I was tempted to post this article late in October, when Brian Krebs suffered with the DDoS attack on his website, or when the Mirai botnet attack on DynDNS was in full swing, but decided to wait it out until after the election, in case it turns out that the Dyn attack was a precursor to an attack to disrupt the elections. And as of today, it appears that it was not.
Up to this point, botnets required a collection of hundreds or thousands of infected computers under a command and control server run by the cyber attackers. What is different about Mirai, and its close cousin Bashlight, is that they are IoT botnets. That is, they work by infecting devices considered part of the Internet of Things, such as, cameras, routers, DSl and cable modems, wireless access points, DVRs and smart TVs, and other small Internet connected devices. These devices are usually running some version of the Linux operating system. Many of these devices are designed with little or no built-in security, and come with default user credentials. “Admin” and “password” are common, and lists of default passwords can be found on the Internet. People who buy these devices often leave the defaults in place, which makes it trivial for an IoT bot-herder to take over these devices.
Rounding up vulnerable IoT devices for these botnets is an automated process, where once a machine is infected, it scans the Internet looking for other devices that are also vulnerable. The attacking machine often tries the known default user and password for the attacked device, and gets right in without issue.
These botnets contain not hundreds or thousands, but hundreds of thousands of devices, and are capable of delivering an attack bandwidth of 300-600 GB of traffic. These are the largest attacks seen so far. A typical home or business Internet connection, by comparison, is 20-50 MB, or 12,000 times smaller. For example, if a six-lane highway is detoured to a two-lane road, traffic flow stops. If someone throws 600 GB of traffic at a server or network designed for 100 MB or 1 GB of throughput, you get the same result, the traffic congestion basically prevents use of the resource.
So what has happened so far?
- Noted cybersecurity security writer and researcher Brian Krebs had his website taken offline by a DDoS attack using Bashlight.
- DynDNS had first it’s east coast hub and then it’s west coast hub taken down by Mirai.
- This caused access problems for Twitter, PayPal, Netflix, Amazon, and a host of other customers of DynDNS.
- Hangzhou Xiongmai, a Chinese electronics firm that makes the cameras that were hijacked for this attack, issued the recall.
What can we do about this new threat?
- First, the companies who are building these devices need to take responsibility for building in a better security stack at the start. The engineers and programmers who design these devices always seem to be the last ones to get serious about security. This MUST change!
- For the owners of these tech toys (YOU!), if there is a software or firmware update for your device, install it now. These often contain belated security improvements left out by the manufacturer in the rush to market. (See bullet point above.)
- When deploying new IoT devices, look online for updates and patches to install before taking them live.
- Change the manufacturer defaults for both user name and password to something difficult to guess or brute-force.
- Disable remote management and remote access features if you don’t need them or use them.
- If remote access is necessary, then be sure to create a really tough-to-guess user name and password for the remote administrative account. You can put these credentials on a small label on the device or write it into the manual (that you save, right?), without compromising security except in the case of physical access.
- Learn how to use free network scanner such as nMap to look for unusual open ports and outbound connections.
If you are running a web site that is affected by an attack like these, here are a few tips for you, courtesy of WordFence Security.
- You may want to use different companies as your Primary and Secondary DNS servers to keep an attack like the one on DynDNS from making your site unavailable.
- Increase the Time-to-Live (TTL) duration from your DNS records. This means that when your DNS records a cached elsewhere, they will remain useful in the event of a DDoS on your name server provider. As long as a week, may be a good idea.
- Make sure you have current backups, in case you need to create a duplicate site in a hurry.
- Understand that fonts, stylesheets, and jQuery calls from your site to servers that are remote to your web server could be blocked under these circumstances.
- Ditto for features that involve social media integration. If Twitter or Facebook are down, these features will be broken on your site, too.
- Connections to your e-commerce credit card processor may be down, too.
Billions of these IoT devices will be connected to the Internet before the decade is out. I am not sure why every new technical advance comes with the same old security issues. Hey! Builders, creators, inventors – wake up! If you build it the bad guys will come too. Someone wants to hack your dream before you even have it. Let’s try to keep it from being so easy.
- Krebs on Security Hit with DDoS
- Krebs – Source Code For Mirai Released
- Naked Security – What Can We Do To Prevent Next Attack?
- WordFence article for webmasters.
- Tech Republic 5 Takeaways
- SiliconBeat Web Cams Recalled