Security researchers have been warning for years that poor security for internet of things devices could have serious consequences. We’re now seeing those warnings come true, with botnets made up of compromised IoT devices capable of launching distributed denial-of-service attacks of unprecedented scale.
Octave Klaba, the founder and CTO of French hosting firm OVH, sounded the alarm on Twitter last week when his company was hit with two concurrent DDoS attacks whose combined bandwidth reached almost 1 terabit per second. One of the two attacks peaked at 799Gbps alone, making it the largest ever reported.
According to Klaba, the attack targeted Minecraft servers hosted on OVH’s network, and the source of the junk traffic was a botnet made up of 145,607 hacked digital video recorders and IP cameras.
With the ability to generate traffic of 1Mbps to 30Mbps from every single Internet Protocol (IP) address, this botnet is able to launch DDoS attacks that exceed 1.5Tbps, Klaba warned.
The OVH incident came after krebsonsecurity.com, cybersecurity journalist Brian Krebs’ website, was the target of a record DDoS attack that flooded the site at a rate of 620Gbps. The attack eventually forced content delivery and DDoS mitigation provider Akamai to suspend its pro bono service to Krebs, pushing the site offline for several days.
According to Krebs, the attack was nearly twice the size of largest attack Akamai had seen before, and would have cost the company millions of dollars if it had been allowed to continue.
“There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called ‘Internet of Things,’ (IoT) devices—mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords,” Krebs said in a blog post after his website came back online under the protection of Google Project Shield.
On Thursday, antivirus and security vendor Symantec published a report warning that insecure IoT devices are increasingly hijacked and used to launch DDoS attacks. The company has seen the number of cross-platform DDoS malware programs that can infect Linux-based systems soar in 2015 and continue this year. These threats are designed to run on Linux-based firmware for CPU architectures commonly used in embedded and IoT devices.
Symantec’s data shows that most of these systems are not compromised through sophisticated or device-specific vulnerabilities, but due to a lack of basic security controls. Attackers typically scan the internet for devices with open Telnet or SSH ports and try to log-in with default administrative credentials. That’s unfortunately all it takes today to build a large IoT botnet.
And while IoT-powered DDoS attacks have now reached unprecedented size, there have been warning signs for several years that they were coming. In October 2015, security firm Incapsula mitigated a DDoS attack launched from around 900 closed-circuit television (CCTV) cameras and in June DDoS protection provider Arbor Networks warned that there are over 100 botnets built using Linux malware for embedded devices.