Here’s how anyone with $20 can hire an IoT botnet to blast out a week-long DDoS attack

Distributed denial of service (DDoS) attacks continue to erupt all across the Internet showing not the faintest hint of leveling off, much less declining, any time soon.

Related video: How DDoS attacks leverage the Internet’s DNA

To the contrary, DDoS attacks appear to be scaling up and getting more sophisticated in lock step with digital transformation; DDoS attacks today are larger, more varied and come at the targeted website from so many more vectors than ever before.

This is borne out by Akamai Technologies’ Summer 2018 Internet Security/Web Attack Report.

Akamai, which optimizes the delivery of content for large enterprises, measured a 16 percent increase in the number of DDoS attacks recorded since last year.

GitHub’s logo

That increase included far and away the largest DDoS attack ever recorded, when the popular code-sharing website GitHub got inundated by an astounding 1.35 terabytes per second of nuisance traffic. The attackers responsible for the GitHub attack very cleverly leveraged something called memcached database servers.

They accessed these otherwise obscure servers — which make up part of the Internet’s open infrastructure —  and used them to massively amplify traffic directed at GitHub — to deafening levels.

Of course, we’ve not seen the last of these types of innovative, brute-force attacks. But that’s not all. DDoS attacks are evolving to become more diverse. A nascent cottage industry is starting to gel around DDoS botnets-for-hire, comprised of millions of compromised IoT devices. IoT botnets can be hired to execute smaller-scaled DDoS attacks designed to knock out a networked application, rather than a whole website.

I had the chance to visit with Don Shin, A10 Networks’ Senior Product Marketing Manager, at Black Hat USA 2018. A10 is a leading supplier of advanced DDoS detection and mitigation systems. We discussed how adept DDoS attackers have proven to be at moving quickly to exploit a seemingly endless supply of fresh attack vectors, opened up by digital transformation. For a full drill down on our discussion please listen to the accompanying podcast. Here are a few takeaways

Targeting simplified

Psst. Would you like to knock someone’s website offline for whatever reasons? Maybe you’d like to make a political statement, or perhaps discredit a business rival’s online operations? Got twenty bucks to spare? That’s all it takes to retain a botnet-for-hire vendor who will be happy to send nuisance traffic at the rate of 300 gigabits per second to any IP address you designate.

That’s not a  “volumetric” DDoS attack by today’s standard. But consider that a 300 GBPS DDoS attack represented at record attack just five years ago. Today that’s still more than enough nuisance traffic to knock off line any website that isn’t using a paid DDoS mitigation service, which is the vast majority of sites.

“We’re seeing the commoditization of DDoS attack services,” says Shin. “It used to be that in order to be able to create a high volume attack you had to go and create your own botnet. However, right now there’s so little effort needed to accumulate an IoT botnet that we’re seeing these underground DDoS-for-hire services coming down into the $15 per week range.”

It has become trivial for anyone with malicious intent to contract a DDoS service  to  deliver an attack against whoever their victim might be. “Targeting simplification is a really a big problem for our industry right now,” Shin says.

IoT force multiplier

By Gartner’s estimate there will be about 25 billion IoT devices in service by 2021. DDoS threat actors are already proactively seeking to take full advantage.

They realize that each IoT device, whether it be a home router, surveillance camera, office machine, medical device, or what have you, is a fully functioning computing nodule – one that’s likely off anyone’s radar, just waiting to be exploited.

“These are weapons that have a lot of capabilities and the security hygiene just isn’t there,” Shin observes. “These tend to be very simple devices, but they have a full Linux  kernel with a full networking stack available to them. ”

Many IoT devices come equipped with what’s known as a “headless” browser, that is, lacking any user interface.  “Headless browsers are fully capable of making requests to a web server in a correct fashion,” Shin says. “So it’s very hard to distinguish an attacking agent versus a legitimate user.”

The way forward

Another aspect of how threat actors are becoming more sophisticated is their rising use of automation. The GitHub attackers, for instance, likely used automated web crawlers to seek out vulnerable memcache servers to take control of


“What’s happening is the attackers are scanning the Internet looking for their weapons. And they are also using automation to morph an attack once it is underway,” Shin says. “This allows them to adjust for what the defenders may be doing.”

There nothing stopping companies from assigning an in-house researcher to conduct much the same automated searches and thus find and address festering security holes before threat actors do.  “This means we must automate our defenses to be able to keep pace with what the attackers are doing today,” Shin says. “Manual defense is just not enough.”

Meanwhile, unpredictable geopolitical and global economy developments suggest that the frequency and sophistication of DDoS attacks will continue to intensify. In response, many leading vendors and government officials are pushing hard for more sharing of cybercrime intelligence.

“What we have to do is make community-based intelligence actionable,” Shin says. “Threat researchers can tell us where vulnerable memcache servers are all located, or where open DNS resolvers are being used for reflected amplification attacks, or what are the IP addresses of IoT devices being used in an IoT DDoS attack. The goal should be to channel all of this information into an actionable defense strategy of blocking the attacker before they can do damage.”

(Editor’s note: LW has supplied consulting services to Trend Micro)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: