The Internet Of Poorly Secured Things Is Fueling Unprecedented, Massive New DDoS Attacks
from the build-it-poorly-and-they-will-come dept
Last week, an absolutely mammoth distributed denial of service (DDoS) attack brought down the website of security researcher Brian Krebs. His website, hosted by Akamai pro bono, was pulled offline after it was inundated with 620Gbps of malicious traffic, nearly double the size of the biggest attack Akamai (which tracks such things via their quarterly state of the internet report) has ever recorded. Krebs was ultimately able to get his website back online after Google stepped in to provide DDoS mitigation through its Project Shield service.
According to Krebs, the attack came, he believes, after he began digging more deeply into various gangs that deliver DDoS attacks on-demand. And according to Krebs, this time they had the help of the hystercially piss poor security of the internet of things (IoT) industry:
“There are some indications that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called ?Internet of Things,? (IoT) devices ? routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords.”
So not only are “smart” refrigerators, TVs, tea kettles and power outlets leaking your unencrypted data to any nitwit with a modicum of technical knowledge, they’re being utilized to amplify existing attacks on security researchers who are actually trying to make things better. The attack comes directly on the heels of Bruce Schneier warning us the check is about to come due — after IoT companies and evangelists that prioritized hype and sales over security fundamentals helped introduce millions of new network attack vectors into the wild over the last five years or so.
In a recent blog post, Schneier also noted that these larger DDoS attacks come as multiple groups and individuals (likely nation state sponsored hackers) have begun probing for vulnerabilities on an unprecedented scale:
“Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.”
And they’re finding, as many have warned, millions of poorly secured Internet of Things “smart” devices with stupid default passwords — or in many instances no security at all. In most instances the buyers of these products are utterly clueless of their participation in these botnets, and very frequently these devices don’t give the end user transparent end control over what’s being sent over the network anyway.
In a follow-up blog post by Krebs, he makes it clear that in addition to being immensely dangerous (potentially fatal if the right systems are targeted), these larger scale DDoS attacks propped up by the IoT should also be seen as a growing assault on free speech. After all, few independent journalists would be able to afford the kind of DDoS mitigation technologies necessary to truly stop these new, larger attacks:
“In an interview with The Boston Globe, Akamai executives said the attack ? if sustained ? likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.
For a country that likes to talk a lot about cybersecurity (mostly to justify awful government policy like backdoors that make us less secure than ever), the United States isn’t doing all that much to mitigate the looming threat. Much like Schneier, Krebs calls for a more coordinated effort by industry and government to wake up and begin greater institutional-grade collaborative efforts to shore up our collective security before things spiral out of control:
“I don?t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections.”
And it probably goes without saying that this threat looms as we ponder electing two of the least technically sophisticated Presidential candidates in recent memory. These are two researchers who aren’t prone to hyperbole, so it seems like we might just want to take their advice before the Internet of Things devolves from a running gag into a potentially fatal shitshow.
Filed Under: brian krebs, ddos, iot, security
Companies: akamai
Comments on “The Internet Of Poorly Secured Things Is Fueling Unprecedented, Massive New DDoS Attacks”
Gentlemen, start your firewalls!
It seems like the best way to stop attacks like these is for the major home ISPs to block pings, or ICMP in general.
It’s sad its come to that.
Re: Gentlemen, start your firewalls!
It seems to me that the best thing you can do is to block outbound connections by default and liberate only what should be going out and through specific channels. I’ve read it’s more effective than trying to block what goes in and it makes sense in some ways. Specially if your things or the OS are the talkative types.
Re: Re: Gentlemen, start your firewalls!
Good in theory, but we are talking about ISP’s .. Not very likely that Comcast is going to manage outbound firewall rules for its millions of customers
Re: Re: Re: Gentlemen, start your firewalls!
