DDoS attacks got a power boost thanks to hundreds of thousands of insecure IoT devices
Sep 26, 2016
Security researchers have been warning for years that poor security for internet of things devices could have serious consequences. We're now seeing those warnings come true, with botnets made up of compromised IoT devices capable of launching distributed denial-of-service attacks of unprecedented scale.
Octave Klaba, the founder and CTO of French hosting firm OVH, sounded the alarm on Twitter last week when his company was hit with two concurrent DDoS attacks whose combined bandwidth reached almost 1 terabit per second. One of the two attacks peaked at 799Gbps alone, making it the largest ever reported.
According to Klaba, the attack targeted Minecraft servers hosted on OVH's network, and the source of the junk traffic was a botnet made up of 145,607 hacked digital video recorders and IP cameras.
With the ability to generate traffic of 1Mbps to 30Mbps from every single Internet Protocol (IP) address, this botnet is able to launch DDoS attacks that exceed 1.5Tbps, Klaba warned.
The OVH incident came after krebsonsecurity.com, cybersecurity journalist Brian Krebs' website, was the target of a record DDoS attack that flooded the site at a rate of 620Gbps. The attack eventually forced content delivery and DDoS mitigation provider Akamai to suspend its pro bono service to Krebs, pushing the site offline for several days.
According to Krebs, the attack was nearly twice the size of the largest attack Akamai had seen before, and would have cost the company millions of dollars if it had been allowed to continue.
"There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called 'Internet of Things,' (IoT) devices -- mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords," Krebs said in a blog post.
On Thursday, antivirus and security vendor Symantec published a report warning that insecure IoT devices are increasingly hijacked and used to launch DDoS attacks. The company has seen the number of cross-platform DDoS malware programs that can infect Linux-based systems soar in 2015 and continue this year. These threats are designed to run on Linux-based firmware for CPU architectures commonly used in embedded and IoT devices.
Symantec's data shows that most of these systems are not compromised through sophisticated or device-specific vulnerabilities, but through a lack of basic security controls. Attackers typically scan the internet for devices with open Telnet or SSH ports and try to log in with default administrative credentials. That is unfortunately all it takes today to build a large IoT botnet.
Over 100 DDoS botnets built using Linux malware for embedded devices
Default and hard-coded credentials have led to the compromise of thousands of Internet-of-Things devices
Jun 30, 2016
LizardStresser, the DDoS malware for Linux systems written by the infamous Lizard Squad attacker group, was used over the past year to create over 100 botnets, some built almost exclusively from compromised Internet-of-Things devices.
LizardStresser has two components: A client that runs on hacked Linux-based machines and a server used by attackers to control the clients. It can launch several types of distributed denial-of-service (DDoS) attacks, execute shell commands and propagate to other systems over the telnet protocol by trying default or hard-coded credentials.
The code for LizardStresser was published online in early 2015, giving less-skilled attackers an easy way to build new DDoS botnets of their own. The number of unique LizardStresser command-and-control servers has steadily increased since then, especially this year, reaching over 100 by June, according to researchers from DDoS mitigation provider Arbor Networks.
The DDoS bot is very versatile, with versions for the x86 CPU architecture as well as ARM and MIPS, which are commonly used in embedded devices.
IoT devices are perfect for DDoS bots, because they run some familiar variant of Linux, have limited resources so they don't have malware detection or advanced security features and, when they're connected directly to the Internet, they're typically not subjected to bandwidth limitations or firewall filtering.
The reuse of software and hardware components is very common in the IoT world as it simplifies and lowers the cost of development. Because of this, default credentials that were used to initially manage one device may later make their way into entirely different classes of devices, the Arbor Networks researchers said in a blog post.
IoT botnets can be very powerful. Arbor Networks investigated two of them that were used to launch attacks against banks, telecommunications companies and government organizations from Brazil, as well as three gaming companies from the U.S.
One of the attacks peaked at over 400Gbps and 90 percent of the hosts from which the malicious traffic originated responded over HTTP with a Web-based interface called NETSurveillance WEB.
"Doing some more research, the NETSurveillance WEB interface appears to be generic code used by a variety of Internet-accessible webcams," the Arbor Networks researchers said. "A default password for the root user is available online, and telnet is enabled by default."
This is not the first time that IoT botnets have been used to launch DDoS attacks. Researchers from Web security firm Sucuri just recently reported DDoS attacks launched from a botnet of over 25,000 CCTV cameras and digital video recorders.
LizardStresser is a DDoS botnet written in C and designed to run on Linux. The code consists of two halves – a client and server. The client is designed to run on compromised Linux machines which connect to a hardcoded C2 server. The protocol is essentially a lightweight version of IRC chat. Infected clients will connect to the server and receive commands, listed below.
The ability to launch a DDoS attack using a variety of attack methods:
HOLD – holds open TCP connections.
JUNK – send a random string of junk characters to a TCP port.
UDP – send a random string of junk characters to a UDP port.
TCP – repeatedly send TCP packets with the specified flags.
A mechanism to run arbitrary shell commands. Useful for downloading updated versions of LizardStresser with new C2s, or entirely different malware.
Propagation via telnet brute forcing. Clients connect to random IP addresses and attempt to login via telnet using a list of hard-coded usernames and passwords. Successful logins are reported back to the C2 for later assimilation into the botnet.
LizardStresser is extremely simple to compile and run. We’ve observed samples compiled for various architectures such as x86, ARM, and MIPS – the most common platforms for IoT devices.
More than half of IoT attacks originate from China & US
High numbers of attacks are also emanating from Germany, the Netherlands, Russia, Ukraine and Vietnam.
September 26, 2016
Cybersecurity firm Symantec’s Security Response team has discovered that cybercriminals are hijacking home networks and everyday consumer connected devices to help carry out distributed denial of service (DDoS) attacks on more profitable targets, usually large companies.
To succeed, they need cheap bandwidth and get it by stitching together a large web of consumer devices that are easy to infect because they lack sophisticated security.
More than half of all IoT attacks originate from China and the U.S., based on the location of the IP addresses used to launch malware attacks. High numbers of attacks are also emanating from Germany, the Netherlands, Russia, Ukraine and Vietnam. In some cases, the IP addresses may be proxies used by attackers to hide their true location.
Most IoT malware targets non-PC embedded devices such as web servers, routers, modems, network attached storage (NAS) devices, closed-circuit television (CCTV) systems, and industrial control systems. Many are Internet-accessible but, because of their operating system and processing power limitations, they may not include any advanced security features.
As attackers are now highly aware of insufficient IoT security, many pre-program their malware with commonly used and default passwords, allowing them to easily hijack IoT devices. Poor security on many IoT devices makes them easy targets, and often victims may not even know they have been infected.
DDoS is Commonplace
IoT devices are the latest minions in cyber weaponry toolkits
Hunting for IoT devices with default passwords
SSH brute force attack numbers and trends
Telnet brute force attack numbers and trends
Telnet brute force attack origin countries
Top 10 countries scanning
Telnet and SSH attacks by ASN
Why are Telnet attacks getting so popular?
Top 1000 ASNs launching SSH attacks
Top 1000 ASNs launching Telnet attacks
IoT Botnets DDoSing
IoT Botnets attacked multiple US state agencies
Android botnet DDoS attack
IoT DDoS Attacks Increasing
Where are the C & Cs? China, China, China
TCP Attack Abuse Warnings!