendor – published a report with cautions about insecure IoT gadgets that are getting increasingly hacked and then used for DDoS attacks’ launches. As reported by the company, there are quite a few cross-platform DDoS malware programs that may infect firmware based on Linux for CPU architectures that are often utilized in embedded and IoT gadgets.
As shown by Symantec’s data, most of these systems aren’t hacked through device-specific or otherwise sophisticated flaws, but merely due to a lack of elementary security controls. Hackers normally scan the web for gadgets with open SSH or Telnet ports and attempt to log-in with default admin permissions. Unfortunately, this is basically all it takes nowadays to build a massive IoT botnet.
And even though these IoT-powered DDoS attacks have grown to an unprecedented size just now, the warning signs about their arrival were seen even several years back. For example, in October 2015, security company Incapsula restrained a DDoS attack that was launched from about 900 CCTV cameras, and then, this June Arbor Networks, a DDoS protection provider, warned about 100 botnets built via Linux malware for embedded gadgets.