I was talking about local settings (ie: your own router) but even in the ISP level there is something that can be done about traffic patterns. I mean, if you see a huge spike of interest towards a certain source that is sustained then something is wrong and you can act to stop it from your end too. As Krebs said, it would need to be a coordinated effort that won’t generate any profits so it will only happen when the losses are greater than the cost of the effort.
Re: Re: Re:2 Gentlemen, start your firewalls!
That’s not likely to be all that possible with IPv6 and IPv6 is likely to be even more required with IoT. Getting an IPv6 enabled router to filter your own devices properly right now is technically challenging even with things like OpenWRT, much less the crap software that’s typically installed on a home router. Full statefull IPv6 connections with firewalls are tough on things like VoIP and require some finesse.
Until these things become more accessible (i.e. automated), it’s an issue for the average Joe.
Re: Gentlemen, start your firewalls!
Large DDoSes like this are often DNS reflection or NTP reflection. Blocking ICMP will not help
Re: Re: Gentlemen, start your firewalls!
Exactly, there are multiple ways to perform a DDOS attack.
Re: Re: Gentlemen, start your firewalls!
If you read what Krebs wrote after the attacks you’ll see it wasn’t any technique like that. The attack came directly from thousands of devices, mostly DVRs and IP cameras. Even harder to fend off by himself.
Re: Re: Gentlemen, start your firewalls!
That may be, but –
How would an unhacked IOT device have anything to do with changes to DNS or NTP unless it was designed to be a hacker tool to begin with?
Re: Gentlemen, start your firewalls!
How would stopping ICMP help? The attackers could just switch to using TCP port 80 or 443–nobody’s going to block that, and it would use more CPU. And actually, if you compromise some large ad networks or web sites, you could have a ton of clients make lots of “normal” web requests to your target.
It's all an attitude problem.
To paraphrase a quotation from an earlier event where warnings were given and ignored:
“God himself couldn’t sink this internet!”
“Krebs was ultimately able to get his website back online after Google stepped in to provide DDoS mitigation through its Project Shield service.”
“Akamai would cost between $150,000 and $200,000 per year.”
Damn that free speech hating Google.
Whatever’s head is going to explode.
This is why self-driving cars must be banned
We’ve already seen massive security holes in automobile computer systems — some of them so large that the automobile computer system IS the security hole. We’ve also seen that the manufacturers’ response to this is denial, stonewalling, retaliation, censorship, litigation, etc. At no point has there been the slightest indication that any of them actually want to seriously address the problem.
Which means that every car coming off the assembly lines, as well as all the ones that already have, is a bot waiting to happen. And self-driving cars aren’t magically exempt from this.
As I’ve so often said, if someone else can run arbitrary code on your computer, it’s not your computer any more. When that computer is a laptop sending spam, this is annoying. When that computer is managing a multi-thousand pound vehicle moving at 65MPH in traffic, it’s a catastrophe.
Re: This is why self-driving cars must be banned
Maybe we should ban mechanical cars too. There are plenty of ways to sabotage those as well.
However, with self driving, the blame can go squarely on the manufacturers which will bring an inherently similar problem. That is MFG claiming that their tech must be proprietary to protect it, which is a load of shit but so are politicians. And when you put two loads of shit together you get a couple of somethings in competition to stink to higher heavens.
Re: Re: This is why self-driving cars must be banned
Maybe we should ban mechanical cars too. There are plenty of ways to sabotage those as well.
Tell me about the ways that they can be sabotaged without ever coming into physical contact with them.
Tell me about the ways that they can be sabotaged in milliseconds.
Tell me about the way that they can be sabotaged without being detected by competent mechanics or even expert mechanics.
Tell me about the ways that they can be sabotaged while passing by at 65 MPH.
Tell me about the ways that they can be sabotaged en masse.
Tell me about the ways that they can be used to sabotage other cars.
Tell me about the ways that they can be placed under remote control individually or as a group.
