The Privacy Blog: Privacy, Security, Cryptography, and Anonymity

Oct 24, 2016

How was the Internet of Things able to take down the Internet with a DDoS?

DDoS from IoT Devices

On October 21st, a large number of websites, including some of the biggest names, were knocked off the Internet by a massive distributed denial-of-service (DDoS) attack. A DDoS attack occurs when thousands to millions of devices send traffic to a target, completely overloading its servers or Internet connection.

The recent attack targeted a company called DYN, a DNS service provider for thousands of companies. DNS translates the name of an Internet host, like theprivacyblog.com, into an IP address, like 52.204.10.149. Your computer then uses this address to do the actual communicating. By disrupting DYN, the attackers prevented this translation from happening for the companies DYN supports, making them unreachable for many users.

To cause this disruption, the attackers sent a staggering 1.2 Tbps (trillion bits per second) of data. Typical home Internet might max out at 15 Mbps (million bits per second). Therefore, this would be equivalent to 80,000 home connections simultaneously sending everything they could to this one company. In fact, this attack utilized many more devices, sending only a smaller amount of data each to add up to that gigantic total.

Interestingly, the attack did not use compromised personal computers (typically the most common method), but rather compromised Internet of Things (IoT) devices. IoT devices include surveillance cameras, smart TVs, home routers, and smart thermostats. Most of these are designed with very weak security and often have built-in, hard-to-change default passwords. A malware tool called Mirai, recently released to the public as source code, was the technology behind exploiting these vulnerable devices. Anyone could have used Mirai to create an enormous swarm of compromised devices, which could be launched against any target they pleased.

Unfortunately, there is very little incentive for the makers of IoT devices to create them using real security. So far, they have not been held responsible for damages, and neither they nor their users typically experience any direct harm from the attacks. ISPs also have some ability to detect and block attacking traffic and vulnerable devices, but only at significant cost and annoyance to their legitimate customers.

Because these devices have a relatively long shelf life, it may take years after the makers are finally forced, in one way or another, to secure the devices before we see any real benefits from the change.

[Updated 10/27 to improve clarity]

· · ·

2 comments

  • Jeff · November 15, 2016 at 6:07 am

    For a number of years in the past, but not at present, a paying subscriber to Anonymizer, I am using this path of communication, since I cannot communicate with Anonymizer without having a subscription.

    Online reviews of VPN services, for example the current one (dated Nov. 9) in PC Magazine, do not seem to mention Anonymizer. Why? It seems to have been around forever, I was happy enough with it, and may subscribe again.

    http://www.pcmag.com/article2/0,2817,2403388,00.asp#disqus_thread

    The PC Magazine article compares 10 services without even mentioning Anonymizer.

    Another website, https://www.10bestvpns.com/, features a pop-up “VPN Expert” on chat. I chatted with two different “experts” last night and this morning. Each claimed never to have used, seen reviews of, or even heard of Anonymizer. A likely story. I think they’re just flogging any VPN service that pays them.

    But, what’s the story?


  • Jay Averitt · October 23, 2017 at 6:39 am

    It is amazing that this was taken care of by using compromised IoT devices. As I flipped through my Williams-Sonoma catalog the other day, I found grills, toaster ovens, and other things where I was completely unclear how IoT would provide a benefit. It certainly seems like the risks would outweigh the marginal benefit on many of these devices.

