Recently, Brian Krebs (KrebsOnSecurity.com) was hit with a massive denial of service attack. The site went down, hard, and stayed down for days. Akamai, which had been shielding the site from DDoS traffic free of charge, dropped him, permanently. The attack threw over 600 gigabits per second of traffic at the site. Very few web sites could withstand an attack of that size.
Shortly afterwards there was another denial of service attack, this time against the French web hosting provider OVH, that peaked at over 1 terabit per second. OVH was apparently able to absorb it, but these two attacks should be a warning to everyone.
Both attacks were launched from the Mirai botnet, which is built from hundreds of thousands (by some estimates millions) of compromised Internet of Things devices. Its author then released the source code, saying that he wants to get out of the business.
By that author's own account, Mirai used to control around 380,000 devices every day; since some ISPs started cleaning up infected customers, the number is down to about 300,000 a day.
There are several reasons why the Internet of Things presents a new problem.
The first problem is patching. When did you last patch your refrigerator? Or your TV? I thought so. After ten years of berating users, desktops and laptops are patched regularly. Phones are patched less regularly. Internet of Things devices are patched almost never.
The second problem is numbers. Depending on whom you believe, billions of new IoT devices will come online over the next few years, ranging from light bulbs to baby monitors to refrigerators. Manufacturers are in such a hurry to get products to market, and face so little liability for poor security, that they have no real incentive to worry about it.
Brian Krebs, in a recent post, examined the Mirai source and found 68 username and password pairs hardcoded into this "first generation" IoT malware; these are the factory-default credentials it uses to log into devices over telnet. For about 30 of them, he has tied the credentials to specific manufacturers.
This means that with a handful of hardcoded userids and passwords, and without exploiting a single software vulnerability, Mirai was able to take over at least hundreds of thousands of IoT devices.
How many IoT devices could a second- or third-generation version of that malware control?
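One practical consequence of that credential list is that the infection is visible on the network before any DDoS traffic starts: an infected device spends its time opening telnet connections (TCP ports 23 and 2323) to large numbers of random addresses, trying those default logins. The script below is an added example, not code from the original post or from Krebs's analysis, that flags that behaviour in firewall-style connection logs. The log format (timestamp, source IP and port, destination IP and port, protocol), the sample lines and the thresholds are all my own assumptions, constructed for illustration.

```python
"""Flag hosts that behave like a Mirai-style telnet scanner.

Added example (not from the original post). Reads connection-log lines in an
assumed format, "<ISO timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>",
and reports any source that reaches many distinct destinations on TCP 23/2323
inside a short window. A legitimate admin talks telnet to one box now and then;
an infected device sprays logins at hundreds of random addresses per minute.
"""
from collections import defaultdict
from datetime import datetime

# Ports the Mirai scanner probes for telnet logins.
TELNET_PORTS = {23, 2323}

# Constructed sample lines (not real traffic). 203.0.113.5 plays the infected
# device, 192.0.2.7 an administrator, 192.0.2.9 an ordinary web client.
SAMPLE_LOG = """\
2016-09-21T10:00:00 203.0.113.5 41230 198.51.100.10 23 tcp
2016-09-21T10:00:01 203.0.113.5 41231 198.51.100.11 2323 tcp
2016-09-21T10:00:02 203.0.113.5 41232 198.51.100.12 23 tcp
2016-09-21T10:00:03 203.0.113.5 41233 198.51.100.13 23 tcp
2016-09-21T10:00:04 203.0.113.5 41234 198.51.100.14 2323 tcp
2016-09-21T10:00:05 203.0.113.5 41235 198.51.100.15 23 tcp
2016-09-21T10:00:06 203.0.113.5 41236 198.51.100.16 23 tcp
2016-09-21T10:00:07 203.0.113.5 41237 198.51.100.17 23 tcp
2016-09-21T10:00:08 203.0.113.5 41238 198.51.100.18 2323 tcp
2016-09-21T10:00:09 203.0.113.5 41239 198.51.100.19 23 tcp
2016-09-21T10:00:10 203.0.113.5 41240 198.51.100.20 23 tcp
2016-09-21T10:00:11 203.0.113.5 41241 198.51.100.21 23 tcp
2016-09-21T10:00:30 192.0.2.7 50001 198.51.100.10 23 tcp
2016-09-21T10:05:00 192.0.2.7 50002 198.51.100.10 23 tcp
2016-09-21T10:09:00 192.0.2.7 50003 198.51.100.10 23 tcp
2016-09-21T10:00:40 192.0.2.9 50100 198.51.100.30 80 tcp
2016-09-21T10:00:41 192.0.2.9 50101 198.51.100.31 80 tcp
2016-09-21T10:00:42 192.0.2.9 50102 198.51.100.32 80 tcp
"""


def parse_line(line):
    """Parse one log line into (timestamp, src_ip, dst_ip, dst_port).

    Returns None for malformed lines or non-TCP records so that a noisy log
    does not abort the whole run.
    """
    parts = line.split()
    if len(parts) != 6:
        return None
    ts_text, src, _sport, dst, dport_text, proto = parts
    try:
        ts = datetime.fromisoformat(ts_text)
        dport = int(dport_text)
    except ValueError:
        return None
    if proto != "tcp":
        return None
    return ts, src, dst, dport


def find_telnet_scanners(lines, window_seconds=60, min_distinct_dsts=10):
    """Return {src_ip: distinct telnet targets} for sources that hit at least
    min_distinct_dsts different destinations on 23/2323 within window_seconds.

    The count reported is the largest seen in any window for that source.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        if dport in TELNET_PORTS:
            events[src].append((ts, dst))

    scanners = {}
    for src, evs in events.items():
        evs.sort()  # chronological order so each window starts at an event
        best = 0
        for i, (start, _) in enumerate(evs):
            seen = set()
            for ts, dst in evs[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(dst)
            best = max(best, len(seen))
        if best >= min_distinct_dsts:
            scanners[src] = best
    return scanners


if __name__ == "__main__":
    for src, n in find_telnet_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct telnet targets inside one 60 s window")
```

Counting distinct destinations rather than raw connection attempts is what separates the scanner from the administrator: 192.0.2.7 opens three telnet sessions but to a single host and is left alone, while 203.0.113.5 reaches 12 different hosts in 12 seconds and is reported. The thresholds are assumptions; on a real network you would tune them against a baseline, but an outbound telnet fan-out like this from a camera or DVR is almost never legitimate.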
The third problem is the magnitude of these attacks. DDoS mitigation services such as Cloudflare and Akamai have been able to absorb attacks in the 500 gigabit per second range, but if DDoS attacks keep growing and we are soon talking about multi-terabit attacks, how much bandwidth will these providers have to buy to keep up with the arms race? The cost of bandwidth is coming down, but the size of attacks may be going up faster.
Lastly, the ISPs, the providers that deliver the Internet connection to your home or office, are not stepping up to the plate quickly enough to stamp out these attacks.
ISPs may become more motivated once the rogue IoT devices spewing DDoS traffic force them to buy more bandwidth to keep their customers happy.
Of course, like Brian Krebs, if your company winds up as the target of one of these attacks, your ISP or DDoS-mitigation provider is likely to drop you like a hot potato, and equally likely will not let you back on after the attack is over.
If being connected to the Internet is important to your business, and it is for most companies, you should have a disaster plan.
The good news is that if your servers run out of a data center, that data center probably has several Internet Service Providers available, and you should be able to buy service from a different provider in the same data center within a few days to a week. Of course, your servers will be dark, down, offline, in the meantime. Think about what that means to your business.
For your office, things are a lot dicier. Many office buildings have only a single service provider, often the local phone company. Some also have a cable TV provider in the building, and some of those offer Internet service, but my experience is that switching to a new Internet provider in your office can take several weeks, and that may be optimistic.
Having a good, tested disaster recovery plan in place sounds like a really good idea right about now.
Information for this post came from PC World.
The Brian Krebs post can be read here.