Internet of Things Devices Used For Massive DDoS Attacks

Flickr-Lizard-Marc Dalmulder-CC Lic-large

Lizard Stresser, the “service” that came to fame on Christmas Day 2014 when it knocked Sony’s Playstation and Microsoft’s xBox web sites off line, has never gone away.  Now it has a new claim to fame.

The claimed purpose of the software was to allow web site owners to stress test their web sites under load, but suffice it to say, people found “other uses” for it – like taking Sony and Microsoft down on Christmas.

Some of the people who ran the original Lizard Stresser were arrested, but they had already open sourced the software, allowing for lots of copycats.

According to the security company Arbor Networks, which has been watching Lizard Stresser, there are now about 125 separate groups hosting a Lizard Stresser command and control server.  My guess is that 124 or more of them are run by hackers.

Which brings us to today.

Some of these “hosts” have discovered that the Internet of Things is a great place to run the Lizard Stresser client – the part that loads down your web site, if it wants to or if someone pays them to.

The code for the client is very simple and has been compiled for a variety of computers such as ARM, MIPS and X86 – in other words, your home computer or your baby monitor.

Or most any other Internet of Things device including your phone or tablet – where you pay for the bandwidth that you use.

Why use IoT devices?  It is pretty simple.

An IoT device is a general purpose computer – really no different than your phone, laptop or tablet – usually running some variant of Linux – hence a well known operating system and has access to all of your bandwidth.  The operating is completely stripped down to run on the small processor with little memory and probably no disk, so it has no security features. And, likely, no one is looking at it.

Who installs anti-malware software on their baby monitor (NOTE:  Replace baby monitor with ANY IoT device)?  Who regularly logs in to (as opposed to just looking at your baby) their baby monitor to see what processes are running?  Who manages the bandwidth being used by that baby monitor?  Who locks it down to talking to two IP addresses (like your phone and your partner’s phone)?

If the attacker is careful, they can keep the CPU utilization below a threshold that would stop the IoT device from working and not completely clog up your entire bandwidth – hence likely run completely undetected for a very long time.

Likely it is attacking something on the other side of the world.  When it is the middle of the night where the IoT device is, it is the middle of the day where the site that you want to take down is. And vice versa.  Middle of the night equals no one may care if the IoT device is sluggish.

Right now the version of Stresser that Arbor is looking at tries default userids (like ROOT, ADMIN, USER, LOGIN and GUEST) and default passwords (like ROOT, ADMIN, 1234, 123456 and PASSWORD).

These userids and passwords are compiled into the program, so if you want to change that list, get out an editor, change it and recompile.  This is no problem for anyone other than the most basic hacker kid in his or her parent’s basement.

Right now the code that Arbor is looking at uses just a handful of attack methods and they have seen attacks that generate close to 400 gigabits of traffic per second.  But they do dynamically switch from method to method quickly.

Depending on the pricing model of the attackers – or if they are using it themselves to extort money  – it could run for hours or days, taking your website offline for that long.

What is the impact of your web site being down for a day or a couple of days?  The impact on Sony and Microsoft was pretty large.  What about your web site?

The scary part is that Stresser CURRENTLY does not use any amplification attacks (see here for definition of amplification attack).  Amplification attacks are really scary because they might use 1 megabit of a IoT device’s bandwidth and create 100 megabits of traffic for the site that they are attacking.

So if you think that 400 gigabits of attack would take down any web site other than the very largest ones, what happens if Stresser is modified and it can now generate 4,000 gigabits or 4 terabits – what does that mean for your web site?  What if it can generate 40 terabits and the traffic is coming from all over the Internet?

You get the idea.

Until the Internet of Things vendors decide that they need to spend money fixing their security – which likely will require bad publicity or large legal judgments or bo th, they have no incentive to fix it.

And this is merely the tip of the iceberg.  Give the hackers a couple of years.  They are just getting started.  And THAT is really scary.



Image of lizard used under Creative Commons license  from Flickr by Marc Dalmulder.

Information for this post came from Arbor Networks.

Leave a Reply

Your email address will not be published.