While an odd back and forth has emerged between Xiongmai, the Chinese video surveillance manufacturer whose "smart" video camera equipment was blamed by numerous sources for driving massive Internet attacks last Friday, accusations which the Chinese company first admitted but then denied, far bigger mass attacks may be in store. As Forbes first reported, hackers are now selling access to a huge army of hacked Internet of Things (IoT) devices designed to launch attacks capable of severely disrupting web connections. The finding was revealed just days after compromised cameras and other IoT machines were used in an attack that took down Twitter, Amazon Web Services, Netflix, Spotify and other major web companies.
In the report, RSA is said to have discovered several weeks ago that hackers were advertising access to a huge IoT botnet on an underground criminal forum, though the company declined to say which one. (F-Secure chief research officer Mikko Hypponen said on Twitter after publication that it was the Tor-based Alpha Bay market).
“This is the first time we’ve seen an IoT botnet up for rent or sale, especially one boasting that amount of firepower. It’s definitely a worrying trend seeing the DDoS capabilities grow,” said Daniel Cohen, head of RSA’s FraudAction business unit.
And speaking of firepower, all those unprotected smart devices sure add up: the seller claims they can generate 1 terabit per second of traffic. That would almost equal the world record DDoS attack, which hit French hosting provider OVH earlier this month at just over 1 terabit.
So how much will it cost an angry luddite hell-bent on taking down the internet, if only for a short time? Not much: for $4,600, anyone could buy 50,000 bots (hacked computers under the control of hackers), whilst 100,000 cost $7,500. Together, those bots can combine resources to overwhelm targets with data, in what’s known as a distributed denial of service (DDoS) attack.
While RSA's Cohen said he didn’t know if the botnet for hire was related to Mirai, the epic network of weaponized IoT computers used to swamp Dyn – a domain name system (DNS) provider and the chief target of Friday’s attack – with traffic, Forbes said it was able to find a forum post on Alpha Bay from the seller, who went by the name loldongs, which noted they had created a Mirai-based botnet. The original post was on 4 October, just a few days after the Mirai source code was made available to everyone. In a later post, in response to another user’s request, loldongs claimed: “I can take down OVH easily.”
This is the seller’s post on the Tor-based Alpha Bay market, in which they claim to have used the Mirai source code to create a botnet.
While hackers have long sold access to botnets, this may be the first occasion they have explicitly advertised their use of IoT devices like connected cameras, fridges and kettles. The infamous LizardSquad amassed sizeable botnets for its LizardStresser “booter” – a DDoS weapon for hire – but it largely compromised vulnerable routers.
That said, before angry customers splurge for the opportunity of taking down their most hated website, or DNS network, keep in mind last week's attack may not be repeated soon. According to Forbes, Twitter, Amazon Web Services, PayPal and others could’ve been better prepared too with something very simple: a secondary, back-up DNS provider.
“Companies using third party DNS providers ultimately may not want to put all their eggs in one basket. We’ve already seen PayPal, a Dyn customer, add DNS services for another provider in addition to Dyn,” noted Kevin Beaumont, a security architect at a global manufacturing company. “This will help mitigate problems for them in the future. It also works both ways and isn’t a slam of Dyn – for example, companies could use Dyn as an additional DNS provider.”
Another remedy might have also eased the pain for general web users.
When someone enters a web address, the DNS lookup doesn’t always go through the same full process, routing right up to what’s known as the “authoritative” DNS server. Instead, the system can quickly retrieve a previously stored (or cached) response from a nearby server, making the whole process that much quicker. The period during which those responses are cached is known as the “Time to Live” or TTL. The shorter the TTL, the quicker everything goes up in smoke if the authoritative DNS server is wiped offline, noted a security researcher who goes by the name MalwareTech. So Twitter et al should look to make their respective TTLs that much longer, they said.
“A combination of short TTL and no redundancy is what led to the issues on Friday,” they added. “If [an affected site] had a TTL of, say, a day, as long as the DDoS attack is shorter than a day, most users would never notice anything.” According to CloudFlare security pro Filippo Valsorda, there’s an even better solution: rather than lengthening the TTL, just ensure there’s a permanent backup resource of records should anything go wrong. “You don’t need to get DNS results directly from the source. Results are the same for everyone, and can be valid for a while,” he told FORBES. “Here’s the point: if the global DNS system just kept replying with old results when the authoritative source – like Dyn – is offline, attacks on DNS providers would cause much much less disruption… There is no good reason resolvers should remove the results from the cache when the TTL expires, if they can’t reach the source to update it.”
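To make the three mitigations discussed above concrete (a longer TTL, a secondary DNS provider as Beaumont suggests, and resolvers that keep serving expired records as Valsorda proposes), here is an added example that is not from the article or from any of the companies named: a toy caching resolver with hypothetical names (`AuthServer`, `Resolver`, `simulate`) and constructed records that measures what fraction of lookups still get answered while the primary authoritative provider is unreachable.

```python
# Added example, not from the article: toy caching resolver (hypothetical names,
# constructed data) showing why short TTL + one provider fails during a DDoS.
class AuthServer:  # stand-in for an authoritative DNS provider such as Dyn
    def __init__(self, name, records):
        self.name, self.records, self.online = name, records, True
    def query(self, qname):
        if not self.online:          # under DDoS: queries time out
            raise TimeoutError(f"{self.name} unreachable")
        return self.records[qname]   # (rdata, ttl_seconds)

class Resolver:  # caching recursive resolver; serve_stale = keep stale answers
    def __init__(self, providers, serve_stale=False, clock=lambda: 0.0):
        self.providers, self.serve_stale, self.clock = providers, serve_stale, clock
        self.cache = {}              # qname -> (rdata, expires_at)
    def resolve(self, qname):
        now = self.clock()
        hit = self.cache.get(qname)
        if hit and hit[1] > now:     # fresh entry: no upstream query needed
            return hit[0]
        for p in self.providers:     # try each provider listed for the zone
            try:
                rdata, ttl = p.query(qname)
                self.cache[qname] = (rdata, now + ttl)
                return rdata
            except TimeoutError:
                continue
        if self.serve_stale and hit: # source unreachable: answer with old record
            return hit[0]
        raise LookupError(f"SERVFAIL for {qname}")

def simulate(ttl, redundant, serve_stale, outage_len=3600, step=300):
    """Fraction of lookups (one per `step` seconds) answered while primary is down."""
    clock = [0.0]
    records = {"example.test.": ("192.0.2.1", ttl)}
    primary = AuthServer("primary", records)
    providers = [primary] + ([AuthServer("secondary", records)] if redundant else [])
    r = Resolver(providers, serve_stale, clock=lambda: clock[0])
    r.resolve("example.test.")       # warm the cache before the attack starts
    primary.online = False           # DDoS takes the primary offline
    ok = total = 0
    while clock[0] < outage_len:
        clock[0] += step
        total += 1
        try:
            r.resolve("example.test."); ok += 1
        except LookupError:
            pass
    return ok / total
```

With a 60-second TTL and a single provider every lookup during the hour-long outage fails, while a day-long TTL, a secondary provider, or serve-stale behaviour each bring the answered fraction back to 1.0.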
With last week's hack in the history books, it is likely that internet service providers will take remedial measures to address similar cyberattacks. However, as millions of largely unprotected IoT devices emerge, it is only a matter of time before hackers find another exploitable loophole courtesy of a similar "oversight" to that by Xiongmai, especially if the price of admission is relatively low. We can hope that the next time such an attack does happen, it will likewise target a largely irrelevant source of productivity-draining "social engagement", because should an unknown hacker go after something more critical, like NPPs or defense infrastructure, then a retaliation against the scapegoat du jour, which these days is generically Vladimir Putin, will have far greater consequences than Twitter being inaccessible for a few hours.