Re: Re: Re: This is why self-driving cars must be banned
You seem to have a bit of an arbitrary set of guidelines for when something becomes too dangerous to be manufactured and sold.
Is it that something must satisfy all or just one of these?
I’m pretty sure a spike strip on the highway at night would handle most of these on any traditional car.
Banning something outright because we can come up with scenarios that “make it dangerous” would have prevented the wheel from being used. While there are certainly security issues to be fixed with self-driving cars – and these are a big problem – they are currently safer than human driven cars and getting safer every day.
Oh, and self-driving cars don’t need to have critical systems hooked to the internet.
Re: Re: Re:2 This is why self-driving cars must be banned
I think you’re both being obtuse, TBH.
You’re deliberately ignoring the huge difference of scale between sabotaging traditional cars and internet-connected ones, and the serious warning signs that these vulnerabilities are being ignored and security treated as an afterthought.
He’s ignoring that these issues exist in all internet-connected cars, not just self-driving ones, and proposing an unrealistic and excessive solution to a(n admittedly real and serious) problem.
What we actually need is for auto companies to start taking security seriously. Unfortunately, for that to happen will require either sensible regulation or market incentives. What’s unfortunate about that is that we don’t have a Congress that has the knowledge or the inclination to pass sensible regulations, and “market incentives” here mean people start dying, because I’m very much afraid that’s what it’s going to take before auto makers’ profits are impacted enough for them to start prioritizing security.
Re: Re: Re:2 This is why self-driving cars must be banned
I think what you’re missing is that there are fundamental differences of scale in play here. Sure, a single car can have its brakes sabotaged, but that takes time, is hard to do competently, may be detected, and affects only that car.
A security vulnerability in a self-driving car means that (at least) all those of the same make/model are vulnerable simultaneously.
Don’t picture one car going out of control. Picture every single one of that make/model on the highways within 15 miles of a city center being taken over during evening rush hour — and turned into a directed precision-guided kinetic weapon. Now picture it happening in two cities, or twenty.
The risks are incredibly higher for self-driving cars. (They’re not nonzero for non-self-driving cars carrying sophisticated computer systems, by the way, but those would be harder to commandeer. Self-driving cars are DESIGNED to be driven via automation.)
And on September 27, 2016, there is absolutely no sign whatsoever that auto makers are paying the slightest attention to the myriad security issues out there — well, other than by trying to silence the researchers who found them, denying them, and lobbying Congress to make sure that it stays just as ineffectual as it has to date.
It will probably take a horrible incident like the hypothetical I posed above to spur action on this. It will be too late, MUCH too late by then, of course: you can’t retrofit security. Not really. Not effectively. It has to be designed-in from the whiteboard stage. And we’re already well past that. But there will be the usual calls for Something To Be Done and it will be: badly.
Maybe I’m wrong. I hope I’m wrong. But I doubt it.
Re: Re: Re:3 This is why self-driving cars must be banned
That’s not entirely accurate; Tesla was pretty quick in pushing out an update recently when researchers demonstrated a way to remotely engage brakes.
But (1) that’s technically not a self-driving car and (2) that could very well be a reaction to the scrutiny Tesla’s Autopilot feature has gotten over the past few months since there have been a couple of fatalities.
Re: Re: Re:3 This is why self-driving cars must be banned
Certainly there is concern, and I think we need to get auto manufacturers to put security at the top of the list rather than the bottom, but humans are susceptible to a number of things that could cause all kinds of highway havoc.
A blinding light, an extremely loud sound, etc. Heck, a disabled car on the side of the highway causes traffic jams and collisions all the time these days. The idea that a hacker could cause all self-driving cars on a stretch of highway stop seeing obstacles is scary, but I’m not sure it would be any more difficult to do it to people than it is to do to an autonomous car.
Re: Re: Re:4 This is why self-driving cars must be banned
but humans are susceptible to a number of things that could cause all kinds of highway havoc.
