An IoT "Cannon" To "Bring Down The Web" Can Be Yours For Only $7,500

Tyler Durden's picture

While an odd back and forth has emerged between Xiongmai, the Chinese video surveillance manufacturer whose "smart" video camera equipment was blamed by numerous sources blame for driving massive Internet attacks last Friday, accusations which the Chinese company first admitted by then denied, far bigger mass attacks may be in store. As Forbes first reported, hackers are now selling access to a huge army of hacked Internet of Things (IoT) devices designed to launch attacks capable of severely disrupting web connections. The finding was revealed just days after compromised cameras and other IoT machines were used in an attack that took down Twitter, Amazon Web Services, Netflix, Spotify and other major web companies.

In the report, RSA is said to have discovered several weeks ago that hackers were advertising access to a huge IoT botnet on an underground criminal forum, though the company declined to say which one. (F-Secure chief research officer Mikko Hypponen said on Twitter after publication that it was the Tor-based Alpha Bay market).

This is the first time we’ve seen an IoT botnet up for rent or sale, especially one boasting that amount of firepower. It’s definitely a worrying trend seeing the DDoS capabilities grow,” said Daniel Cohen, head of RSA’s FraudAction business unit.

And speaking of firepower, all those unprotected smart devices sure add up: the seller claims they can generate 1 terabit per second of traffic. That would almost equal the world record DDoS attack, which hit French hosting provider OVH earlier this month at just over 1 terabit.

So how much will it cost an angry luddite hell bent on taking down the internet, if only for a short time? Not much: for $4,600, anyone could buy 50,000 bots (hacked computers under the control of hackers), whilst 100,000 cost $7,500. Together, those bots can combine resources to overwhelm targets with data, in what’s known as a distributed denial of service (DDoS) attack.

While RSA's Cohen said he didn’t know if the botnet for hire was related to Mirai, the epic network of weaponized IoT computers used to swamp DYN – a domain name system (DNS) provider and the chief target of Friday’s attack – with traffic, Forbes said it was able to find a forum post on Alpha Bay from the seller, who went by the name loldongs, which noted they had created a Mirai-based botnet. The original post was on 4 October, just a few days after the Mirai source code was made available to everyone. In a later post, in response to another user’s request, loldongs claimed: “I can take down OVH easily.”

RSA uncovered a botnet for hire, made up of IoT devices like connected cameras and fridges.

It could generate an astonishing amount of power, the company warned.

This is the seller’s post on the Tor-based Alpha Bay market, in which they claim to have
used the Mirai source code to create a botnet.

While hackers have long sold access to botnets, this may be the first occasion they have explicitly advertised their use of IoT devices like connected cameras, fridges and kettles. The infamous LizardSquad amassed sizeable botnets for its LizardStresser “booter” – a DDoS weapon for hire – but it largely compromised vulnerable routers.

That said, before angry customers splurge for the opportunity of taking down their most hated website, or DNS network, keep in mind last week's attack may not be repeated soon. According to Forbes, Twitter, Amazon Web Services, PayPal and others could’ve been better prepared too with something very simple: a secondary, back-up DNS provider.

“Companies using third party DNS providers ultimately may not want to put all their eggs in one basket. We’ve already seen PayPal, a Dyn customer, add DNS services for another provider in addition to Dyn,” noted security architect Kevin Beaumont for a global manufacturing company. “This will help mitigate problems for them in the future. It also works both ways and isn’t a slam of Dyn – for example, companies could use Dyn as an addition DNS provider.”

Another remedy might have also eased the pain for general web users.

When someone enters a web address, the DNS doesn’t always go through the same lookup process, routing right up to what’s known as the “authoritative” DNS server. Instead, the system can quickly retrieve a previously-stored (or cached) response from a nearby server, making the whole process that much quicker. The period during which those responses are cached is known as the “Time to Live” or TTL. The shorter the TTL the quicker everything goes up in smoke if the authoritative DNS server is wiped offline, noted a security researcher who goes by the name MalwareTech. So Twitter et al should look to make their respective TTLs that much longer, they said.


