This past Friday’s DDoS attack demonstrates a significant uptick in this sort of activity. After trending downward for about 18 months, this tactic appears to be back in a major way, and we should expect to see more of the same for the next few months until providers find appropriate countermeasures.

According to broad reports, the attack hijacked 500,000+ assets, with an estimated 1-50MBps of upload capacity per device. When you consider that an average household has four IoT-connected devices, the potential scope of these attacks is obvious.

In terms of the anatomy of this particular attack, it stems from the Mirai malware, which Armor recently analyzed extensively. The malware works in three stages: a scanner finds vulnerable devices; once a device is compromised, it begins flooding a remote website with requests; and a command-and-control (C&C) server sustains the attack. Armor researchers found that the Mirai source code isn’t as sophisticated as other malware we’ve seen, but it was assembled in a collaborative manner from several different sets of code.

For now, it targets “telnet” services to attack IoT devices. However, because the source code is now publicly available, we anticipate that the “Mirai Framework” will quickly evolve to include other attack methods, which would be a significant escalation.

And since ransomware is lucrative and the actors are elusive, it is likely that they will increasingly leverage available DDoS tools such as this for one very simple reason: website uptime. Business owners measure to the exact penny how much money is lost for every minute of downtime, which compels them to pay up. This reality, combined with a narrow chance of being caught, makes the tactic very attractive to criminals.

Targeting DNS providers

The expansiveness of the botnet is only one aspect of this story. The real concern lies in the practice of attacking a DNS (Domain Name System) provider. This creates a “one to many” scenario because DNS holds the mappings from domain names to the IP addresses that allow devices and domains to connect. By overloading the provider’s network, attackers have, in essence, stolen the ‘phonebook’ that makes surfing the web possible.

DNS providers have always been the “Achilles’ heel” of the internet, and it should come as no surprise that they’re being targeted. In fact, the only surprise is that they haven’t been targeted more often.

What the future holds

The threat research community is tasked with finding a way to prevent IoT devices from being a conduit for destructive DDoS campaigns. When linked to a botnet, IoT devices are valuable because they are usually always on and have high-capacity connections that generate tremendous attack power.

In the short term, it’s not a stretch to imagine that a “good Samaritan” hacker might try to locate compromised devices and reset the default passwords to thwart another incident. But this act would have drawbacks: it would be technically illegal and could have unintended consequences for device owners. It is clear that black hat hackers are already attempting to target compromised devices to “recruit” them into their bot armies.

Security teams must ensure that appropriate security patches are in place and remain vigilant for any anomalies that might suggest they are being targeted, or that their infrastructure is being compromised to facilitate a botnet. As an initial step, organizations should implement reputation-based IP filtering and consider DDoS protection providers.
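As an added example of the two steps just described (it is not Armor’s tooling, and no code from the original post), the Python below runs over a handful of constructed flow records and does two things a defender would want: it flags an internal device that opens telnet connections to many distinct addresses in a short window, which is the scanning behaviour a Mirai-style infection produces, and it drops inbound flows whose source falls in a reputation blocklist. The record format, the 10.0.0.0/8 “internal” range, the blocklist ranges and the thresholds are all assumptions for the example; port 23 is the telnet port the post mentions, and 2323 is included because Mirai-family scanners are known to probe it as a second telnet port.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records for this example (not real telemetry), one per line:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
# 10.0.0.15 behaves like a compromised device sweeping telnet across the internet;
# 10.0.0.22 is an admin opening a single telnet session plus normal HTTPS traffic;
# the last three lines are inbound flows, two of them from a blocklisted range.
SAMPLE_FLOWS = """\
2016-10-21T12:00:01Z 10.0.0.15 198.51.100.7 23 tcp
2016-10-21T12:00:03Z 10.0.0.15 198.51.100.8 23 tcp
2016-10-21T12:00:04Z 10.0.0.15 203.0.113.40 2323 tcp
2016-10-21T12:00:09Z 10.0.0.15 198.51.100.9 23 tcp
2016-10-21T12:00:15Z 10.0.0.15 192.0.2.77 23 tcp
2016-10-21T12:00:20Z 10.0.0.15 198.51.100.10 23 tcp
2016-10-21T12:00:02Z 10.0.0.22 10.0.0.1 23 tcp
2016-10-21T12:00:05Z 10.0.0.22 198.51.100.7 443 tcp
2016-10-21T12:00:06Z 203.0.113.5 10.0.0.80 80 tcp
2016-10-21T12:00:07Z 192.0.2.9 10.0.0.80 443 tcp
2016-10-21T12:00:08Z 203.0.113.99 10.0.0.80 53 udp
"""

TELNET_PORTS = {23, 2323}            # 23 from the post; 2323 is Mirai's known second telnet port
INTERNAL = ip_network("10.0.0.0/8")  # assumed address space of the monitored network
# Constructed reputation blocklist; a real deployment would load this from a feed.
BAD_REPUTATION = [ip_network("203.0.113.0/24")]


def parse_flows(text):
    """Parse the constructed record format into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ip_address(src),
            "dst": ip_address(dst),
            "dport": int(dport),
            "proto": proto,
        })
    return flows


def find_telnet_scanners(flows, window=timedelta(seconds=60), min_targets=5):
    """Return {src: peak_distinct_targets} for internal hosts that reached at
    least `min_targets` distinct addresses on a telnet port within any
    `window`-long interval. A single admin session never trips the threshold."""
    by_src = defaultdict(list)
    for f in flows:
        if f["src"] in INTERNAL and f["proto"] == "tcp" and f["dport"] in TELNET_PORTS:
            by_src[f["src"]].append((f["ts"], f["dst"]))

    hits = {}
    for src, events in by_src.items():
        events.sort()                # sliding window over time-ordered events
        in_window = Counter()        # distinct destinations currently in the window
        start, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:   # evict events older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            hits[str(src)] = peak
    return hits


def drop_bad_reputation(flows, blocklist=BAD_REPUTATION):
    """Reputation-based IP filtering: split flows into (kept, dropped), dropping
    inbound flows whose external source sits in a blocklisted range."""
    kept, dropped = [], []
    for f in flows:
        inbound = f["dst"] in INTERNAL and f["src"] not in INTERNAL
        if inbound and any(f["src"] in net for net in blocklist):
            dropped.append(f)
        else:
            kept.append(f)
    return kept, dropped


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, n in find_telnet_scanners(flows).items():
        print(f"possible scanner: {src} reached {n} distinct telnet targets in one window")
    kept, dropped = drop_bad_reputation(flows)
    print(f"reputation filter dropped {len(dropped)} inbound flows, kept {len(kept)}")
```

The scanner check keys on distinct destinations rather than raw connection count, so a legitimate device that talks repeatedly to one management host stays quiet while a sweep across many addresses stands out; in practice the window and threshold should be tuned against a baseline of the network’s own traffic, and a hit is a lead for investigation of that device, not proof of infection.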

We expect to see a continued escalation of this DDoS campaign, and our researchers are already seeing signs of evolution. Our team will continue to release findings to help our customers, and internet users in general, be better prepared.