How was the Internet of Things able to take down the Internet with a DDoS?

DDoS from IoT Devices On October 21st, a large number of websites, including some of the biggest names, were knocked off the Internet by a massive distributed denial-of-service (DDoS) attack. A DDoS attack occurs when thousands to millions of devices send traffic to a target, completely overloading its servers or Internet connection.

The recent attack targeted a company called DYN, a DNS service provider for thousands of companies. DNS translates the name of an Internet host like and converts it to an IP address like Your computer then uses this to do the actual communicating. By disrupting DYN, the attackers prevented this translation from happing for the companies DYN supports, making them unreachable for many users.

To cause this disruption, the attackers sent a staggering 1.2 Tbps (trillion bits per second) of data. Typical home Internet might max out at 15 Mbps (million bits per second). Therefore, this would be equivalent to 80,000 home connections simultaneously sending everything they could to this one company. In fact, this attack utilized many more devices, sending only a smaller amount of data each to add up to that gigantic total.

Interestingly, the attack did not use compromised personal computers (typically the most common method), but rather compromised Internet of Things (IoT) devices. IoT devices include surveillance cameras, smart TVs, home routers, and smart thermostats. Most of these are designed with very weak security and often have built-in, hard to change default passwords. A malware tool called  Marai, recently released to the public as source code, was the technology behind exploiting these vulnerable devices. Anyone could have used Marai to create an enormous swarm of compromised devices, which could be launched against any target they pleased.

Unfortunately, there is very little incentive for the makers of IoT devices to create them using real security. So far, they have not been held responsible for damages, and neither they nor their users typically experience any direct harm from the attacks. ISPs also have some ability to detect and block attacking traffic and vulnerable devices, but only at significant cost and annoyance to their legitimate customers.

Because these devices have a relatively long shelf life, it may take years after the makers are finally forced, in one way or another, to secure the devices before we see any real benefits from the change.

[Updated 10/27 to improve clarity]

The Privacy Blog Podcast - Ep. 22

Standard Profile PictureWelcome to episode 22 of the Privacy Blog Podcast for July, 2014.In this episode I will talk about:

  • A recent revealed compromise of the Tor anonymity system
  • Why Canvas Fingerprinting both is and is not a big deal
  • The coming conflict between US searches and EU privacy
  • How even genealogy information can compromise your identity
  • An update on Chinese censorship
  • Why the security model of the web is hopelessly broken
  • Russia’s continuing crackdown on the Internet
  • and finally how Lightbulbs, among other things, can
  • compromise your network

You might be hacked through your lightbulbs

Broken smoking lightbulb

A vulnerability in LIFX WiFi enabled light bulbs allowed researchers at Context Information Security to control the lights and access information about the local network setup.

The whole “Internet of Things” trend is introducing all kinds of new vulnerabilities. Because these devices tend to be cheap, don’t feel like tech, and don’t expose much user interface, users are unlikely to secure, patch, or otherwise maintain them.

As these devices proliferate in our networks, we will be introducing ever more largely invisible vulnerabilities, usually without any thought to the consequences.

Security weakness found in WiFi enabled LED light bulb

Lance Cottrell is the Founder and Chief Scientist of Anonymizer. Follow me on Facebook, Twitter, and Google+.