The Internet of Things (IoT) has undoubtedly been great news for users — adding connected smarts to everyday “dumb” products, ranging from thermostats to refrigerators to doorbells, to make them more useful than ever. Unfortunately, it has also been great news for cybercriminals. IoT devices have been a boon when it comes to enabling bad actors to carry out distributed denial of service (DDoS) botnet attacks of unprecedented size and ferocity.
Victims and targets without proper DDoS mitigation measures in place can suffer damage to customer loyalty and significant financial losses through the unwanted downtime of DDoS attacks.
Methodology of a DDoS attack
A DDoS attack is a cyberattack in which the attacker maliciously attempts to take down a website or online service by temporarily or indefinitely overloading it with traffic. Unfortunately, while extra traffic is normally a good thing, in the case of a DDoS botnet attack it does not come from legitimate human users, but rather from multiple computer systems that have been infected with malware which allows them to be remote-controlled by the person orchestrating the attack.
By sending enormous numbers of requests at once, a DDoS attack functions like a road traffic diversion that directs large numbers of vehicles down a road that’s not equipped to deal with them. Eventually everything just grinds to a halt. In probably the biggest DDoS attack to have taken place to date, code repository GitHub was targeted in February 2018 by an all-out assault that, at its peak, delivered 1.3 terabytes of traffic, sending 126.9 million packets of data every single second.
IoT devices have greatly added to the problem of potential DDoS botnet attacks by adding to the number of devices that can potentially be accessed and used in an attack — most often without their rightful owners even being aware of it. The size of the market for IoT devices has exploded in recent years in the commercial, industrial, infrastructure, military and a number of other sectors. It’s getting bigger all the time, too. The quantity of connected IoT devices worldwide in 2021 is predicted to reach 35 billion. By 2030, this figure could jump to 125 billion — meaning that every customer of IoT devices will own around 15 connected devices.
The problem of poor IoT security
The problem with IoT devices is that they can frequently have poor security, thereby making them ideal tools for DDoS botnets. Many IoT devices have inadequate password protection, frequently running on factory settings. They also have firmware that is easy to exploit, and no shortage of holes in their security systems when it comes to authentication and data transfer. Earlier in 2020, a hacker group (thought to be a provider of DDoS-for-hire attacks) published a list of credentials for upward of 515,000 servers, home routers, and IoT devices online. This list was made available on a popular hacking forum, and contained each device’s IP address, along with its username and password for Telnet, a remote access protocol that allows devices to be controlled over the internet.
Public awareness about the role IoT devices can play in devastating botnet attacks was raised in 2016 with the Mirai botnet. The Mirai malware turned networked devices running Linux into remote-controlled bots. It was largely made up of IoT smart devices like security cameras and routers. Mirai identified vulnerable devices by using a list of around 60 commonly used factory default usernames and passwords. It then remotely accessed them and infected them with malware. Owners of the devices in question were unlikely to notice anything aside from the occasional sluggishness of the device and increased bandwidth use.
However, when attacks were coordinated to bring together large numbers of these devices in botnet attacks, the impacts could be enormous — and incredibly far-reaching. The Mirai malware was used in several notable DDoS attacks, helping to temporarily knock offline some of the internet’s biggest and most high-profile websites, including Twitter, Airbnb, Netflix, and the PlayStation Network.
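An infected device is hard to spot from its owner's side, but its Telnet probing of other hosts shows up in network flow records. The following is an added example, not part of the original article: it flags any local device that contacts many distinct outside hosts over Telnet within a short window. The record format, the LAN range, ports 23 and 2323, the 60-second window and the threshold of 5 are all assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed local network
TELNET_PORTS = {23, 2323}                      # Telnet and a common alternate
WINDOW = 60                                    # seconds per counting window
THRESHOLD = 5                                  # hypothetical tuning value

# Constructed flow records: epoch_seconds src_ip dst_ip dst_port
SAMPLE_FLOWS = """\
1000 192.168.1.20 198.51.100.7 443
1001 192.168.1.50 203.0.113.1 23
1002 192.168.1.50 203.0.113.2 23
1003 192.168.1.50 203.0.113.3 2323
1004 192.168.1.50 203.0.113.4 23
1005 192.168.1.50 203.0.113.5 23
1006 192.168.1.50 203.0.113.5 23
1010 192.168.1.30 192.168.1.1 23
1020 192.168.1.30 198.51.100.9 23
garbage line
"""

def parse(line):
    """Return (ts, src, dst, port), or None for a malformed record."""
    try:
        ts, src, dst, port = line.split()
        return (int(ts), ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(port))
    except ValueError:
        return None

def telnet_fanout(flows, threshold=THRESHOLD):
    """Map each LAN host to the most distinct outside Telnet peers it
    contacted in any one window, keeping hosts at or above threshold."""
    peers = defaultdict(set)  # (src, window index) -> outside destinations
    for ts, src, dst, port in filter(None, map(parse, flows.splitlines())):
        if src in LAN and dst not in LAN and port in TELNET_PORTS:
            peers[(src, ts // WINDOW)].add(dst)
    worst = defaultdict(int)
    for (src, _), dsts in peers.items():
        worst[str(src)] = max(worst[str(src)], len(dsts))
    return {src: n for src, n in worst.items() if n >= threshold}

if __name__ == "__main__":
    for host, n in telnet_fanout(SAMPLE_FLOWS).items():
        print(f"{host}: {n} distinct outside Telnet peers within {WINDOW}s")
```

A single Telnet session to one outside host, or Telnet to the local router, stays below the threshold; only the fan-out pattern is reported.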
Problem getting worse, solutions are at hand
The problem is only getting worse, not better. Although some governments around the world are starting to explore legislation that will, for instance, punish IoT device manufacturers that use insufficient passwords, it is clear that there are still gaping vulnerabilities that need to be addressed. The rollout of 5G connectivity will mean more IoT devices than ever, courtesy of increased bandwidth and reduced latency. The lowering of costs for hiring a DDoS attack (which can be done for just a few dollars) also means that attacks are becoming more commonplace, while attackers find new ways of amplifying attacks to ensure that they are more damaging than ever.
Poor IoT device security hurts everyone, with the potential to harm anyone from individual users (whose compromised devices may leak additional personal data) through to companies, governments, universities, hospitals and any number of other entities which can be, and have been, targeted by DDoS attacks. Web Application Firewall (WAF) and DDoS protection are necessary to address this growing threat. Fortunately, there are companies that specialize in tools that can identify such attacks and mitigate them, making sure that IoT devices (and other computers) remain under your control, while also protecting you against incoming DDoS attacks.
The fight back against cyberattacks is just beginning. Luckily there are some very good people fighting on the side of security.