Yes, BUT, and this is what you’re missing, the scale is limited. The most catastrophic human-caused traffic accidents — cascading highway pileups, usually in bad weather — are extremely localized and very limited. Figure a quarter mile and a hundred cars as a rough idea of the scale.
Now multiply that by dozens for one city. Now multiply that by dozens for multiple cities. Now factor in that it can be done again an hour (because nobody will be able to react quickly enough to stop it). Now factor in that it WON’T be an accident, that is, that it will be done deliberately: accelerators engaged, not brakes, and cars steered into each other, not away.
Think that’s far-fetched? Okay. Listen:
15 years ago, the only people people who envisioned the possibility of an enormous global network of bots were those who’d read John Brunner’s The Shockwave Rider and those who’d had some exposure to software worms. A few years later, there were over a hundred million. The scale of the problem became intractable in an alarmingly short time, and the only reason consequences haven’t been worse is that almost none of those systems have control over physical devices. But they’ve been bad enough: billions have been expended fighting them and yet they continue to do damage to Internet infrastructure.
We are now seeing the same thing happening with the IoT, because — apparently — people were too stupid, too lazy, too ignorant, and mostly too arrogant to learn from the last episode. This includes the people building self-driving cars, who are so full of self-admiration that they’re not considering what will happen if they succeed.
“We were so concerned with getting out that we never stopped to consider what we might be letting in, until it was too late.” — Leela Alexander
Re: Re: Re:3 This is why self-driving cars must be banned
Like everything else it depends on effort.
There are multiple ways to massively mess with mechanical devices, they are just not as practical as attacking an electronic device that was never given proper security to begin with. Look at the killdozer, he only needed to molest a single mechanical device to fuck with a lot of others. Are you going to say that because bulldozers can easily be converted into cheap but damn effective tanks should be outlawed as well?
Manufacturers these days cannot resist the call to keep their creations connected and compromised at all times. The plebs known as consumers are entirely ignorant of the risks and essentially do nothing about it. There are quite a few ways that electronics can be made to be remotely unhackable.
Re: Re: Re: This is why self-driving cars must be banned
How about using a B1 Lancer with a crapload of bomblets flying over a massive crowded highway?
Or just a couple of nukes?
I’m pretty sure either of those would satisfy most of those criteria 😉
Re: This is why self-driving cars must be banned
Disagree. There’s no need to ban those, you just need to do security properly. They will need input so keeping them offline might not be a good idea but you can prevent any remote modification to anything (ie: read only mode). I’m sure there are plenty of ways to do it right. There’s no need to ban them.
Re: Re: This is why self-driving cars must be banned
Theoretically, and on principal, there is no reason to ban them. (Or the non-self-driving equivalent trash that has been around for a while and getting only worse.) Realistically, practically, historically, no one is securing anything. They add vulnerabilities. Unnecessary ones at that. They add bugs.
Unless they are forced to treat IoT, cars and similar things especially, as military-grade in terms of hardening, not allowing unnecessary bundling of systems and limiting connectivity, with with a well coded and tested RTOS, well we are just waiting for worse things to happen. They always do. Rights and ideals or not, no innovation or market is going to cause these things to be fixed as they should be. It has not happened so far. Regulation is a crapshoot and then we have people discussing how much it hurts innovation with unnecessary burden. And it could make things worse. Or it could be entirely clueless.
I don’t have any suggestions other than what you have already pointed out. Only no one is going to do it.
My refrigerator had internet access, then I started finding pictures of nude washer-dryer sets and worse. Had to cut the connection entirely….
Re: Re:
Imagine if it had radicalized and joined ISIS…
Re: Re: Re:
We could end up in another cold war…
Smart Refrigerators?
Why would someone…
‘Smart’ appliances are expensive! Who the hell can afford one?! How could they even be such a problem!
Re: Smart Refrigerators?
