September, October and November 2016 have been watersheds for the growing threat of large-scale distributed denial of service (DDoS) attacks, as increasingly prominent targets have fallen victim to weaponised smart devices.
These attacks have revealed a sobering truth: the capabilities of DDoS attacks are growing far faster than our abilities to mitigate them.
DDoS attacks, and overloaded servers in general, are nothing new. The target web server is hit by an overwhelming amount of traffic, consuming the server’s resources and, if the attack succeeds, taking the site offline.
Prominent examples of targets include augmented reality game Pokemon Go, HSBC and the National Crime Agency.
However, innovations in the DDoS arsenal are rapidly escalating the size of these attacks.
“No-one had ever imagined a 1 Tbps DDoS before,” says Mike Murray, VP of Security Research and Response at Lookout.
“It’s the nightmare scenario; you cannot protect against it.”
The ramping up of DDoS attacks can be traced through three attacks in September and October: the attack on KrebsOnSecurity in late September peaked at 620 Gbps, the attack on OVH a few days later reached 1 Tbps and the attack on Dyn is believed to have reached 1.2 Tbps. November saw more DDoS attacks using Mirai on a range of targets.
In the space of a few weeks, the all-time record for a DDoS attack was set and then almost doubled.
“Purely personal or consumer technology can be used, maliciously, at large scale with highly detrimental impacts,” said a report commissioned by outgoing US President Barack Obama and published at the beginning of December.
“Indeed, as the attacks in recent months make clear, IoT devices can be significant weak links in our global networks, easily weaponised to deliver destructive and destabilising attacks.”
The report goes on to argue that standards for security of IoT devices must be raised throughout the supply chain and that the public must become better educated about the issue.
What sets this new strain of attacks apart is that they are powered by the malware Mirai, which Dyn confirmed as a primary source of the traffic that hit it.
Mirai carries a hard-coded list of several dozen factory-default username and password pairs, including obvious choices such as ‘admin’, ‘12345’ and ‘password’. It scans the internet for devices that expose a telnet login, such as home routers, digital video recorders and IP cameras, tries those credentials against each one, and puts every device it gets into under a single command and control, creating what is called a ‘botnet’.
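The behaviour just described has a simple signature from the defender’s side: one source address trying many distinct factory-default credentials against telnet ports within seconds. As an added example (this is not code from the article, nor from Mirai), the Python below runs that rule over constructed log lines. The log format, the `telnetd:` prefix and the IP addresses are assumptions made for the example; the credential pairs listed are a subset of the defaults Mirai is known to try.

```python
"""Flag Mirai-style telnet credential spraying in constructed auth logs.

Added example, not from the article. The sample log lines and their format
are made up to resemble what a telnet daemon or honeypot would record.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the factory-default pairs Mirai's scanner tries (the real
# hard-coded list has several dozen entries).
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"),
    ("root", "admin"), ("root", "12345"), ("root", "password"),
    ("admin", "password"), ("support", "support"), ("user", "user"),
    ("ubnt", "ubnt"),
}
TELNET_PORTS = {23, 2323}  # Mirai scans both

# Assumed (constructed) log format:
# "<ISO time> telnetd: login src=IP:port dport=N user=U pass=P result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login src=(?P<src>[\d.]+):\d+ dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dport": int(m["dport"]),
        "cred": (m["user"], m["pw"]),
        "ok": m["result"] == "ok",
    }


def find_credential_sprayers(lines, window=timedelta(seconds=60), min_distinct=3):
    """Return {src_ip: details} for sources that, inside any `window`, tried at
    least `min_distinct` distinct known-default credential pairs on telnet ports.
    `compromised` is True if any of those attempts succeeded."""
    attempts = defaultdict(list)  # src -> [(ts, cred, ok)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in TELNET_PORTS:
            continue
        if rec["cred"] not in MIRAI_DEFAULT_CREDS:
            continue  # an unusual credential is not the Mirai pattern
        attempts[rec["src"]].append((rec["ts"], rec["cred"], rec["ok"]))

    flagged = {}
    for src, recs in attempts.items():
        recs.sort()
        # Slide a window over this source's attempts, oldest first.
        for i, (t0, _, _) in enumerate(recs):
            in_window = [r for r in recs[i:] if r[0] - t0 <= window]
            distinct = {r[1] for r in in_window}
            if len(distinct) >= min_distinct:
                flagged[src] = {
                    "distinct_default_creds": len(distinct),
                    "compromised": any(r[2] for r in in_window),
                }
                break
    return flagged


# Constructed sample: one fast sprayer (succeeds on the 4th try), one legitimate
# operator, and one slow source whose attempts fall outside a 60-second window.
SAMPLE_LOG = """\
2016-10-21T11:10:01 telnetd: login src=203.0.113.7:51000 dport=23 user=root pass=xc3511 result=fail
2016-10-21T11:10:02 telnetd: login src=203.0.113.7:51001 dport=23 user=root pass=vizxv result=fail
2016-10-21T11:10:03 telnetd: login src=203.0.113.7:51002 dport=2323 user=admin pass=admin result=fail
2016-10-21T11:10:04 telnetd: login src=203.0.113.7:51003 dport=23 user=root pass=12345 result=ok
2016-10-21T11:12:00 telnetd: login src=198.51.100.9:40000 dport=23 user=ops pass=S3cr3t! result=ok
2016-10-21T11:12:30 telnetd: login src=198.51.100.9:40001 dport=23 user=ops pass=S3cr3t! result=fail
2016-10-21T11:30:00 telnetd: login src=192.0.2.5:33000 dport=23 user=admin pass=admin result=fail
2016-10-21T11:45:00 telnetd: login src=192.0.2.5:33001 dport=23 user=root pass=admin result=fail
2016-10-21T11:55:00 telnetd: login src=192.0.2.5:33002 dport=23 user=root pass=password result=fail
""".splitlines()

if __name__ == "__main__":
    for src, info in find_credential_sprayers(SAMPLE_LOG).items():
        print(src, info)
```

The slow source (192.0.2.5) is deliberately left unflagged at the default 60-second window; widening the window to an hour catches it, which is the trade-off a detection engineer tunes against background noise. A `compromised` result is the one that matters operationally: that device is now a bot until its credentials are changed and telnet is closed.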
“Why is the botnet code not more sophisticated? Because it didn’t need to be,” says Mike Murray of Lookout.
As Murray explains, Mirai did the job because it was all that was needed. But, he says, it doesn’t take much imagination to see where the next attacks will go.
What’s more, Corero Network Security recently observed a new attack technique, which it described as a zero-day DDoS vector, being used against its customers.
The technique abuses the Lightweight Directory Access Protocol (LDAP) as a reflector: the attacker sends small queries with a forged source address to LDAP servers reachable over UDP, and each server sends its far larger reply to the victim, amplifying the attack traffic. According to Corero, if used in conjunction with a Mirai-sized botnet this could produce a DDoS attack of 36 Tbps.
“We can now envisage an attack of tens of terabits per second if hackers were to utilise this new technique. But there is really no limit to the potential scale of future attacks,” said Dave Larson, CTO/COO at Corero Network Security.
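Seen from the victim’s network, reflection of this kind has a characteristic shape: UDP traffic arriving from the service port of many distinct hosts that the victim never sent a query to. As an added example (not code from the article or from Corero), the Python below applies that rule to constructed NetFlow-style records. The flow tuple layout, the addresses and the byte counts are assumptions for the example; the port-to-service table is a small hypothetical list that includes CLDAP on UDP/389.

```python
"""Spot UDP reflection traffic, such as LDAP/CLDAP amplification, in flow records.

Added example, not from the article. The flows below are constructed and each
record is an assumed (src_ip, src_port, dst_ip, dst_port, proto, bytes) tuple.
"""
from collections import defaultdict

# Hypothetical table of UDP services commonly abused as reflectors.
REFLECTOR_PORTS = {389: "CLDAP", 53: "DNS", 123: "NTP", 1900: "SSDP"}


def find_reflection_victims(flows, min_reflectors=3, min_unsolicited_bytes=10_000):
    """Group inbound UDP flows by (destination, reflector port). A destination
    is a likely victim when at least `min_reflectors` distinct hosts send it
    service-port traffic it never queried, totalling `min_unsolicited_bytes`
    or more. Returns {victim: {service, reflectors, unsolicited_bytes}}."""
    queried = set()                                   # (client, server, port)
    inbound = defaultdict(lambda: defaultdict(int))   # (dst, sport) -> src -> bytes
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue  # reflection needs a connectionless, spoofable transport
        if dport in REFLECTOR_PORTS:
            queried.add((src, dst, dport))
        if sport in REFLECTOR_PORTS:
            inbound[(dst, sport)][src] += nbytes

    victims = {}
    for (dst, port), per_src in inbound.items():
        # Keep only responders the destination never sent a query to.
        unsolicited = {s: b for s, b in per_src.items()
                       if (dst, s, port) not in queried}
        total = sum(unsolicited.values())
        if len(unsolicited) >= min_reflectors and total >= min_unsolicited_bytes:
            victims[dst] = {
                "service": REFLECTOR_PORTS[port],
                "reflectors": len(unsolicited),
                "unsolicited_bytes": total,
            }
    return victims


# Constructed sample traffic.
REFLECTORS = [f"203.0.113.{i}" for i in range(1, 11)]
SAMPLE_FLOWS = (
    # Ten CLDAP replies landing on the victim, which sent no queries at all.
    [(r, 389, "192.0.2.10", 40000 + i, "udp", 3_000) for i, r in enumerate(REFLECTORS)]
    # A legitimate DNS exchange: query out, answer back (solicited, ignored).
    + [("192.0.2.20", 51234, "198.51.100.53", 53, "udp", 60),
       ("198.51.100.53", 53, "192.0.2.20", 51234, "udp", 180)]
    # One stray NTP packet: unsolicited, but one source and tiny.
    + [("198.51.100.7", 123, "192.0.2.20", 123, "udp", 48)]
    # TCP from port 389 is not reflection and is skipped.
    + [("198.51.100.8", 389, "192.0.2.10", 5555, "tcp", 900)]
)

if __name__ == "__main__":
    for victim, info in find_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, info)
```

In practice the same rule points both ways: a network that finds its own hosts in the `REFLECTORS` role has LDAP, DNS or NTP servers answering unauthenticated UDP queries from the whole internet, and closing those off is the part of the fix that is in its own hands.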
Mike Murray has a different attack vector in mind.
“There are a billion Android phones on the market right now,” says Murray.
Murray is well-versed in the vulnerabilities of smartphones. He was part of the team that uncovered the Trident vulnerabilities in iOS.
In August, Citizen Lab and Lookout Security were alerted by Ahmed Mansoor, a member of Human Rights Watch’s advisory committee, who had been sent two text messages containing hyperlinks and promising information about detainees in United Arab Emirates prisons. Mansoor forwarded the messages to Citizen Lab’s Bill Marczak.
The two organisations found that the attack used three critical iOS zero-day vulnerabilities, collectively termed Trident, which together form an exploit chain that subverts Apple’s security model.
Murray sketches out a similar infection scenario for an Android-powered botnet.
“What if I wrote the same botnet software [to Mirai] but instead wrote it to capture Android phones and spread via text messages?
“How hard would it be? It would be an afternoon project for a member of my team.”
A small fraction of the billion Android devices in the hands of consumers could create an immensely powerful botnet.
With that, says Murray, an attacker could “take out any part of the internet they want, including all the mobile carriers, because none of them can handle this much traffic.
“This is not a stretch; it’s not some Die Hard scenario. This is the thing that happened that I stretched to a phone.”
For now, Mirai and the IoT seem to be the imminent threat. World Wide Web creator Tim Berners-Lee encouraged listeners to the BBC Today Programme to be careful with their internet-connected devices, urging them to use passwords.
However, this is an incomplete fix. It only takes a fraction of consumers not bothering to secure their devices for the botnet to work, and on some of the affected devices the telnet credentials Mirai uses are baked into the firmware and cannot be changed from the device’s web interface at all.
There are signs that device manufacturers are taking the issue seriously, however.
In what may be the first of many recalls, Chinese electronics firm Xiongmai recently issued a product recall after components it had manufactured helped to power the Dyn DDoS attack.
Xiongmai said that it would also strengthen password functions and issue patches for products made before April last year.
Service providers and site operators will also need to be wary, and improve their visibility into the traffic reaching their networks and servers.
However, it is possible that the biggest DDoS attacks are still to come.