
Any network administrator worth their salt knows what a DDoS attack is. A DDoS (Distributed Denial of Service) attack attempts to flood the target's network infrastructure with traffic from potentially many thousands of sources. Each source adds only a little to the flood, but it all adds up to a torrent. Think of it as death by a thousand paper cuts for a network. And when that network is part of the backbone of the Internet, a DDoS attack has an effect on the public at large.

Traditionally, a DDoS attack is launched from any number of PCs that were previously infected with malware giving the attacker remote control, so that each PC could be added to the attacker's 'pool' of devices (a botnet) and used to fire off the attack. Recently, however, a couple of rather nasty cases of DDoS attacks launched from IoT-enabled 'dumb' devices have come to light.

A Botnet Series of Attacks

The first of these was a Mirai botnet that used multitudes of IoT-enabled devices to launch a DDoS attack against Internet infrastructure in the USA, which crippled services such as Twitter, Netflix and Spotify. Mirai is a piece of malware that scans the Internet for IoT devices accepting telnet logins with factory-default credentials. When it finds one, it adds it to its pool of DDoS devices.

The networks of the affected companies were not compromised individually. The targets all used a common DNS provider, Dyn, which was the primary victim of the DDoS attack. As Dyn's network was brought down, the services of its customers, including Twitter, Netflix and PayPal among others, became unreachable across the Web because their domain names could no longer be resolved. This led to a large-scale outage beyond the control of the affected Internet companies.

An estimated 100,000 devices took part. The malware spreads across weakly secured connected devices like a forest fire: each compromised device runs a scanner that brute-forces telnet logins on random Internet addresses using a short dictionary of default credentials, and reports any working username and password to a report server. A separate loader then logs in to each newly found victim and installs the bot, which starts scanning in turn. Mirai's authors called this loop 'real-time loading'.
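
Because every infected device scans random addresses on TCP ports 23 and 2323, the scanning phase shows up in flow records long before the bot takes part in a flood. The following added example (not part of the original article) flags sources that contact an unusual number of distinct telnet targets within a short window. The flow records are constructed for illustration in a simplified "epoch src dst dport proto" form, and the threshold and window are assumptions to tune for your own network.

```python
"""Flag hosts that behave like Mirai's telnet scanner in flow records.

Added example, not the article's code. SAMPLE_FLOWS is constructed data in a
simplified "epoch src_ip dst_ip dst_port proto" layout, not a real exporter's.
"""
from collections import defaultdict

SAMPLE_FLOWS = """\
1476900000 192.0.2.10 198.51.100.7 23 tcp
1476900000 192.0.2.10 198.51.100.8 23 tcp
1476900001 192.0.2.10 203.0.113.44 2323 tcp
1476900001 192.0.2.10 203.0.113.45 23 tcp
1476900002 192.0.2.10 203.0.113.46 23 tcp
1476900002 192.0.2.10 198.51.100.9 23 tcp
1476900003 192.0.2.10 198.51.100.10 23 tcp
1476900003 192.0.2.10 198.51.100.11 23 tcp
1476900004 192.0.2.10 198.51.100.12 23 tcp
1476900004 192.0.2.10 198.51.100.13 23 tcp
1476900000 192.0.2.20 198.51.100.50 443 tcp
1476900001 192.0.2.20 198.51.100.50 443 tcp
1476900005 192.0.2.30 198.51.100.60 23 tcp
1476900006 192.0.2.30 198.51.100.60 23 tcp
"""

# Mirai's scanner targets port 23 (and, less often, 2323).
TELNET_PORTS = {23, 2323}


def parse_flows(text):
    """Yield (ts, src, dst, dport) for each TCP record in the sample format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        if proto == "tcp":
            yield int(ts), src, dst, int(dport)


def find_telnet_scanners(flows, window=60, min_targets=8):
    """Return {src: distinct_targets} for sources that reach at least
    `min_targets` distinct hosts on a telnet port within `window` seconds.

    `window` and `min_targets` are assumed thresholds; a real admin host that
    legitimately manages many devices over telnet needs an allow-list.
    """
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in TELNET_PORTS:
            per_src[src].append((ts, dst))

    scanners = {}
    for src, events in per_src.items():
        events.sort()
        # Slide a window starting at each event; flag on the first hit.
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                scanners[src] = len(targets)
                break
    return scanners


if __name__ == "__main__":
    for src, n in find_telnet_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible Mirai-style scanner: {src} ({n} telnet targets)")
```

The host that repeatedly talks to one device on port 23 is not flagged, since the signal is the number of distinct targets, not the number of connections; that is what separates a scanning bot from a cron job polling a single camera.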

The hackers haven't stopped there. In other news, another nasty piece of malware called Linux/IRCTelnet has appeared, and it too targets IoT devices with hard-coded or default credentials. Every such variant widens the pool of devices available for the next attack. The Mirai source code has already been released publicly, and the cybercrime underground is looking to replicate its success with its own variants. For now, it looks like the genie is out of the bottle, and it is only a matter of time before another attack occurs on a similar scale.

The second worrying DDoS attack came to light when OVH, a popular budget server hosting company, realized its network was under attack. Following exhaustive analysis, the traffic was traced back to a DDoS attack launched from well over a hundred thousand compromised IoT-enabled cameras and video recorders.

The Growing Threat of IoT Devices

As we can see, hackers are clearly ready to exploit the security weaknesses present in IoT-enabled devices. The long-term implication is that, unless a way is found to keep insecure devices off the Internet, we will see more such attacks.

In a worst-case example, a DDoS attack could knock an entire country offline. This might seem extreme, but it is a real possibility.

Why Does the Problem Exist?

We can place the blame for this new style of DDoS attack squarely at the feet of hardware vendors. Sure, that new IoT-enabled camera they have developed might be cool and have great features, but did they truly keep security as the top consideration at the design stage? For many vendors, unfortunately, the answer is no: shipping every unit with the same well-known default telnet password is exactly what Mirai exploits. They are more interested in creating the next clever gadget than in making sure it is safe to use down the line.

What are the Implications for Businesses?

It means that companies that want to use IoT-enabled devices as part of their operational infrastructure are going to need to verify the security of any device they are considering. At a minimum, organizations should ensure that their Linux-based IoT devices are not still using the default credentials they shipped with, and that management services such as telnet are not reachable from the Internet.
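
The quickest way to verify that check is to run Mirai's own credential dictionary against your devices before an attacker does. The following added example (not the article's code) audits a telnet service with a subset of the username/password pairs hard-coded in the published Mirai scanner, the same loop the bot uses in its brute-force phase. The `fake_telnet_server` is a constructed stand-in for a camera's BusyBox telnet daemon so the audit runs offline; point `audit_device` at a real host and port 23 to test an actual device you own.

```python
"""Audit a telnet-exposed device for the default credentials Mirai tries.

Added example, not the article's code. fake_telnet_server is a constructed
stand-in for an IoT telnet daemon so the audit can be exercised offline.
"""
import socket
import threading

# Subset of the username/password pairs hard-coded in the published Mirai
# scanner. A device that accepts any of them is a ready-made Mirai bot.
MIRAI_DEFAULTS = [
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "123456"), ("support", "support"),
    ("root", ""), ("admin", "password"), ("root", "root"),
    ("user", "user"), ("ubnt", "ubnt"), ("root", "7ujMko0vizxv"),
]


def _read_until(sock, markers, timeout=3.0):
    """Read until one of the (lowercase) markers appears, EOF, or timeout."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while not any(m in buf.lower() for m in markers):
            chunk = sock.recv(1024)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf


def login_succeeded(banner):
    """Decide from the post-password output whether a shell prompt came back."""
    low = banner.lower()
    if b"incorrect" in low or b"login:" in low:
        return False
    return b"busybox" in low or b"#" in banner or b"$" in banner


def try_login(host, port, username, password):
    """Return True if the telnet service at host:port accepts the pair."""
    with socket.create_connection((host, port), timeout=3.0) as sock:
        _read_until(sock, [b"login:", b"username:"])
        sock.sendall(username.encode() + b"\r\n")
        _read_until(sock, [b"password:"])
        sock.sendall(password.encode() + b"\r\n")
        banner = _read_until(sock, [b"#", b"$", b"incorrect", b"login:"])
    return login_succeeded(banner)


def audit_device(host, port=23, candidates=MIRAI_DEFAULTS):
    """Return every default pair the device accepts (an empty list is the goal)."""
    accepted = []
    for user, pw in candidates:
        try:
            if try_login(host, port, user, pw):
                accepted.append((user, pw))
        except OSError:
            continue  # device dropped or refused the session; try the next pair
    return accepted


def _read_line(sock):
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace").strip()


def fake_telnet_server(accept_user, accept_pw):
    """Constructed stand-in for an IoT telnet daemon (demo only).

    Accepts exactly one username/password pair and returns the listening
    socket so the caller can read the port and close it when done."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listening socket closed
            try:
                with conn:
                    conn.sendall(b"\r\nlogin: ")
                    user = _read_line(conn)
                    conn.sendall(b"Password: ")
                    pw = _read_line(conn)
                    if (user, pw) == (accept_user, accept_pw):
                        conn.sendall(b"\r\nBusyBox v1.16.1 built-in shell (ash)\r\n# ")
                    else:
                        conn.sendall(b"\r\nLogin incorrect\r\nlogin: ")
            except OSError:
                continue  # client went away mid-dialogue

    threading.Thread(target=serve, daemon=True).start()
    return srv


if __name__ == "__main__":
    camera = fake_telnet_server("root", "xc3511")  # a typical shipped default
    port = camera.getsockname()[1]
    print("accepted defaults:", audit_device("127.0.0.1", port))
    camera.close()
```

Run this only against devices you are authorized to test, and treat any non-empty result as a device to re-credential or firewall immediately. A device that passes the audit can still be reachable on port 23 from the Internet, so pair the check with a perimeter rule that blocks inbound telnet.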

The hardware vendors largely cannot be relied upon to take device security as seriously as they perhaps should. Therefore, the onus is going to be on the end user to make sure their chosen devices do not become a security liability in the future.