I have a Smart capable water heater. I bought it for the 10 year warranty not the smart features. It needs an extra adapter to connect it up that I didn’t purchase. If I did, it was capable of setting up schedules that control the status and temp. You could optimize your water heater schedule and save money on power.
Re: Re: Smart Refrigerators?
You could optimize your water heater schedule and save money on power
Your data overages from your water heater running a DDoS attack might cost you more than you save.
Is 620 Gbit/s really that much?
620 Gbit/s is… 620 Google Fiber subscribers. Compromising a single apartment block could get you this kind of bandwidth (not really, with GPON being a shared medium, but a thousand people spread out could do it). Should we still be acting like this is a crazy amount of traffic?
The amount of bandwidth available to individuals also hints at a possible solution: peer-to-peer delivery. Krebs is publishing basically static content. He could attach a digital signature to each article and put it on BitTorrent. Realistically, we need to make something like this that’s more usable–built in to browsers, allows comments, doesn’t publically reveal who’s reading, etc. And BitTorrent isn’t great for tiny files. Still, it seems like something that would just need a bunch of hard work rather than years of research.
Seems like the best long-haul approach to resolving these kinds of problems is to sue the companies making these devices for enabling them to be used in DDOS attacks and other hacks, thereby collaborating with the attackers.
Re: Re:
I fear you may be right. Companies aren’t going to focus on security until security breaches start costing them more money than security developers.
Suing companies for security negligence is (like suing anybody) something of a crapshoot. But if it starts to happen often enough, and harm enough companies’ reputations, it could make a real difference.
Re: Re:
Well, first you have to prove doing so is either:
a) illegal;
b) an actionable tort.
If there is no law requiring them to secure them, then there is no illegal act.
To bring a tort action, you’d have to also prove that you HAVE been (not could oneday mighta sorta be) actually damaged.
JM Porup has an article at Ars called Unsafe at any clock speed: Linux kernel security needs a rethink; it’s something to chew on.
The cynic in me thinks this is exactly what those who are supposed to be protecting this want.
An excuse to pass more laws that restrict citizen rights in the name of protecting that which they intentionally left exposed.
Re: Re:
I’d apply Occam’s/Hanlon’s Razor here, rather than assume a conspiracy.
IoT devices are insecure because it’s cheaper and easier than making them secure. No need for any shady backroom scheming.
surpise on how often simple things are open
long while back. black ice firewall was still around. i stumble on a issue with their firewall software. tech sent me a link to a download on the site. when i click it. it went to ftp. so k i wonder around clicking folder etc. to my surprise their whole company server was on the ftp. so all doc,software etc. was easy to access. not password or user names. i was shock. so a took a image and sent a email to their tech support. on hey your whole company open to the web. they where very thankful on me letting them know
Re: surpise on how often simple things are open
“To anyone who is still stubborn enough to insist that BlackICE Defender is actually good for something: PLEASE do not write to me. I don’t want to hear it. I’m a scientist who will not find your mystic beliefs to be compelling. I respect your right to your own opinions, no matter how blatantly they fly in the face of logic and reality. That is, after all, the nature of faith. Happy computing. I suggest prayer.”
– Steve Gibson
Perspective
Just to put the sheer volume of this attack in perspective, this is 620 gigibits per second, not bytes. That’s 77.5 Gigabytes every single second.
Right now the movie with the largest number of seeds on TBP is the new Tarzan movie (counting only HD movies.) It is 1.69GB, which is fairly standard for HD Video torrents, and has 2424 seeds. Now, due to the way BitTorrent works, nearly all of those seeds do NOT have a full copy of the movie yet. Let’s go for a simple answer and say they all have 1GB of the movie downloaded thus far.
This attack uses the same amount of traffic as 77 of those seeders, but it uses it EVERY SECOND, which they certainly do not.
Now, dividing 2424 by 77 gives us 31 seconds. This means that every 31 seconds, this attack uses more bandwidth than the TOTAL used by ALL of the seeders on the most popular HD Movie torrent on TPB.