“A combination of short TTL and no redundancy is what led to the issues on Friday,” they added. “If [an affected site] had a TTL of, say, a day, as long as the DDoS attack is shorter than a day, most users would never notice anything.” According to CloudFlare security pro Filippo Valsorda, there’s an even better solution: rather than lengthening the TTL, just ensure there’s a permanent backup resource of records should anything go wrong. “You don’t need to get DNS results directly from the source. Results are the same for everyone, and can be valid for a while,” he told FORBES. “Here’s the point: if the global DNS system just kept replying with old results when the authoritative source – like Dyn – is offline, attacks on DNS providers would cause much much less disruption… There is no good reason resolvers should remove the results from the cache when the TTL expires, if they can’t reach the source to update it.”

With last week's hack in the history books, it is likely that internet service providers will take remedial measures to address similar cyberattacks. However, as millions of largely unprotected IoT devices emerge, it is only a matter of time before hackers find another exploitable loophole courtesy of a similar "oversight" to that by Xiongmai, especially if the price of admission is relatively low. We can hope that the next time such an attack does happens, it will likewise target largely irrelevant source of productivity-draining "social engagement", because should an unknown hacker go after something more critical, like NPPs or defense infrastructure, then a retaliation against the scapegoat du jour, which these days is generically Vladimir Putin, will have far greater consequences than Twitter being inaccessible for a few hours.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Seasmoke's picture

I will take 3. Just to be sure.

Looney's picture

Slightly OT…

There was an interesting article in The National Interest last week:

…consider comments by Doug Loverro, the deputy assistant secretary of defense for space policy, “The US is more invested in space assets than are its potential enemies, so it has more to lose from a shooting war in orbit.” Indeed, he reminded everyone,” If we lost GPS worldwide, most of our warfighters—in fact, all of our warfighters—would lose the ability to navigate and tell time and drop the precision munitions and do everything we do with GPS. If we lose GPS tomorrow, none of our warfighters can fight…

Just a refresher… One year ago, the LATimes reported that “after almost two decades, the Naval Academy in Annapolis had reinstated a brief course in celestial navigation”, which means that 20 years’ worth of officers have no clue how to navigate without GPS.

Mastering celestial navigation takes years, not a brief freaking course! And what do you do with all those officers who graduated 20, 15, 10 years ago – today’s majors, colonels, generals, and admirals who can’t find their laxatives without GPS?

Oh, well… I guess we can always paint sextants and astrolabes on all aircraft carriers, warplanes, and tanks and just keep pokin’ them damn Rooskies?   ;-)


Budnacho's picture

Back to the days of aiming artillery in the general direction and letting loose....

KnuckleDragger-X's picture

All the dumb people holding smart phones will immediately go into a blind panic.  That alone makes it all worthwhile......

knukles's picture

"blind panic"  Oh the irony!

Manthong's picture

If you want, I’ll do it for free,  for fun … for shits and giggles as long as the target is deserving.

Ghost of PartysOver's picture

Google and FaceBook for starters maybe?

NoDebt's picture

No offense, but the internet ruined everything.  I won't miss it much when it's gone (except for ZH and all the free porn- I'll miss that).  And we'll all have jobs again.

KnuckleDragger-X's picture

Tsk ND, all this internet panic is giving me more  consulting work than I can handle, especially among the corps. that out-sourced to foreign countries......

A Nanny Moose's picture

Likewise. Infosec is the current boom.

GreatUncle's picture

Jobs are gone my son ... technology does not go in reverse so barring a fall into WW3 it is minimum wage and EBT cards all round. But then you found Clinton, the spawn of satan, one of the four horsemen ... you fell into WW3 loads of work now just to stay alive.

Does one of the horsemen of the apocalypse go by the name of cankles in another tongue.


Sam.Spade's picture

You are mistaken about the jobs, mainly because it isn't technology that took them all away.  It was printed money and the status of the FRN as the world reserve currency.  If you doubt that, take a look at the history of Spain before, during, and after Columbus and the Inca gold.  Same thing.  Spaniards could buy everything cheaper than they could make it, so the average peasant became unemployed unless he was in line to receive some of that new-world gold.

