One of the biggest distributed denial-of-service (DDoS) attacks ever was directed at independent security journalist Brian Krebs on Tuesday (Sept. 20), and lasted for three days, leading his service provider to take his website offline. More ominously, the attack could have been originated from a “botnet”—a network of devices controlled by a hacker—comprised of unsecured, internet-connected, cameras.
In a DDoS attack, huge amounts of traffic are directed at a particular online service, like a website. The flood of traffic renders the website unable to cope, much like a crowd of people trying to cram through a single doorway.
The scale of such attacks is measured by the amount of traffic directed at a service per second, and the largest known DDoS attacks to date have been in the 300 to 400 gigabits per second range. The traffic trained at Krebs’s site was at least 600 Gbps—researchers at Akamai, where Krebs hosted his site, are still trying to quantify it.
Akamai’s chief security officer, Andy Ellis, says the attack on Krebs is at least twice as large as anything he’s encountered before. For Ellis, the attack represents a significant scaling up of DDoS attacks and the size of the botnets harnessed to deliver them. ”We expect this will be the new normal over the next 18 months,” Ellis says. “If I were doing business planning about what I’m trying to defend myself from … People will need to reevaluate their assumptions going forward.”
The type of traffic being generated by the botnet is also different, according to Ellis. Instead of a “reflection attack,” where a small amount of traffic is amplified by other servers, the traffic that flooded Krebs’ site was direct traffic, Ellis says. This suggests a larger botnet has been harnessed. The previous record-holder for a DDoS attack at Akamai was largely reflected traffic, he says, which was easier to defend against. “We will probably see more IoT devices with larger botnets and with tight command-and-control, with blends of shaped and reflected traffic,” he says.
Ellis can’t say definitively that it was a network of hijacked cameras that generated the torrent of traffic, because his team is still analyzing the attack, he said, but it’s one of his main theories. An attack that harnessed online cameras would likely have tapped networks installed by individuals or small businesses, he said. “It’s probably not a really big office building with a network of cameras, but something like if someone went to Best Buy and bought a DVR and installed it in maybe a small office,” he says.
If a botnet is indeed running off hundreds of thousands of connected cameras, it would highlight a major flaw in the internet of things, which experts have warned of for years. The software these devices run on is usually not easily upgraded, meaning that security loopholes can remain open for years.
“We’re pretty sure IoT is not a passing fad and many devices are unmaintainable,” Ellis says. “You can certainly update the firmware manually, but it’s not realistic for most consumers.”
As the Internet of Things expands, services tapping into online devices have sprouted. Take Shodan, a search-engine for internet connected devices, which allows users to watch unsecured webcams. These services make it easier for attackers to research botnet targets, Ellis says.