The Internet Of Poorly Secured Things Is Fueling Unprecedented, Massive New DDoS Attacks
from the build-it-poorly-and-they-will-come dept
Last week, an absolutely mammoth distributed denial of service (DDoS) attack brought down the website of security researcher Brian Krebs. His website, hosted by Akamai pro bono, was pulled offline after it was inundated with 620Gbps of malicious traffic, nearly double the size of the biggest attack Akamai (which tracks such things via its quarterly State of the Internet report) has ever recorded. Krebs was ultimately able to get his website back online after Google stepped in to provide DDoS mitigation through its Project Shield service. Krebs believes the attack came after he began digging more deeply into various gangs that deliver DDoS attacks on demand. And according to Krebs, this time they had the help of the hysterically piss-poor security of the internet of things (IoT) industry:
"There are some indications that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords."
So not only are "smart" refrigerators, TVs, tea kettles and power outlets leaking your unencrypted data to any nitwit with a modicum of technical knowledge, they're being used to amplify existing attacks on security researchers who are actually trying to make things better. The attack comes directly on the heels of Bruce Schneier warning us that the check is about to come due -- after IoT companies and evangelists that prioritized hype and sales over security fundamentals helped introduce millions of new network attack vectors into the wild over the last five years or so.
In a recent blog post, Schneier also noted that these larger DDoS attacks come as multiple groups and individuals (likely nation state sponsored hackers) have begun probing for vulnerabilities on an unprecedented scale:
"Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure."
And they're finding, as many have warned, millions of poorly secured Internet of Things "smart" devices with stupid default passwords -- or in many instances no security at all. In most instances the buyers of these products are utterly clueless about their participation in these botnets, and very frequently these devices don't give the end user any transparent control over what's being sent over the network anyway.
In a follow-up blog post by Krebs, he makes it clear that in addition to being immensely dangerous (potentially fatal if the right systems are targeted), these larger scale DDoS attacks propped up by the IoT should also be seen as a growing assault on free speech. After all, few independent journalists would be able to afford the kind of DDoS mitigation technologies necessary to truly stop these new, larger attacks:
"In an interview with The Boston Globe, Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year."
For a country that likes to talk a lot about cybersecurity (mostly to justify awful government policy like backdoors that make us less secure than ever), the United States isn't doing all that much to mitigate the looming threat. Much like Schneier, Krebs calls for a more coordinated effort by industry and government to wake up and begin institutional-grade collaborative efforts to shore up our collective security before things spiral out of control:
"I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections."
And it probably goes without saying that this threat looms as we ponder electing two of the least technically sophisticated Presidential candidates in recent memory. These are two researchers who aren't prone to hyperbole, so it seems like we might just want to take their advice before the Internet of Things devolves from a running gag into a potentially fatal shitshow.
Filed Under: brian krebs, ddos, iot, security
Companies: akamai
Reader Comments
Gentlemen, start your firewalls!
It's sad it's come to that.
Re: Re: Re: Re: Gentlemen, start your firewalls!
Until these things become more accessible (i.e. automated), it's an issue for the average Joe.
Re: Re: Gentlemen, start your firewalls!
How would an unhacked IOT device have anything to do with changes to DNS or NTP unless it was designed to be a hacker tool to begin with?
It's all an attitude problem.
"God himself couldn't sink this internet!"
"Akamai would cost between $150,000 and $200,000 per year."
Damn that free speech hating Google.
Whatever's head is going to explode.
This is why self-driving cars must be banned
Which means that every car coming off the assembly lines, as well as all the ones that already have, is a bot waiting to happen. And self-driving cars aren't magically exempt from this.
As I've so often said, if someone else can run arbitrary code on your computer, it's not your computer any more. When that computer is a laptop sending spam, this is annoying. When that computer is managing a multi-thousand pound vehicle moving at 65MPH in traffic, it's a catastrophe.
Re: This is why self-driving cars must be banned
However, with self-driving, the blame can go squarely on the manufacturers, which will bring an inherently similar problem. That is, MFG claiming that their tech must be proprietary to protect it, which is a load of shit but so are politicians. And when you put two loads of shit together you get a couple of somethings in competition to stink to higher heavens.
Re: Re: This is why self-driving cars must be banned
Tell me about the ways that they can be sabotaged without ever coming into physical contact with them.
Tell me about the ways that they can be sabotaged in milliseconds.
Tell me about the way that they can be sabotaged without being detected by competent mechanics or even expert mechanics.
Tell me about the ways that they can be sabotaged while passing by at 65 MPH.
Tell me about the ways that they can be sabotaged en masse.
Tell me about the ways that they can be used to sabotage other cars.
Tell me about the ways that they can be placed under remote control individually or as a group.
Re: Re: Re: This is why self-driving cars must be banned
Is it that something must satisfy all or just one of these?
I'm pretty sure a spike strip on the highway at night would handle most of these on any traditional car.