If we go back to honest money, and avoid WW3, the jobs will all come back.

GeezerGeek's picture

Speaking of artillery, I recall reading that Germany never practiced for naval battles south of the equator. In a minor skirmish with some British ships they found out about the coriolis effect the hard way. I believe it was during WW I, but I read it a long time ago and don't recall all the details.

Rusty Shorts's picture

Well..the Earth was flat back then, the Limeys were looking at there own maps, so you can't blame that on the Germans...

38BWD22's picture



And they want to ban cash...  Just wait for all the fun when hackers (and .gov) go crazy working to steal your money from your bank accounts...


NoDebt's picture

Russian ICBMs work off celestial navigation.  US ICBMs use wicked-precise gyros with a celestial backup.

Either will get where it's going just fine without GPS.  And you can't fool them with chaff or electronic counter-measures.  Once they're out of the boost phase there ain't no calling them back, there ain't no self-destruct signal either.

Have a nice day.

knukles's picture

One of my ex-Navy captain acquaintances many years ago told me that alongside celestial navigation, courses in "old fashioned radio maintenance and repair" (tubes) and Morse Code had been dropped, increasing the reliance and risks thereof on satellite data and transistors
Also was mentioned by somebody that every time a simulated conflict is run, the Op-For knows to First knock out the US GPS.  Never fails.

LadiesLoveCoolJames's picture

Yeah, my friend told me they don't even teach the boys at West Point how to shoe horses anymore. What happens when the cars don't work. Big shot Westies will all be screwed!

CNONC's picture

I know you're being funny, but I was recently talking with a just seperated Army E5, and he professed a great knowledge of land navigation.  He had no idea how to locate himself on a topographical map, or to match his surroundings with the features on that map.  Without GPS, he coulld not call for fire, call for evacuation, move toward an objective, or return to base. 

The boys at West Point, by the way, are taught how to use LPCs.  That is the fall back position when the vehicles stop.

(Leather Personnel Carrier, if you didn't already know)

LadiesLoveCoolJames's picture

For me, I just stop at the nearest sheep herder or camel salesman and ask for directions. No shame in my game.

NidStyles's picture

Not all E5's are made equal, and not all are required to know how to do this anyways.

CNONC's picture

Hard rank e5, tanker. Absolutely should have known.

cossack55's picture

Reminds of when the smart boys were laughing at the tubes in the new Mig-25 Foxbat when that cat defected with one to Japan. Ooops.  Fly after a nuke attack. Imagine that.

cheech_wizard's picture

This is what is known as "WINNING". 

Standard Disclaimer: In other circles, this is called "American Exceptionalism".

Donald J. Trump's picture

I for one have lost my ability to navigate without gps.  it's not that I never knew how to, it's just I forgot or something.  now I need gps to get me to the most basic places.

GeezerGeek's picture

HRC gets places by having others carry her. Different strokes for different folks.

coast's picture

not that it matters, just sayin, joel skousen on alex jones radio show pretty much said the same thing...the boots are waking up, but the higher ups are in disneyland or some far off world that doesnt exist.

GeezerGeek's picture

It's hard to hack a sextant - sorry, Putin. They can get bent, which may affect accuracy. They are also immune to EMP.

After learning celestial navigation as a backup method, perhaps they can start teaching people how to add, subtract, and use a slide rule. K&E forever!

CNONC's picture

I carried a slide rule with me until about 1988. As much as I love modern industrial machines and PLC controlled processes, I guess I'm a Luddite at heart.

JuliaS's picture

GPS can be spoofed by using ground-base transmitters. All of our naval destroyers and aircraft carriers are nothing more, in this day and age, than relay beacons for radio transmission. They can provide GPS signal backup if needed.

Without GPS we loose much of real-time data, but infrastructure still remains largely where it is. Non-mobile targets like missile silos, power plants, air fields all stay in the same position, so if the GPS networks go down, we'll still be able to hit targets.

Modern missiles have built-in cameras, carry computers on-board and can recognize surface features autonomously, when needed. They can hit targets by performing SFM analysis.

