Was IoT DDoS attack just a dry run for election day hijinks?

Internet of things influencing important things

clinton vs Trump poster illustration. Photo by Shutterstock/editorial use only

Comment The distributed denial of service attack that took down DNS provider Dyn, and with it access to a chunk of the internet, was one of the largest such assaults seen.

The attack exploited Internet of Things devices – notably webcams built by XiongMai Technologies. The gadgets had default login passwords that allowed them to be infected with the Mirai botnet malware, which commandeered the gizmos to overwhelm Dyn's servers.

The DDoS attack on the website of cyber-crime blogger Brian Krebs in September 2016 peaked at 665Gbps – nearly twice as big as any previously handled by Akamai, the web delivery firm that provided him with free security and site protection. Indeed it was so big that Akamai threw in the towel and Krebs’ site was taken offline. Since then Google has taken Krebs' website under its wing.

The attack on Dyn was twice as big – reportedly, more than 1TBps. In light of this, Dyn was broadly seen as dealing with the attack pretty well considering the truly massive scale of events. Dyn provides domain name services used by dozens of major clients from Amazon to Twitter and Netflix.

Register reader and commentator Nate Amsden said:

I wouldn't be surprised if it was even more than 1.2Tbps. Honestly as someone who has worked in the industry for almost 20 years (will say again been an enterprise dyn customer for 7 years and have run my own authoritative dns for 20) now it is hard for me to grasp that type of scale in attack form. That is over 1,000 times the size of my org's datacenter uplink to the internet.

The attack was claimed by New World Hackers, previously believed to have brought down sites run by the BBC, Donald Trump and NASA as well as Islamic State controlled websites and Twitter accounts. But the US Department of Homeland Security said it was not clear who was responsible but that investigations were continuing.

But even though this is one of the largest attacks seen to date, it has also raised fears that there is worse to come. The Mirai malware source code is now freely available for anyone to use to create massive botnets of vulnerable devices.

Infosec experts have long warned that IoT gadgets are a security nightmare. Consumer and business devices are often deployed with little or no consideration of security. Many of these IoT devices ship with a default password that is difficult or impossible to change; users do not bother to change the passwords even if they can do so, and are not prompted to do so by the device manufacturers. This leaves an open door for malware and hackers to slip through unnoticed.

Most non-PC devices such routers, modems, cellular modems, digital video recorders and IoT sensors are almost perfect weapons for attackers – they don’t typically run antivirus software; they don’t get updated regularly or can’t be updated; and they are often left switched on 24-hours a day.

Even if IoT devices are deployed with security in mind, checking the hundreds or even thousands of individual devices used in a factory or office environment control system is a daunting task.

Even competent home users may not bother to create a unique password for each individual webcam or sensor if they’re putting up eight or ten around their property.

There are various hints that last month's attack might have been just a test or practice run for an even more serious future attack.

DDoS specialist Corero claims it has found a new DDoS vector which has an amplification factor of up to 55x. The company has only seen short duration attacks against a handful of its customers exploiting LDAP – the Lightweight Directory Access Protocol. One recent attack reach 70Gbps in volume, we're told.

Easily infected IoT devices could be used to unleashed an LDAP-amplified attack on servers.

Dave Larson, chief technology officer at Corero Network Security, said: “This new vector may represent a substantial escalation in the already dangerous DDoS landscape, with potential for events that will make recent attacks that have been making headlines seem small by comparison...With attackers combining legacy techniques with new DDoS vectors and botnet capabilities, terabit-scale attacks could soon become a common reality and could significantly impact the availability of the Internet– at least degrading it in certain regions.”

Given the fevered and febrile atmosphere of the US presidential election, no one will be surprised if the next major assault is politically motivated.

In September, Newsweek was hit by a distributed denial of service attack after posting a story alleging Donald Trump secretly did business in Cuba a long time before the US trade embargo was lifted.

While Trump has encouraged Russian hackers to attack government systems, and the White House has publicly accused Putin’s government of hacking attacks designed to interfere with the US presidential election, it is no surprise that some observers are predicting an attack on election day.

Certainly last week’s attacks did seem rather randomly targeted, which is why some fear an attack during election day on November 8. This could take the form of an even larger DDoS attack to disrupt the exchange of information on the day, send a message to the American public, or happen just because some people like to see the world burn.

It could also be used to hype up misinformation that voting and tallying systems have been hacked. Given that Trump has already made repeated claims that the ballot will be fixed, a successful hack doesn’t need to be a hack at all – just enough to sow seeds of doubt. Perhaps a massive November 8 DDoS attack will do just that. ®


Biting the hand that feeds IT © 1998–2017