Banning something outright because we can come up with scenarios that "make it dangerous" would have prevented the wheel from being used. While there are certainly security issues to be fixed with self-driving cars - and these are a big problem - they are currently safer than human driven cars and getting safer every day.
Oh, and self-driving cars don't need to have critical systems hooked to the internet.
Re: Re: Re: Re: This is why self-driving cars must be banned
You're deliberately ignoring the huge difference of scale between sabotaging traditional cars and internet-connected ones, and the serious warning signs that these vulnerabilities are being ignored and security treated as an afterthought.
He's ignoring that these issues exist in all internet-connected cars, not just self-driving ones, and proposing an unrealistic and excessive solution to a(n admittedly real and serious) problem.
What we actually need is for auto companies to start taking security seriously. Unfortunately, for that to happen will require either sensible regulation or market incentives. What's unfortunate about that is that we don't have a Congress that has the knowledge or the inclination to pass sensible regulations, and "market incentives" here mean *people start dying*, because I'm very much afraid that's what it's going to take before auto makers' profits are impacted enough for them to start prioritizing security.
Re: Re: Re: Re: This is why self-driving cars must be banned
A security vulnerability in a self-driving car means that (at least) all those of the same make/model are vulnerable simultaneously.
Don't picture one car going out of control. Picture every single one of that make/model on the highways within 15 miles of a city center being taken over during evening rush hour -- and turned into a directed precision-guided kinetic weapon. Now picture it happening in two cities, or twenty.
The risks are incredibly higher for self-driving cars. (They're not nonzero for non-self-driving cars carrying sophisticated computer systems, by the way, but those would be harder to commandeer. Self-driving cars are DESIGNED to be driven via automation.)
And on September 27, 2016, there is absolutely no sign whatsoever that auto makers are paying the slightest attention to the myriad security issues out there -- well, other than by trying to silence the researchers who found them, denying them, and lobbying Congress to make sure that it stays just as ineffectual as it has to date.
It will probably take a horrible incident like the hypothetical I posed above to spur action on this. It will be too late, MUCH too late by then, of course: you can't retrofit security. Not really. Not effectively. It has to be designed-in from the whiteboard stage. And we're already well past that. But there will be the usual calls for Something To Be Done and it will be: badly.
Maybe I'm wrong. I hope I'm wrong. But I doubt it.
Re: Re: Re: Re: Re: This is why self-driving cars must be banned
But (1) that's technically not a self-driving car and (2) that could very well be a reaction to the scrutiny Tesla's Autopilot feature has gotten over the past few months since there have been a couple of fatalities.
Re: Re: Re: Re: Re: This is why self-driving cars must be banned
A blinding light, an extremely loud sound, etc. Heck, a disabled car on the side of the highway causes traffic jams and collisions all the time these days. The idea that a hacker could cause all self-driving cars on a stretch of highway stop seeing obstacles is scary, but I'm not sure it would be any more difficult to do it to people than it is to do to an autonomous car.
Re: Re: Re: Re: Re: Re: This is why self-driving cars must be banned
Yes, BUT, and this is what you're missing, the scale is limited. The most catastrophic human-caused traffic accidents -- cascading highway pileups, usually in bad weather -- are extremely localized and very limited. Figure a quarter mile and a hundred cars as a rough idea of the scale.
Now multiply that by dozens for one city. Now multiply that by dozens for multiple cities. Now factor in that it can be done again an hour (because nobody will be able to react quickly enough to stop it). Now factor in that it WON'T be an accident, that is, that it will be done deliberately: accelerators engaged, not brakes, and cars steered into each other, not away.
Think that's far-fetched? Okay. Listen:
15 years ago, the only people who envisioned the possibility of an enormous global network of bots were those who'd read John Brunner's The Shockwave Rider and those who'd had some exposure to software worms. A few years later, there were over a hundred million. The scale of the problem became intractable in an alarmingly short time, and the only reason consequences haven't been worse is that almost none of those systems have control over physical devices. But they've been bad enough: billions have been expended fighting them and yet they continue to do damage to Internet infrastructure.
We are now seeing the same thing happening with the IoT, because -- apparently -- people were too stupid, too lazy, too ignorant, and mostly too arrogant to learn from the last episode. This includes the people building self-driving cars, who are so full of self-admiration that they're not considering what will happen if they succeed.
"We were so concerned with getting out that we never stopped to consider what we might be letting in, until it was too late." --- Leela Alexander
Re: Re: Re: Re: Re: This is why self-driving cars must be banned
There are multiple ways to massively mess with mechanical devices; they are just not as practical as attacking an electronic device that was never given proper security to begin with. Look at the killdozer: he only needed to molest a single mechanical device to fuck with a lot of others. Are you going to say that because bulldozers can easily be converted into cheap but damn effective tanks, they should be outlawed as well?
Manufacturers these days cannot resist the call to keep their creations connected and compromised at all times. The plebs known as consumers are entirely ignorant of the risks and essentially do nothing about it. There are quite a few ways that electronics can be made to be remotely unhackable.