Military reliance on GPS, I believe, is overblown. Consumer market has no backups. A car GPS does not automatically switch to dead reckoning when entering a tunnel or going between tall steel-beam structures that echo the GPS ping.

Regarding star-chart navigation - I don't think it's a necessary form of backup. You're not going to be sending rockets or firing torpedoes using star charts. If you're at a point where you have to wait for a clear night sky to run your systems - you've already lost the war.

Sam.Spade's picture

What evidence do you have that military GPS can be spoofed?  Jammed, OK.  Not civilian GPS, but military, as, for the latter, the signal is encrypted, so why do you think it can be spoofed?

pitz's picture

Most, if not all commercial aircraft that fly overseas still maintain inertial navigation systems to back GPS up. 

Self-driving cars are hugely vulnerable because GPS denial really isn't all that hard. 

Sam.Spade's picture

You are mistaken in your comments about celestial navigation taking years to learn.  Most of the seven-day wonder navigators during WWII learned it in a few weeks.  And now, thanks to hand-held programming calculators, it's easier to reduce sights than it was then.

I lived on a sailboat for many years and carried a perpetual almanac (about the size of a thinner book) that I used to reduce my sites.  With the bouncing deck of a small craft, the cheap quality of a good plastic sextant, and the accuracy reductions inherent in the almanac, I still was able to get within 10 miles which was almost within the distance to the horizon and well within visual range of any land.

crazytechnician's picture

Once IoT devices use blockchain enabled keypairs DDoS attacks will become obsolete.

Gilnut's picture

WTH does a blockchain enabled keypair have to do with the IP stack or service queue of servers?


DDoS is the drowning of a server in requests so that legitimate traffic cannot be processed.  DDoS will never be obsolete and will forever be effective.  This is the "caveman club" of the Internet.

NoDebt's picture

Hulk smash internet!!

War Machine's picture

Except that having some redundancy (multiple 'addresses') is an easy fix... One that, I have heard, many porn sites have employed for years.

Gilnut's picture

LOL.  Yup I'm sure some company is going to pony up for 50k servers so they can defeat that 50k to 500k node DDoS botnet.  Yup, yessiree you betcha.

 I've been doing this for 30+ years, no way to protect for a DDoS attack from an experienced attacker.  Period.

Anyways, it doesn't matter the DDoS attack is not the 'real' attack anyways.  It's the cover attack to do the real dirty-work while everybody is scrambling and trying to get their shit fixed.  Keep an eye out for some possible nasty shit popping up at a later date.

crazytechnician's picture

It will mean IoT devices cannot be hacked in the first instance so cannot be used in a botnet.

Overflow-admin's picture

What protocol do you use for bitcoin transactions? TCP.

Take a long course about Level 4 of the OSI stack. You know NOTHING.

crazytechnician's picture

TCP or UDP , that's irrelevant. Once IoT devices use blockchain keypairs for root access , just like a bitcoin wallet does , physical devices will no longer be hackable and therefore cannot become nodes in a botnet. Just a matter of time.

sleigher's picture

Access linux box.

create account.

edit /etc/passwd and change made acct UID to 0


sleigher's picture

Any account can be have root access if you change the UID to 0.   So a local privilege exploit may allow an edit to /etc/passwd.  The actual root account won't be needed in such a case.

techpriest's picture

An IoT device is just a computer, usually a Linux box (because you can fit Linux in small spaces). However, it is connected to the Internet, and 99.99% of users do not know how to peform updates, read the logs, etc., and this computer is just sitting there, un-updated, on the Internet. It's configured to send info out too, and for "security" it mgiht be that the home company has a back door to inject "updates," isn't that cute?

Finally, given the countries of origin plenty of enterprising individuals can make the DDoS bot come standard, so they get a little commission on every sale made to you.

Atomizer's picture
Beware, This Trojan Opens Backdoors On Linux Computers

There was a more detailed article, cannot find it. 

trader1's picture

Architecture uber Alles.

AllTimeWhys's picture

Call Buffalo Wild Wings