Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

06:55 PM
Connect Directly

'Root' & The New Age Of IoT-Based DDoS Attacks

Last Friday's massive DDoS that exploited online cameras and DVRs was simple to pull off -- and a new chapter in online attacks.

The distributed denial-of-service (DDoS) attack last Friday via an army of infected webcams, DVRs, and other systems, that crippled a large chunk of the Internet's domain name system (DNS) served as a wake-up call after years of research and warning about vulnerable consumer and embedded devices.

It also led to a rare mea culpa by a consumer networked-device manufacturer: Hangzhou Xiongmai Technology Co Ltd, the Chinese maker of electronics for some of the surveillance cameras hijacked by the so-called Mirai botnet used in the attack against DNS provider Dyn, reportedly said it will recall some of its affected products. The firm plans to ratchet up authentication as well as patch devices manufactured prior to April 2015, according to a Reuters report.

Even so, a recall is far from the solution to cleaning up the botnet pollution, especially in the Internet of Things space, security experts say.

"The trouble with hardware that has been hijacked for Mirai is that the devices are 'white label' goods, produced by an unbranded manufacturer for third-party companies," Sophos' principal research scientist Chester Wisniewski said in a blog post today. "The Chinese company that made the hijacked devices, XiongMai, almost certainly has no way of knowing which companies have rebranded and sold its insecure cameras, and thus who the end users are. That makes it pretty much impossible to recall them."

IoT devices—everything from home routers to webcams and smart fridges—are well-known easy security targets. Aside from the "white label" component issue, most of them come with default authentication and no security features. The bot-infected army of IoT devices pummeled Dyn and crippled major websites such as Okta, Pinterest, Reddit, and Twitter, last Friday and left websites either inaccessible or with slow-loading pages for some users.

But the attackers behind the DDoS, the origin of whom are still being investigated, did not have to do any sophisticated hacking to recruit their IoT devices. Finding vulnerable IoT devices wide open to the public Internet is easy.

Vikas Singla, co-founder and chief operating officer of stealth startup Securolytics, says his firm discovered that two basic factors contributed to the Mirai botnet's formation. First off, they found that some IoT devices, including webcams, routers, and DVRs, literally broadcast their model numbers and software version information when you connect to them online. "IoT devices tell you what they are … servers don't do that," notes Singla.

Securolytics, which provides scans for healthcare and financial services industry of IoT vulnerabilities in their networks, also found that IoT devices used in the Mirai botnet use just one popular IoT default credential: "root."

Mirai basically searches for telnet protocol availability, checks for default credentials, and when it finds a match, logs into those devices and uses them for DDoS'ing purposes. CCTV cameras are most often exploited by Mirai because many of these devices rely on default credentials. The botnet malware specifically controls the BusyBox software often found in IoT devices.

The Sept. 20 DDoS via Mirai on KrebsOnSecurity reached around 620 Gbps in size, which broke DDoS records in terms of power. The botnet malware's author later dumped the Mirai source code online.

Meanwhile, Dyn has confirmed that the DDoS attack came in three waves last Friday, and used tens of millions of IP addresses across different locations. "We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack," Kyle York, Dyn's chief strategy officer wrote in a post.

Dyn said the DDoS campaign began at around 7:10 am Eastern and concluded around 1:45 pm Eastern.

While all's been quiet on the Mirai DDoS front since then, security experts say this was only the beginning for IoT-based botnet attacks.

"It's going to continue to happen," says Doug Morgan, chief data scientist at Securolytics.

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
12/8/2016 | 1:14:53 PM
GCHQ Calls Internet Providers to Rewrite Systems
Looking at the extreme end of the solution spectrum, the recent stories regarding GCHQ's call upon Internet Providers to rewrite systems to aid in preventing hacking attacks seems relevant right now.  The idea of national firewalls, national Internet silos, and entirely re-written protocols makes one wonder how bad the cybersecurity ecosystem situation really is out there.  For some of on the inside, we have a better idea but it's often still only a glimpse compared to what government agencies see.  Would these re-writes of standards, protocols and software really do well in preventing large-scale cyber attacks?  Is DDoS really the only reason to make such a call for change, or is that type of attack better made a thing of the past through less drastic changes?  If BT and Virginia Media are going to work with government cyber-defense teams to rewrite Internet standards to restrict spoofing, is this the foot in the door of a gloabl revamp of the Internet?  I know the Internet Service Providers Association (ISPA) is skeptical as they should be.  Such a move could cost trillions of dollars, millions of hours of work and be brought to the floor with a single righteous hack after it's implemented.  Measures noted in this article are alternate and logical ways to help on the small scale, but it keeps bringing into question: What do we do for the large-scale?
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.