Over the past few weeks, the world has seen several Distributed Denial-of-Service (DDoS) attacks of an unprecedented scope. Among these was the attack on Dyn, an American domain name system (DNS) services provider, whose clients include Twitter, Reddit and Spotify. On OMctober 21st, Dyn was hit by an attack carried out by the Mirai botnet. The attack, which was on a scale 50 times more massive than any Dyn had faced before, was carried out from an estimated 100,000 connected devices, such as security cameras and digital video devices. The same botnet was used in an attack on security journalist Brian Krebs’s blog, an attack that reached a bandwidth over 620 Gbps. French Internet service and hosting provider OVH suffered an even larger Mirai attack. Not only is the scale of these attacks worrying, but the source code for Mirai has been released to the public domain, so now anyone can set up a botnet. This has serious consequences.
We are all too familiar with DDoS attacks. A few years ago, Dutch banks were targeted by several attacks. As a consequence, these banks’ customers were unable to access their accounts, which caused significant damage to our trust in automation. It did, however, serve as a clear warning that measures should be taken to protect against DDoS attacks. So far those measures have proven adequate against attacks of a scale ranging to around 10 Gbps. The current attacks however, are several orders of magnitude more massive. To grasp just how massive these attacks were, consider that the Amsterdam Internet Exchange currently processes data at a rate of slightly over 2 terabits per second (2,000 Gbps) and that during the attack on OVH, the provider was bombarded with requests that reached a third of this bandwidth. So it will come as no surprise that older protection measures are no longer sufficient.
Attacks by anyone
Even more worrying than the gigantic scale of these attacks, is the way they were carried out. Because the source code for Mirai is now available to everyone, anyone can carry out a massive DDoS attack. There are already sites where you can simply order an DDoS attack online and it is just a matter of time before Mirai is included among ‘services’ offered on these sites. These attacks make large-scale use of Internet of Things devices, such as security cameras and digital video recorders. These types of devices – the “things” – are often poorly secured or even have no security features at all. In the past, botnets used no more than a few thousand computers for their attacks, but now hundreds of thousands of unsecured devices can be harnessed to create a zombie army and generate a gigantic, overwhelming flood of data.
Just the beginning
So-called “script kiddies”, wannabe black hat hackers possessing a minimum of programming skill, can adapt and expand upon the leaked source code to scan for additional vulnerable IoT devices. This will make future attacks even larger and, consequently, ever more damaging. We therefore expect that the recent DDoS attacks are just the tip of the iceberg and believe it is essential that the suppliers of vulnerable IoT devices take action as quickly as possible. If the security of these products is not improved, IoT devices will be employed to carry out DDoS attacks ever more often and on an ever larger scale.
At this point, little is known about the attackers and their motives. As yet, however, nothing points to the involvement of “foreign powers”. The attacks mainly caused disruptions in the U.S., but it will only be a matter of time before we will see similar attacks in Europe. Such an attack can completely isolate the target organization from the Internet: not only is the organization no longer accessible to external parties; internal access to email, cloud applications, etc. may also be impossible. The holidays are just around the corner, and a DDoS attack can cause an online department store to become unreachable just as hordes of consumers are pulling out their credit cards to buy holiday gifts. Now that it is possible for anyone to carry out such an attack, the underlying motives will range from extortion and inflicting damage to organizations, to terrorism.
As stated, recently deployed measures against DDoS attacks are certainly no longer adequate against the kind of attacks we are now seeing. Those measures will therefore need to be revised. Organizations that rely on providers of DDoS attack mitigation services would do well to verify that their provider has the capacity to negate attacks of this magnitude. The same applies to the Internet connection between the organization and the Internet service provider. Does this connection offer the capacity to handle more than 10 Gbps? If not, then it would be wise to divert all traffic to a specialized anti-DDoS service, when needed. Also: does the organization have a response plan ready in the event it becomes the target of a DDoS attack? Is there a contract with an incident response provider that can provide advice and assistance when dealing with a DDoS attack? Is it clear who should be contacted, internally and externally, and are these people available 24/7?
Danger not so easily negated
Organizations that can answer yes to the above questions and have taken appropriate measures are reasonably well protected against attacks of the Mirai scale. But in fact, this is little more than symptom management. It does nothing to address the root cause: millions of unsecured, connected devices. These devices run on operating systems that are poorly configured for security and often use default usernames and passwords (such as the familiar “admin/admin” combination). Amazingly, some devices do not even allow for this login to be changed. A botnet can easily scan the Internet and take immediate advantage of these vulnerabilities to infect such devices and absorb them into the botnet. The sad fact is that most device manufacturers are not inclined to improve the security of their products. Such devices are often sold at very low prices, with minimal profit margins, so spending money on security would be counterproductive while also having a negative impact on time-to-market. Fortunately, there are manufacturers who do feel that security is important, but even then there is one last hurdle: will consumers be willing and able to implement security updates? Most likely not. Expecting Internet service providers to solve this IoT security problem is not very realistic either. Even if they would be willing to scan their customers’ IoT devices, what do we expect them to do after they detect unsecured devices? Block their customers’ (often home users) access to the Internet? That would certainly not be in the ISPs’ best interest.
Role of the government and security providers
Addressing the IoT security issue is therefore a huge task. Consumers have little regard for security and this is certainly the case when it comes to IoT peripherals. So far, manufacturers of IoT devices have had no incentive to strengthen security. This problem can only be resolved if the government imposes a security standard for IoT devices, similar to the standard for electrical safety. Devices that fail to comply with this standard would not be allowed on the market.
What has been predicted for years has now come to pass: the insecurity of the IoT is causing major problems with Internet access and results in significant damages for organizations that depend on it. Worse still, it is not just the affected organizations – those that are the direct target of attacks – but also those who make use of the same data center or the same Internet networks, that experience service outages and suffer severe losses. This way, these new DDoS attacks can result in major disruptions, the kind of breakdown that could result in massive damages. Organizations fortunately have some means of preparing themselves for such an eventuality. But to address the root cause, the entire IT industry – from manufacturers to service providers and security specialists such as Fox-IT – must take action, in collaboration with the government.
Frank Groenewegen, Principal Security Expert Fox-IT