
The Internet Of Poorly Secured Things Is Fueling Unprecedented, Massive New DDoS Attacks

from the build-it-poorly-and-they-will-come dept

Last week, an absolutely mammoth distributed denial of service (DDoS) attack brought down the website of security researcher Brian Krebs. His website, hosted by Akamai pro bono, was pulled offline after it was inundated with 620Gbps of malicious traffic, nearly double the size of the biggest attack Akamai (which tracks such things via their quarterly state of the internet report) has ever recorded. Krebs was ultimately able to get his website back online after Google stepped in to provide DDoS mitigation through its Project Shield service.

Krebs believes the attack came after he began digging more deeply into various gangs that deliver DDoS attacks on demand. And according to Krebs, this time they had the help of the hysterically piss poor security of the internet of things (IoT) industry:
"There are some indications that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords."
So not only are "smart" refrigerators, TVs, tea kettles and power outlets leaking your unencrypted data to any nitwit with a modicum of technical knowledge, they're being utilized to amplify existing attacks on security researchers who are actually trying to make things better. The attack comes directly on the heels of Bruce Schneier warning us the check is about to come due -- after IoT companies and evangelists that prioritized hype and sales over security fundamentals helped introduce millions of new network attack vectors into the wild over the last five years or so.

In a recent blog post, Schneier also noted that these larger DDoS attacks come as multiple groups and individuals (likely nation state sponsored hackers) have begun probing for vulnerabilities on an unprecedented scale:
"Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure."
And they're finding, as many have warned, millions of poorly secured Internet of Things "smart" devices with stupid default passwords -- or in many instances no security at all. In most instances the buyers of these products are utterly clueless about their participation in these botnets, and very frequently these devices don't give the end user transparent control over what's being sent over the network anyway.

In a follow-up blog post by Krebs, he makes it clear that in addition to being immensely dangerous (potentially fatal if the right systems are targeted), these larger scale DDoS attacks propped up by the IoT should also be seen as a growing assault on free speech. After all, few independent journalists would be able to afford the kind of DDoS mitigation technologies necessary to truly stop these new, larger attacks:
"In an interview with The Boston Globe, Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year."
For a country that likes to talk a lot about cybersecurity (mostly to justify awful government policy like backdoors that make us less secure than ever), the United States isn't doing all that much to mitigate the looming threat. Much like Schneier, Krebs calls for a more coordinated effort by industry and government to wake up and begin greater institutional-grade collaborative efforts to shore up our collective security before things spiral out of control:
"I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections."
And it probably goes without saying that this threat looms as we ponder electing two of the least technically sophisticated Presidential candidates in recent memory. Schneier and Krebs are two researchers who aren't prone to hyperbole, so it seems like we might just want to take their advice before the Internet of Things devolves from a running gag into a potentially fatal shitshow.

Filed Under: brian krebs, ddos, iot, security
Companies: akamai

Reader Comments

  1. Roger Strong, 27 Sep 2016 @ 12:07pm

    Re: surprise on how often simple things are open

    "To anyone who is still stubborn enough to insist that BlackICE Defender is actually good for something: PLEASE do not write to me. I don't want to hear it. I'm a scientist who will not find your mystic beliefs to be compelling. I respect your right to your own opinions, no matter how blatantly they fly in the face of logic and reality. That is, after all, the nature of faith. Happy computing. I suggest prayer."
    - Steve Gibson