Re: Re: Re: This is why self-driving cars must be banned
Or just a couple of nukes?
I'm pretty sure either of those would satisfy most of those criteria ;)
Re: Re: This is why self-driving cars must be banned
Unless they are forced to treat IoT, cars and similar things especially, as military-grade in terms of hardening, not allowing unnecessary bundling of systems and limiting connectivity, with a well-coded and tested RTOS, well, we are just waiting for worse things to happen. They always do. Rights and ideals or not, no innovation or market is going to cause these things to be fixed as they should be. It has not happened so far. Regulation is a crapshoot, and then we have people discussing how much it hurts innovation with unnecessary burden. And it could make things worse. Or it could be entirely clueless.
I don't have any suggestions other than what you have already pointed out. Only no one is going to do it.
Smart Refrigerators?
'Smart' appliances are expensive! Who the hell can afford one?! How could they even be such a problem!
Re: Re: Smart Refrigerators?
Your data overages from your water heater running a DDoS attack might cost you more than you save.
Is 620 Gbit/s really that much?
The amount of bandwidth available to individuals also hints at a possible solution: peer-to-peer delivery. Krebs is publishing basically static content. He could attach a digital signature to each article and put it on BitTorrent. Realistically, we need to make something like this that's more usable--built in to browsers, allows comments, doesn't publicly reveal who's reading, etc. And BitTorrent isn't great for tiny files. Still, it seems like something that would just need a bunch of hard work rather than years of research.
Re:
Suing companies for security negligence is (like suing anybody) something of a crapshoot. But if it starts to happen often enough, and harm enough companies' reputations, it could make a real difference.
Re:
a) illegal;
b) an actionable tort.
If there is no law requiring them to secure them, then there is no illegal act.
To bring a tort action, you'd have to also prove that you HAVE been (not could oneday mighta sorta be) actually damaged.
An excuse to pass more laws that restrict citizen rights in the name of protecting that which they intentionally left exposed.
Re:
IoT devices are insecure because it's cheaper and easier than making them secure. No need for any shady backroom scheming.
surprise on how often simple things are open
Perspective
Right now the movie with the largest number of seeds on TPB is the new Tarzan movie (counting only HD movies). It is 1.69GB, which is fairly standard for HD video torrents, and has 2424 seeds. Now, due to the way BitTorrent works, nearly all of those seeds do NOT have a full copy of the movie yet. Let's go for a simple answer and say they all have 1GB of the movie downloaded thus far.
This attack uses the same amount of traffic as 77 of those seeders, but it uses it EVERY SECOND, which they certainly do not.
Now, dividing 2424 by 77 gives us 31 seconds. This means that every 31 seconds, this attack uses more bandwidth than the TOTAL used by ALL of the seeders on the most popular HD Movie torrent on TPB.
Assuming this torrent lasted for 30 minutes - which would make it a very short DDoS attack by most standards - that means that this attack used the same amount of bandwidth as 138,600 seeders would on a typical HD movie torrent.
Now...didn't the MPAA say that a "majority" of traffic on the internet was caused by piracy?
Given that this attack alone used more bandwidth than the sum total of the first 2 pages of HD Movies on TPB COMBINED, can we declare that statement from the MPAA totally bogus yet?
Source: Common sense and a basic calculator.
Re: Perspective
...people want to watch the new Tarzan movie?
Could we have an attack this election?
Besides all I want out of this election is chaos, and that would bring it while showcasing an important issue.
Im_not_JB's argument
Massive networks of bots (whether traditional computers or IoT devices) are very dangerous tools; TechDirt at least acknowledges this (though it takes "their guy" getting his ox gored for them to realize it). In order to go after these people, law enforcement may have to take actions which manifest on devices in many different jurisdictions. This can effectively kill their progress, because it requires a ton of manpower to actually go to every single district in the country and file redundant paperwork and get everything coordinated/approved on some semblance of a schedule so that they can go, ya know, do police work. Part of the Rule 41 update is to fix this problem. Now, they still have to go get a judge's approval, but they don't have to get 50 judges' approvals for the same thing at the same time. Instead, they can take all the info to one judge (in a jurisdiction where a crime has been committed by said criminals), and he can approve a warrant for the botnet. He still needs suitable probable cause, and the warrant still needs a particularity requirement (i.e., they can't just go rooting around in your computer looking for evidence of unrelated crimes).
Next time, when you're reading the latest breathless TechDirt outrage word salad on Rule 41, remember this breathless TechDirt outrage word salad. Here, they're crying, "Something must be done!" Later, when they see that something reasonable is being done, they'll obstinately ignore any actual facts in order to whine that the government is doing things!
Who has the money
Most of the people I know can barely afford to have a five year out of date smart phone and a seven year out of date laptop as their primary computing platforms. Leftovers from when they were in college.
Have ANY of our Presidential candidates since Herbert Hoover been technically sophisticated? Sure, we've had Dr. Ben Carson and Dr. Ron Paul, but they've never come close to getting elected, and their field of expertise is medicine, not computer science.