Assuming this torrent lasted for 30 minutes – which would make it a very short DDoS attack by most standards – that means that this attack used the same amount of bandwidth as 138,600 seeders would on a typical HD movie torrent.
Now…didn’t the MPAA say that a “majority” of traffic on the internet was caused by piracy?
Given that this attack alone used more bandwidth than the sum total of the first 2 pages of HD Movies on TPB COMBINED, can we declare that statement from the MPAA totally bogus yet?
Source: Common sense and a basic calculator.
Re: Perspective
Well obviously DDOS attacks are just another kind of piracy, where you steal the right of someone to use their system without being under digital-war. So, our statement still stands, and if anything we underestimated the numbers.
-The MPAA
Re: Perspective - krebs was a test
http://hothardware.com/news/latest-iot-ddos-attack-dwarfs-krebs-takedown-at-nearly-1-terabyte-per-second
Re: Perspective
Wait a minute, this doesn’t make any sense…
…people want to watch the new Tarzan movie?
Could we have an attack this election?
It’s a sad thing to hope for, but given how disliked the candidates are and how close the polling is I don’t think we’d loose much from it. And as the researchers suggested this might be what it takes to push industry to fix the security holes throughout in the Internet’s wiring, applications, & “Things”.
Besides all I want out of this election is chaos, and that would bring it while showcasing an important issue.
Im_not_JB's argument
It wouldn’t be TechDirt if they didn’t pattern match, “This has something to do with cybersecurity,” and reflexively imagine that it supports their position in one part of tech law. Unfortunately, since they have no bloody clue how tech law works, they picked the wrong part. They think this has something to do with laws concerning gov’t access to communications. That’s absurd. Instead, it actually fits very well into a different portion of tech law – the Rule 41 update! Of course, the problem is that these developments go against TechDirt’s position on that issue, so they can’t bring themselves to make the connection.
Massive networks of bots (whether traditional computers or IoT devices) are very dangerous tools; TechDirt at least acknowledges this (though, it takes “their guy” getting his ox gored for them to realize it). In order to go after these people, law enforcement may have to take actions which manifest on devices in many different jurisdictions. This can effectively kill their progress, because it requires a ton of manpower to actually go to every single district in the country and file redundant paperwork and get everything coordinated/approved on some semblance of a schedule so that they can go, ya know, do police work. Part of the Rule 41 update is to fix this problem. Now, they still have to go get a judge’s approval, but they don’t have to get 50 judges approvals for the same thing at the same time. Instead, they can take all the info to one judge (in a jurisdiction where a crime has been committed by said criminals), and he can approve a warrant for the botnet. He still needs suitable probable cause, and the warrant still needs a particularity requirement (i.e., they can’t just go rooting around in your computer looking for evidence of unrelated crimes).
Next time, when you’re reading the latest breathless TechDirt outrage word salad on Rule 41, remember this breathless TechDirt outrage word salad. Here, they’re crying, “Something must be done!” Later, when they see that something reasonable is being done, they’ll obstinately ignore any actual facts in order to whine that the government is doing things!
Is there an IOT pet rock?
Who has the money
Seriously. Who has the money to buy smart appliances, and what kind of jobs are you working? How did you get out of student debt?
Most of the people I know can barely afford to have a five year out of date smart phone and a seven year out of date laptop as their primary computing platforms. Leftovers from when they were in college.
Re: Who has the money
The advantage of a 7 year out of date laptop is you don’t have to have Windows 10.
Re: Re: Who has the money
Or just buy a laptop without Windows.
“… we ponder electing two of the least technically sophisticated Presidential candidates in recent memory.”
Have ANY of our Presidential candidates since Herbert Hoover been technically sophisticated? Sure, we’ve had Dr. Ben Carson and Dr. Ron Paul, but they’ve never come close to getting elected, and their field of expertise is medicine, not computer science.