DDoS of Things

The tendency to connect more and more devices to the Internet has overflown well beyond our computers and smartphones. This high level of interconnection has brought us to be capable of controlling and communicating with anything ranging from garage doors, clothing, fridges, gates, surveillance cameras, security sensors, watches, pet equipment or even umbrellas. Everything labelled as “smart” is connected to the Internet which makes it a lot easier for users to communicate with it.

“A proposed development of the Internet in which everyday objects have network connectivity, allowing them to send and receive data”.

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

How One AI-Driven Media Platform Cut EBS Costs for AWS ASGs by 48%

– Oxford definition for the Internet of Things

It’s considered as the next step in the evolution of the Internet and offers many advantages and opportunities as well. The problem is the bad guys know it too. Using the fast emerging IoT, hackers can take control of vast amount of hardware to send out their malicious attacks.

An illustration of a smart home with various connected devices.
Image Source

Tweet this: IoT offers many advantages and opportunities. The problem: Bad guys know it too

The rush to connect everything and launch smart products has somehow brought people to almost completely neglect the security aspects of all those smart things. Security, if it’s considered at all, is often an afterthought for IoT devices. This big scale oversight has everyone more susceptible to cybercrime, regardless if they own IoT devices.

Unsecured IoT devices are easily recruited into malicious botnets to launch DDoS attacks. One such example was recently reported by Sucuri, where they mitigated a DDoS that leveraged over 25 000 CCTV devices which peaked at 50 000 HTTP requests per second.

IoT Malware

Given that IoT device users often deploy them while keeping the generic passwords, usually the same for entire classes of devices, hackers use softwares armed with specific lists of usernames and passwords to brute-force crack into the devices and gain control over them. Due to the very nature of these devices, an infection in a long-forgotten CCTV for example, can take a long time before the owner of the infected device notices any anomalies.

That’s why developers of DDoS toolkits can potentially build up a botnet army comprising of a number of infected devices that dwarfs anything possible by traditional PC-based botnets.

The experts at Level 3 Threat Research Labs have been tracking a family of malware that targets IoT devices with the intent of creating DDoS botnets. They reported that hackers have been using LizardStresser variations, that go by many names such as Lizkebab, BASHLITE, Torlus and gafgyt, to recruit their IoT botnets. The source code for the malware was leaked in early 2015 and has since been spun off into many variants.

A visual representation of binary code with the word 'MALWARE' highlighted in red.
Image Source

Tweet this: Lizard Stresser variations – favorite IoT based DDoS toolkits

The botnets expand by scanning for vulnerable devices in order to install the malware. Two primary models for scanning exist:

  1. Instructing bots to port scan for telnet servers and attempting to brute force the username and password to gain access
  2. Using external scanners to find and harvest new bots

The latter model which is growing in popularity, adds a wide variety of infection methods, and often scans directly from the command-and-control (C2) servers.

Lately, researchers from MalwareMustDie have also reported a newly discovered and still poorly detected piece of Linux malware, called Mirai, being used to hijack IoT devices into DDoS botnets. Mirai is considered to be a direct descendant of an older, previously mentioned Trojan known as Gafgyt.

There has been a variety of malware implementations from different actors with infection vectors, scanning methods and overall sophistication expected to evolve.

IoT Bot Landscape

IoT devices are being increasingly targeted by hacking organisations like Lizard Squad and Poodle Corp with the intent of building botnets to launch DDoS attacks. These massive botnets are then used for their own malicious agendas or even rented to other individuals, which is also known as DDoS-as-a-Service.

So far, IoT bot herders are favoring security camera DVRs as targets mainly because they are often left configured with default credentials, making them easy prey for hijackers. This kind of devices come with enabled telnet and web interfaces, and when combined with bandwidth required to stream video they become a powerful class of DDoS bots.

Two security cameras mounted on a pole under a cloudy sky.
Image Source

Tweet this: IoT bot herders are favoring security cameras. Default credentials = easy prey

Geographically, of the IoT bots observed by Level 3 and reaching more than 1 million devices, a large percentage are located in Taiwan, Brazil and Colombia. A vast majority were using white-labeled DVRs along with DVRs manufactured by Dahua Technology.

As for device types of the observed botnets, almost 96 % were IoT devices (mainly cameras and DVRs), 4 % were home routers and less than 1 % were compromised Linux servers. It’s a major change from traditional server and home router based DDoS botnets. It all points to the conclusion there’s a huge shift going on in the composition of botnets.

Command and Control Servers (C2s)

The C2 used in IoT based DDoS attacks have their IPs hard-coded into the malware, often specifying only a single IP address, in contrast to more sophisticated malware, which utilizes a variety of techniques to provide higher resiliency.

The overall lack of sophistication is not a concern for IoT bot herders because it’s quite easy for them to create a new C2 and re-compromise their bots. Many of these botnets are capable of producing powerful attacks as large as hundreds of gigabits per second.

Level 3 Threat Research Lab also reports a huge variation in terms of C2 controlled bots. With the median C2 controlling 74 bots but the largest C2 communicating with nearly 120,000 bots and we expect the number of bots to actually be higher.

IoT Based DDoS Anatomy

After the attacker manages to gain control over the device, they do not bother to identify the architecture of it as they immediately execute both the “busybox wget” and “wget” commands (small applets that run in the background of Linux systems) to retrieve DDoS bot payloads. It’s then they run multiple versions of the malware constructed for various architectures (up to 12), until one executes.

IoT DDoS attacks targets are mostly residential users, but also popular gaming platforms and sites. The majority of the attacks were simple UDP and TCP floods. High bandwidth attacks are more likely to run UDP floods which are also more common, while high packets-per-second attacks launched mostly TCP floods and are decreasing in popularity. Some variants also support HTTP attacks. Even if it’s supported, spoofing of source addresses was rarely used with these malwares.

It’s important to note how reflected attacks are absent from this type of attacks. That’s why perpetrators use multiple families of malware, it allows them to broaden their arsenal.

When talking about the duration of IoT DDos attacks they are fairly short-lived, with the median duration just over 2 minutes, and 75 % of attacks under 5 minutes.

How To Defend

The rise in the number of compromised IoT devices paired with an alarmingly low level of security standards within the IoT world has brought OWASP to react and launch yet another security project. As stated on their official page, the OWASP Internet of Things (IoT) Project is designed to help manufacturers, developers, and consumers better understand the security issues associated with the Internet of Things, and to enable users in any context to make better security decisions when building, deploying, or assessing IoT technologies. The project looks to define a structure for various IoT sub-projects such as Attack Surface Areas, Testing Guides and Top Vulnerabilities.

Logo of the Open Web Application Security Project (OWASP),featuring a stylized butterfly and the organization's name.
Image Source

Tweet this: ACL, SNORT & YARA rules – quick IoT security measures

Until a comprehensive guide is completed there are some security measures available to IoT administrators in order to secure their devices:

  • Access Control List (ACL) – If permissions are not specified by the manufacturer, it should be done as soon as possible. Extreme caution is recommended when configuring read/write permissions.
  • SNORT – Useful open source program for the layer-7 Get flood.
  • YARA Rules – A tool that helps identify and classify classify files or running processes to determine what family the malwares belong to.

Conclusion

The abuse of IoT devices for botnet misuse is nothing new, but as they become more frequent, IoT based DDoS botnets are sure to increase in number and power. While hosts and home routers continue to be targeted, hackers will most likely follow the easier path. Instead of spending more energy on traditional bot hosts, they’ll take advantage of the abundance of insecure IoT devices. Even though IoT platforms as launching pads for DDoS attacks are reported in small numbers and only a few attacks have been launched and with relatively insignificant impact, as IoT becomes more present and more standardized – more and more opportunities and higher levels of sophistication are arising for cybercriminals.

Vendors of IoT devices should work to improve their security to control this growing threat. However, if you have one of these devices, standard security best practices advice applies. Some types of IoT devices don’t allow you to configure what services are exposed, and some use hardcoded credentials that can’t be changed, leaving owners with few options. It’s why researching the capabilities of these devices before purchase is just as important as their operation after they are deployed. Until IoT device manufacturers start improving their security standards and device owners stop connecting them insecurely to the internet, the trend is expected to continue to grow.

If you are suspecting a DDoS attack or bot abuse, contact our experts to find the quickest and most suitable solution.

Latest Articles

Three Ways CISOs Can Combat Emerging Threats in 2025

73% of CISOs fear a material cyberattack in the next 12 months, with over three-quarters convinced AI is advancing too quickly for existing methods to combat it. But what can CISOs do to prepare for the coming wave – and access the resources they need to deal with this evolving threat landscape? To find out, […]

11th November, 2024
How Optimizing Kafka Can Save Costs of the Whole System

Kafka is no longer exclusively the domain of high-velocity Big Data use cases. Today, it is utilized on by workloads and companies of all sizes, supporting asynchronous communication between even small groups of microservices.  But this expanded usage has led to problems with cost creep that threaten many companies’ bottom lines. And due to the […]

Itay Tal Head of Cloud Services
29th September, 2024
Migrating Volumez RedHat VMs into Amazon Linux 2 for higher effective discounts rate of Saving Plan

A cloud data infrastructure company relied on extensive use of multiple instance types to test its products. But this made it difficult to optimize costs – a fact which had begun to impact their ability to scale the business.   The GlobalDots team helped the company identify and implement a new infrastructure configuration that both saved […]

Itay Tal Head of Cloud Services
19th September, 2024
How Yuki Achieved SOC 2 Compliance 6x Faster

Overview A fast-growing Snowflake optimization platform was missing out on customers because they didn’t have the right data security compliance. Through multiple consultations and extensive vendor-testing, the GlobalDots team selected a solution to provide both tech and human support, helping the company achieve SOC 2 compliance within just 3 months – and win new customers […]

Itay Tal Head of Cloud Services
16th September, 2024

Unlock Your Cloud Potential

Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.

    GlobalDots' industry expertise proactively addressed structural inefficiencies that would have otherwise hindered our success. Their laser focus is why I would recommend them as a partner to other companies

    Marco Kaiser
    Marco Kaiser

    CTO

    Legal Services

    GlobalDots has helped us to scale up our innovative capabilities, and in significantly improving our service provided to our clients

    Antonio Ostuni
    Antonio Ostuni

    CIO

    IT Services

    It's common for 3rd parties to work with a limited number of vendors - GlobalDots and its multi-vendor approach is different. Thanks to GlobalDots vendors umbrella, the hybrid-cloud migration was exceedingly smooth

    Motti Shpirer
    Motti Shpirer

    VP of Infrastructure & Technology

    Advertising Services