A botnet of hijacked devices on the Internet of Things has overwhelmed one of the world’s premier providers of Distributed Denial of Service protection. The target of the attack was a popular blog managed by former Washington Post staffer Brian Krebs. His site, Krebs on Security, was under the protection of Akamai Technologies, a global leader in Content Delivery Network services.
But the massive scale of the attack, delivered by an army of up to one million compromised devices, forced Akamai to cancel Krebs’s protection. Even though Akamai was able to mitigate the onslaught, and did so for several days, the relentless nature of the attack was consuming too many of Akamai’s resources and proving too costly to defend against.
The attack was twice the size of anything Akamai had experienced before, with an unprecedented number of devices – anything from cameras to thermostats, fridges and light bulbs – delivering roughly 665Gbps of disruptive traffic to the company’s network. As yet, no one is certain who instigated the offensive, or how they managed to infect so many devices, but it is believed they may have exploited a 12-year-old vulnerability in OpenSSH to funnel malicious traffic through the IoT devices.
Andy Ellis, Akamai’s chief security officer, said it will take time to analyse the assault and develop a more effective response. Ellis noted that so many devices were employed that the perpetrator didn’t even need the common methods of magnifying an attack’s impact, such as reflection or amplification strategies. Instead, the traffic consisted entirely of legitimate HTTP requests.
The Internet of Things is forecast to host 21 billion devices by 2020, and the vast majority of IoT devices are relatively unprotected against hackers and cybercriminals. This means the potential scale of future botnet attacks is staggering. For example, researchers have demonstrated that malware can be wirelessly and surreptitiously uploaded to a Fitbit within 10 seconds. Imagine how easily a dedicated attacker could build a devastating Fitbit botnet.
To mitigate such attacks in the future, every enterprise will need to dramatically improve its network protection systems to cope with ultra-high-volume DDoS assaults.