If you thought the massive Internet outage on Friday, Oct. 21, was over, you’d better think again. According to news reports that are just surfacing, the operators of the botnet are selling access to the formidable attack-network for $7,500 per 100,000 bots.
According to this Forbes post, Hackers Sell $7,500 IoT Cannon to Bring Down The Web Again, the sellers claim the “IoT Cannon” can deliver a stunning blow of 1 terabit of traffic. This network is, reportedly, the same botnet that delivered a powerful and substantial denial-of-service attack that targeted a service that provides critical Internet infrastructure support to many popular websites. The botnet consists of a high number of compromised IoT devices, including video cameras and video recorders, according to many reports on the incident.
The attack knocked offline several big name websites, including Amazon services, Tumblr, Twitter, Reddit, Spotify and Netflix.
The attackers aimed their bot army at Dyn DNS, which provides DNS (Domain Name Services) to many Internet destinations. A number of researchers claim that the attack on Dyn DNS leveraged, at least in part, the malware Mirai, which was used in the powerful 620 Gpbs attack on security blogger KrebsOnSecurity’s site recently. Last month, someone who claimed to have authored Mirai made the source code available so that anyone could build a botnet using the malware.
Mirai operates by scanning the Internet for IoT devices and attempts (often successfully) to compromise those devices. Once compromised, the devices can be used to fire bogus traffic at a website or online service. When the level of traffic becomes too high, the website can’t accommodate the traffic and essentially becomes unavailable. While the video below doesn’t pertain to this specific attack, it does show what a DDoS attack looks like.
Network services provider Level 3 Communications provides an overview on IoT botnets in How the Grinch Stole IoT. In its analysis, the company found that, of the half a million devices infected with Miria, 80 percent are DVRs.
Scary stuff. And now consider the number of IoT devices coming online in the next few years, dwarfing the number of traditional computing devices by 2020, according to BI Intelligence. By 2020 there will be 34 billion Internet connected devices, with 10 billion being traditional devices (smartphones, tablets, PCs) and 24 billion devices classified as IoT. If the security of these devices aren’t taken into account, we will be in for a rough time trying to maintain the performance and availability of Internet and cloud services.
There are groups trying to raise awareness and even legislate the IoT security practices.
Brian Krebs covers Europe’s push for new IoT security rules, here. According to his report, the Commission is planning the new IoT rules as part of a new plan to overhaul the European Union’s telecommunications laws. And earlier this month the Cloud Security Alliance published its guide, Future-proofing the Connected World: 13 Steps to Developing Secure IoT Products. The Cloud Security Alliance guide goes into great detail into how to design, build, and maintain secure IoT devices.
The question is, with billions of at-risk devices already deployed and billions more coming down the pipeline – is it too little too late?