All you need to know about the recent major DDoS attacks
A Distributed Denial of Service (DDoS) attack on DNS provider Dyn last week managed to disrupt an array of the internet’s biggest websites, including Spotify, Twitter and PayPal. The most interesting thing about this attack was that it was largely carried out using an Internet of Things (IoT) botnet called Mirai.
Mirai first came to public attention when it was used in a huge DDoS attack against the website of journalist Brian Krebs on September 20. It exploits the weak security of many IoT devices: it continuously scans for IoT devices that are accessible over the internet and protected by factory default or hardcoded user names and passwords. In a Security Response blog last month, Symantec published research indicating that default user names and passwords for IoT devices are often never changed. Mirai infects devices with malware that forces them to report to a central control server, turning them into bots that can be used in DDoS attacks.
Following the aforementioned Krebs attack, which was record-breaking at the time, Mirai was used in an attack on French hosting company OVH that peaked at 1 terabit per second. However, it was last week's attack on Dyn that brought a major part of the internet to a standstill and raised questions about how powerful these DDoS attacks could become in future.
In a blog following the attack, Dyn said it had "observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack." Upon further analysis, Dyn lowered that estimate.
Routers, DVRs, CCTV cameras and other 'smart' internet-connected appliances are at risk of being attacked. Webcams were the primary devices exploited in the Dyn attack while CCTV cameras are believed to have been the IoT device primarily utilized in the attack on OVH. These devices weren't protected by a firewall or router using NAT, which allowed them to be easily compromised. Additionally, many IoT devices take advantage of a feature known as Universal Plug and Play (UPnP) which opens a port on the router to allow them to be accessible from the internet. In fact, the Chinese electronics firm behind many of the webcams used in the attack on Dyn's services, XiongMai Technologies, issued a recall for many of its devices following the attack.
Poor security on many IoT devices makes them soft targets and attackers often pre-program their malware with commonly used default passwords. Processing power limitations and basic operating systems mean many IoT devices don’t have advanced security features. As they are designed to be plugged in and forgotten, owners often don’t apply security updates and it’s easy for an attack on such devices to go unnoticed.
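Because an infection can go unnoticed on the device itself, one network-side check is to look for the continuous scanning described above coming from your own devices. The following is an added example, not code from this article or from Symantec: it flags internal sources that contact many distinct hosts on telnet ports within a short window. The log format (timestamp, source, destination, destination port), the ports 23 and 2323, the thresholds and the sample records are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict, deque

# Assumption: TCP ports watched for scanning; the article names no port.
SCAN_PORTS = {23, 2323}

def find_scanners(lines, ports=SCAN_PORTS, window_s=60, min_targets=5):
    """Return {source_ip: peak distinct destinations contacted on `ports`
    within any `window_s`-second window} for sources reaching `min_targets`."""
    events = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, src, dst, dport = parts
        try:
            ts, dport = int(ts), int(dport)
        except ValueError:
            continue
        if dport in ports:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        window, seen, peak = deque(), Counter(), 0
        for ts, dst in evs:
            window.append((ts, dst))
            seen[dst] += 1
            # Drop events that have fallen out of the time window.
            while window[0][0] <= ts - window_s:
                _, old = window.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            peak = max(peak, len(seen))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

# Constructed sample: a camera (192.0.2.10) sweeping many hosts, a workstation
# (192.0.2.20) opening one telnet session, web traffic, and a malformed line.
SAMPLE = (
    [f"{1000 + i} 192.0.2.10 198.51.100.{i + 1} 23" for i in range(8)]
    + ["1003 192.0.2.20 198.51.100.50 23",
       "1004 192.0.2.30 203.0.113.5 443",
       "bad line"]
    # Repeated contact with a single host must not count as a sweep.
    + [f"{2000 + 30 * i} 192.0.2.40 198.51.100.9 2323" for i in range(10)]
)

if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE).items():
        print(f"{src}: {n} distinct telnet targets within 60s")
```

A device flagged this way should be taken offline, restarted and given new credentials before it is reconnected.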
Devices infected with Mirai can be cleaned by simply restarting them. However, due to constant scanning for devices by the botnet, vulnerable devices are re-infected within a matter of minutes of going back online unless the default credentials are changed. Symantec Security Response advises users to follow a few simple tips to protect their IoT device from becoming infected with malware.