On Friday morning, October 21st, East Coast internet users found themselves unable to access major websites such as Spotify, Twitter, Netflix, and Reddit, among others. Reports quickly came out detailing that the internet outage was caused by a massive DDoS attack launched against Dyn, an internet infrastructure company that provides DNS services for companies. According to Dyn, the attack started at 7am ET and resumed at 12pm ET, soon after Dyn was able to restore service. A third attack was attempted but Dyn was able to mitigate it with no customer impact.
While DDoS attacks are often aimed at a single company, usually a bank or e-commerce site, rendering it useless, an attack on a major internet infrastructure company like Dyn affects multiple sites and millions of visitors. This means that no single company is bearing the brunt of the DDoS attack. Instead, the attack is much wider in scope and effect and can pose large-scale problems.
In this article, we’ll be looking at the security implications this DDoS attack may have for the future, what we found within our own platform, and what steps organizations can take to minimize the power malicious actors have in executing this style of attack.
How the IoT was used in the DDoS attack
The massive DDoS attack was possible, in large part, because of default security configurations on IoT devices. Attackers made use of a worm that propagated by scanning for IoT devices that expose the Telnet protocol and trying common default passwords against them. Once a device was compromised, it would be used for DDoS attacks. The opening volleys of these attacks were observed in September, when the victim was Brian Krebs, a security researcher and journalist best known for the KrebsOnSecurity.com blog. Soon after publishing a story on a ‘DDoS attack for hire’ service, his website was hit with a massive 620GB/second DDoS attack, a record amount of hijacked bandwidth at the time.
As Krebs and other reports have noted, the attack was made possible through IoT device exploitation. We’ve talked about the security implications of IoT devices before, and attacks like these are a large reason why those implications matter. Because many devices such as IoT cameras, DVRs, and internet routers come with default passwords that are rarely changed, the devices are vulnerable to exploitation by automated password-guessing techniques.
These default configurations on IoT devices have been observed in the wild as being actively exploited by qBot, Mirai, and Hajime malware botnet families, among others.
These malware botnet families propagate by scanning the internet for vulnerable IoT products that use the ‘Telnet’ protocol and trying to log in to each device with a pre-written list of passwords that are the defaults for many of these devices. Once infected, the devices can then be used to execute DDoS attacks by the botnet controller via a C2 (Command and Control) server.
Figure 1.1 shows the code used in the Mirai botnet that contains common passwords that are checked during propagation.
As the news of the massive DDoS attacks being partially powered by compromised IoT devices began to hit the wires, we looked at the logs from our internal SecurityScorecard Attack Sensors. The data collected by our attack sensors was consistent with the circulating open source intelligence about the Mirai and Hajime malware families.
We compared the historical records of attacks against Port 23, the Telnet protocol, to determine when there was an observable increase in activity, and we observed significant increases in malicious activity. We examined the total number of unique attacking IP addresses from January 1st to August 30th, 2016, and compared it to attacks from September 1st to October 22nd, 2016. The Mirai and Hajime botnets were publicly announced in September and October 2016.
We saw a 200%+ increase in the number of attacks, and over 100% more unique IPs were engaging in attacks that matched the same pattern of Telnet worm propagation found in the botnet malware families. This is a startling finding given that the September and October date range is less than 1/4th of the length of the January to August range.
During the January to August timeframe, attacks totaled over 183K instances stemming from nearly 25K unique IP addresses. On average, over 102 unique IPs a day were detected as engaging in the attack. However, during the September and October timeframe, over 420K attacks were detected stemming from nearly 51,000 unique IP addresses, averaging out to 848 unique IP addresses a day engaging in the attack, an 831% increase.
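The period comparison described above can be reproduced over any sensor log with a short script. This is an added example, not SecurityScorecard's own tooling: the log line format, the sample lines, and the function names are constructed for illustration, and the per-day figure is assumed to be the period's unique source IPs divided by the days in the period.

```python
from datetime import date, datetime

# Constructed sample lines: timestamp, source IP, destination port, event.
SAMPLE_LOG = """\
2016-03-02T10:15:00Z 192.0.2.10 23 login_failed
2016-03-02T10:15:04Z 192.0.2.10 23 login_failed
2016-05-20T08:00:00Z 198.51.100.7 23 login_failed
2016-06-01T12:00:00Z 198.51.100.7 22 login_failed
2016-09-14T01:00:00Z 203.0.113.5 23 login_failed
2016-09-14T01:00:02Z 203.0.113.6 23 login_failed
2016-10-01T03:30:00Z 203.0.113.7 23 login_failed
2016-10-21T11:00:00Z 192.0.2.10 23 login_failed
2016-10-21T11:00:01Z 203.0.113.5 23 login_failed
malformed line
"""

# The two date ranges compared in the article.
BASELINE = (date(2016, 1, 1), date(2016, 8, 30))
SURGE = (date(2016, 9, 1), date(2016, 10, 22))

def parse_telnet_events(text):
    """Yield (day, source_ip) for well-formed events aimed at port 23."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "23":
            continue  # skip malformed lines and non-Telnet traffic
        try:
            day = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").date()
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        yield day, parts[1]

def summarize(events, period):
    """Count attacks and unique sources inside an inclusive date range."""
    start, end = period
    hits = [(d, ip) for d, ip in events if start <= d <= end]
    days = (end - start).days + 1
    unique = {ip for _, ip in hits}
    return {"attacks": len(hits), "unique_ips": len(unique),
            "unique_ips_per_day": len(unique) / days}

def pct_increase(before, after):
    # None when the baseline is empty, since the ratio is undefined.
    return None if before == 0 else (after - before) / before * 100.0

def compare(text=SAMPLE_LOG):
    events = list(parse_telnet_events(text))
    base, surge = summarize(events, BASELINE), summarize(events, SURGE)
    return base, surge, {k: pct_increase(base[k], surge[k]) for k in base}
```

Because the two periods differ in length, the per-day rate is the figure to alert on; raw totals understate a surge that happens in a shorter window.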
When we examined the IP addresses that were running brute force attacks against the sensor’s Telnet service, we confirmed that they belonged to compromised DVR devices, webcams, and other IoT devices.
Figure 1.2 shows the default login portals for the web application interface of a compromised DVR device.
This vast increase in activity agrees with the independent reports that have pointed the finger at insecure IoT devices as the reason for the Dyn takedown. This issue has brought increased attention to the vulnerabilities of these devices. Because of the attack, a Chinese firm has recently recalled four models of an IoT webcam because of the security vulnerabilities the devices have.
Why this may not be the end of the DDoS attacks
While the DDoS attack lasted several hours, it may not be the last time we see a DDoS attack on this scale or worse. Our Chief Research Officer who performed the analysis detailed above, Alex Heid, noted that “It is highly likely this incident was simply a ‘test’ of the full capabilities of this attack methodology.” The culprits still haven’t been found, as multiple parties have taken responsibility, and the current evidence seems to point to amateur hackers as the individuals responsible for the attacks. Other security researchers and forensic scientists can’t find specific motivations for the attack that would point to a hacker group or nation-state.
However, DDoS attacks are frequent, and as Krebs noted, the source code for the Mirai IoT botnet was released, which has already led to a doubling of the number of bots infected with the Mirai malware. Even more troubling is evidence indicating that the Mirai botnet is being given away for free on multiple underground hacker forums. Forbes reported that soon after the Mirai source code was released, a hacker was selling access to an IoT botnet capable of generating 1TB of traffic per second, the same amount that was levied against OVH, a French hosting provider. While the hacker didn’t specifically name the botnet, the hacker is connected to the Mirai malware, as evidenced by previous posts.
How organizations can mitigate their IoT risk
This IoT insecurity presents a novel problem that needs to be addressed immediately, but it has underlying layers of complication that require effort from a number of parties. Unfortunately, as we learned in our interview with security researcher Matthew Garrett, manufacturers aren’t creating these devices with security in mind, so until the manufacturers create more secure IoT products, the burden largely falls on individuals and organizations to mitigate this risk.
Organizations looking to purchase internet-connected devices such as cameras, routers, DVRs, or smart TVs should perform some due diligence to ensure that the devices aren’t quick to succumb to the Mirai botnet or otherwise insecure. Once the right devices are purchased, any passwords on the devices should be changed immediately and all firmware and software updates should be applied, as most updates include security patches.
Organizations should also take inventory of their current IoT devices, to ensure everything is up to date, patched, and that all passwords are changed. If devices are found with the malware installed, the devices should be disconnected from the internet, then rebooted, which will remove the malware. Once the reboot is complete, the password should be changed before reconnecting the device. For a more comprehensive guide, the US-CERT issued an alert on IoT Security and DDoS attacks in mid-October, offering insight and concrete steps organizations and individuals can take.
These DDoS attacks rely on strength in numbers, exploiting easy-to-fix vulnerabilities on a massive scale. If both organizations and manufacturers take the necessary steps to prevent future malware infection and remove the existing malware infection, the DDoS attack tools that are being circulated on hacker forums will lose their effectiveness. This is a case where collaboration among multiple organizations is needed to reduce the effectiveness of basic attack techniques.
Fortunately, this high-profile attack is likely what was needed to bring visibility to the issues of IoT security and to get them taken seriously, which bodes well for the future of these devices.