The new age of DDoS - And we ‘joked’ that toasters would one day take down our banks

A few years ago, just as the ‘Internet of Things’ (IoT) was starting to form as a concept, some of us in the cyber security community joked that in future our toasters would be able to take down our banks.

Within the last few months that joke has started to become a reality. In September 2016, US security researcher Brian Krebs had his website, Krebs on Security, taken offline by the largest Distributed Denial of Service (DDoS) attack yet seen. A short while later OVH, a French internet hosting company, was struck by an even bigger attack.

Then, in October, Domain Name Server (DNS) company Dyn - essentially a part of the ‘internet phone book’ which directs users to websites - also fell victim to an attack in which tens of millions of different internet addresses bombarded the company’s servers with excessive data, causing popular sites like Twitter, Spotify and Reddit to go offline.

The size of attacks has increased exponentially thanks to hackers and cyber criminals making use of the IoT. These devices – including the likes of webcams Digital Video Recorders, and even fridges, toasters and pressure cookers - are typically designed to be quick and cheap to produce, and inherently have very poor levels of security.

The majority run variants of the Linux operating system and many have very simple or default administrator username and password combinations, or use standard encryption tools where the ‘key’ is widely available on the internet. There are some with no security features at all. Worryingly, the end user can do little to prevent their use by cyber criminals and hackers, even if they were to become aware that their device has been compromised. Other than turning it off and disconnecting it from any internet connection – which would pretty much leave the device as ‘dumb’, and remove the features they bought it for – there’s very little scope to prevent it from being recruited by hackers.

The risk posed stems from a piece of malware called ‘Mirai’ (Japanese for ‘the future’). Developed by a coder who goes under the pseudonym of ‘Anna-senpai’, Mirai turns computer systems running Linux into remotely controlled ‘bots’ that can be used as part of a ‘botnet’ in large-scale network attacks. Mirai was first unleashed on September 20, 2016, with attacks on the Krebs website reaching up to 620 Gbps. Soon after, OVH was hit with an attack which reached a staggering 1 Tbps. Both these attacks used in the region of 150,000 infected IoT devices, and produced volumes of traffic in DDoS attacks never seen before.

It is thought Krebs was targeted as he has exposed an Israeli group called ‘vDOS’ operating on the ‘Dark Web’ that rented out DDoS attacks (known as ‘DDoS-as-a-Service’). Soon after these attacks, the source code for Mirai was released on the Dark Web. This now gave other hackers and cyber criminals the opportunity to undertake massive DDoS attacks,which resulted in the Dyn incident.

In a change of tactic, the hackers attempted to take down part of the key infrastructure of the internet rather than just focusing on a single website.

This begs the question: Just how will DDoS attacks develop in 2017 and what will the future hold for internet security?

Vince Warrington, Director, Protective Intelligence

Image Credit: Profit_Image / Shutterstock