This blog monitors and reports on broadband policy and marketplace developments in the UK, Europe and worldwide that are likely to be of interest to the Janet community. Posts here may also reference my Broadband Policy Watch blog and you can also find me on Twitter.

Cyber security update October 2016 part 2: Distributed denial of service (DDoS) developments

Friday, October 28, 2016 - 14:12

Last month Network World reported that a botnet of hijacked Internet of Things (IoT) devices had been used in the largest DDoS attack seen at the time, delivering 665Gbit/s of traffic against the Krebs on Security blog. Network World later praised Akamai for sharing information about the attack. Forbes also provided commentary on the attack and on the importance of improved IoT security, while Computing and BBC News subsequently reported on a larger attack still: more than one terabit per second was directed at web hosting company OVH, again from compromised IoT devices.

Also last month, new research by Symantec showed that cybercriminal networks are taking advantage of poor IoT device security to spread malware and to carry out DDoS attacks: “Most IoT malware targets non-PC embedded devices such as web servers, routers, modems, network attached storage (NAS) devices, closed-circuit television (CCTV) systems, and industrial control systems. Many are Internet-accessible but, because of their operating system and processing power limitations, they may not include any advanced security features.”

Jisc’s Andrew Cormack has published this advice on Janet and the Internet of Things. There have been significant further developments this month:

  • BBC News reported that the "Mirai" source code used in the attack on the Krebs on Security blog had been released online. US-CERT published an alert highlighting the increased risk of DDoS attacks as a result; also see the UK National Cyber Security Centre’s weekly threat alerts for 10th October and 24th October.
  • In the wake of the attack on the Krebs on Security blog, Ars Technica reported the ease with which the average digital video recorder (DVR) can be hacked for use in such attacks. Computer Weekly, Network World, ZDnet and TechWeekEurope all reported on the growing threat posed by the security vulnerabilities of IoT devices. Network World also reported that, based on the increasing volume and complexity being observed, a massive DDoS attack could potentially disable portions, or even all, of the internet for some period of time. It also offered some analysis of the Mirai source code and reported on an increase in activity by new IoT botnets based on Mirai.
  • On 21st October DDoS attacks struck DNS service provider Dyn, affecting access to sites and services including Twitter, PayPal, Spotify, Reddit and others. See coverage from Reuters, BBC News, Ars Technica, Network World, Krebs on Security (more here) and ZDnet (more here). The US Department of Homeland Security subsequently published a statement on the attack, as did Dyn (also see this update): the attacks came in two waves, with an attempted third wave being successfully mitigated. One source of the attack traffic was devices infected with the Mirai malware.
  • Subsequent analysis again focussed on how hacked IoT devices had been used in the attack: see coverage from the Guardian, BBC News, ZDnet, Computing, CCS Insight and Network World. Researchers investigating the attack linked it to a network of devices made by the Chinese company XiongMai Technologies (again, see Network World); BBC News reported that the company has issued a recall for its webcams in the US.
  • Stanford cybersecurity expert Herb Lin suggested that such attacks pose a policy dilemma: while security weaknesses in the Internet of Things clearly need to be addressed, stricter security requirements could slow innovation, cost more and be difficult to enforce.
  • Internet security research firm Flashpoint assessed “with a moderate degree of confidence that the perpetrators behind this attack are most likely not politically motivated, and most likely not nation-state actors…The technical and social indicators of this attack align more closely with attacks from the Hackforums community than the other type of actors that may be involved, such as higher-tier criminal actors, hacktivists, nation-states, and terrorist groups.”