Because They Can: Spawning of the IoT DDoS

Authored by Keely Richmond, Sr. Cybersecurity Engineer

[Extracted from CCI’s Tech Talk blog]

On September 13, 2016, the website of a US-based Cybersecurity Journalist (Brian Krebs) was hit by a DDoS attack that knocked his site offline. The resulting investigation uncovered a type of DDoS attack different in composition and scale than that of the typical DDoS attack.  In fact, this type of DDoS attack had only been seen in the wild a handful of times—the earliest known detection: April 2016.

Two pieces of malware (similar, but different), Mirai and Bashlight, were used to enslave enough Internet of Things (IoT) devices to launch a 620Gbps DDoS attack for the sole purpose of silencing a journalist whose articles threaten the livelihood and freedom of criminals.

As expected, an IoT DDoS attack sustaining 620Gbps got the attention of all types of people and organizations and the internet was soon riddled with a flurry of partial facts and theories about who, how, why, and what might be next.

Then it happened again!

On September 20, 2016, approximately 150,000 IoT devices (primarily DVRs and CCTVs) were enslaved to launch a 1.1Tbps DDoS attack against OVH (a French hosting company service provider). The target: Minecraft servers. The culprit: Mirai.

By September 30, 2016 the creator of Mirai decided to cut bait and released the monster (source code) into the public domain for anyone to use. This put distance between them and the source code, making the job of law enforcement more difficult because the code was now in the “possession” of virtually everyone. It also put a very powerful weapon in the hands of anyone with a moderate level of technical prowess and malicious intent.

At the same time the source code was published, the list of IoT devices targeted by Mirai (with default login credentials for each) was also published. This accomplished a few things:

  • Put the manufacturers and vendors of those devices on notice that their equipment needs to be secured or securable
  • Informed consumers (at least those who read tech news) of the lurking vulnerabilities in their homes and small businesses
  • Provided a seed list to anyone who wanted to give that source code a test drive
  • Made IoT vulnerability a hot topic for Cybersecurity specialists and service providers
  • Caught the attention of legislators—domestic and foreign

In addition to releasing the Mirai source code, its creator touted that it had been able to enslave 380,000 IoT devices before the scrutiny following the OVH attack made such endeavors too risky.

And then…it happened again!

[Read the rest of the article here]