The Internet of Things as an attack platform
The largest ever distributed denial of service attack was recently launched via compromised IoT devices. In this article I explain what went wrong, and what needs to happen to prevent history repeating itself.
On 20th September 2017 security blogger Brian Krebs witnessed the largest DDoS attack in the history of the internet. A botnet now known by the name 'Mirai', comprised mainly of thousands of IoT devices, flooded the blogger's website with nonsense traffic in an attempt to knock it offline.
Brian was initially protected by anti-DDoS company Akamai, who were able to fend off the attack, which peaked at around 620 Gbps. To give this some perspective, this was close to twice the size of the previous largest attack seen, and meant 620 gigabits of traffic flooded the Akamai servers every second, which would normally be enough to swamp any server and bring the website down instantly. The motives for the attack are unclear, although Brian is no stranger to this sort of attempted censorship due to the nature of the topics he writes about.
Using the IoT as an attack platform was a new tactic to many, especially at this size. It was made possible largely by manufacturers producing many internet-connected devices with extremely poor security out of the box, allowing them to be easily compromised by attackers who can simply guess administrator passwords.
Technology is entering a new age where everything around the home will soon be connected and controllable via the internet. This opens up many possibilities and opportunities, but we need to ensure it is done with security in mind.
Hard-coding weak, default security credentials into these new devices is going to mean an increase in attacks such as the one aimed at Brian Krebs. As the number of internet-connected devices increases, so will the power of the attacks, as more and more devices are enlisted into botnets against their will.
Akamai put up a valiant fight, but in the end the attack was costing the company too much money to defend against and they let Brian go. After a few days lost at sea, Brian now finds himself protected under Google's own infrastructure, utilising Project Shield, which aims to protect journalists from DDoS censorship. As a system, though, it remains largely untested, so time will tell if even the might of Google can withstand the level of attacks being generated by poorly secured IoT devices.
Brian is fortunate in many ways: being a well-known security journalist, he was able to access such protection relatively easily. Much smaller attacks would leave lesser-known bloggers and website owners out in the cold and offline, with no other option but to wait until the attacks stop.
Since the attack on Brian we've already seen an even bigger attack on French hosting company OVH, which hit 1000 Gbps! Manufacturers have a responsibility to ensure all new devices are supplied with strong, unique credentials from the factory. Until they do, these types of attacks will continue, grow in size and frequency, and pose a real risk to the very structure that makes the internet work.
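As an added illustration of "strong, unique credentials from the factory" (not code from this article or from any manufacturer), the sketch below provisions a batch of devices with a random per-device admin password and keeps only a salted scrypt hash for the firmware. The function names, the serial numbers and the choice of scrypt are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/O, 1/l/I) so the password
# printed on the device label can be typed reliably.
ALPHABET = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PASSWORD_LEN = 16


def _scrypt(password, salt):
    # Memory-hard hash: a dumped firmware image does not reveal the password.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def provision_device(serial):
    """Return (label_password, record) for one device (hypothetical helper).

    The password goes on the printed label only; the record, which holds
    no plaintext, is what gets flashed to the device.
    """
    password = "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))
    salt = secrets.token_bytes(16)
    record = {"serial": serial, "salt": salt.hex(),
              "hash": _scrypt(password, salt).hex()}
    return password, record


def verify_login(record, attempt):
    """Device-side check of a login attempt against the flashed record."""
    digest = _scrypt(attempt, bytes.fromhex(record["salt"])).hex()
    return hmac.compare_digest(digest, record["hash"])


def provision_batch(serials):
    """Provision a batch; refuse to ship if two devices share a password."""
    labels, records = {}, {}
    for serial in serials:
        labels[serial], records[serial] = provision_device(serial)
    if len(set(labels.values())) != len(labels):
        raise RuntimeError("duplicate credential in batch")
    return labels, records


if __name__ == "__main__":
    # Constructed serial numbers, for demonstration only.
    labels, records = provision_batch(["SN-0001", "SN-0002", "SN-0003"])
    for serial, password in labels.items():
        print(serial, password, verify_login(records[serial], password))
```

Because every device gets its own secret, guessing one administrator password no longer unlocks every unit of the same model.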