Distributed Denial-of-Service (DDoS) attacks exploit the very foundation of online connectivity. By targeting the foundation of your website’s infrastructure, attackers can cause millions of dollars in damage and cut their victim off from your online presence. Since 2016, Internet of Things (IoT) devices have rapidly strengthened the ranks of DDoS botnets: now, over half a decade later, the number of online devices continues to grow exponentially. The impact of this ricochets off business and government organizations, making DDoS protection an important part of any modern organization’s defenses.
How DDoS is a universal threat
When you try to load a web page or access an application, your request is routed from your browser through your network to the hosting server. This server takes care of processing such a request by identifying and sending back the exact page you want to see. This cyclical process of query processing is the basis of the Internet: Google alone monitors the processing of 3.5 billion queries per day.
DDoS attacks aim to disrupt the legitimate traffic that an attacked server, organization or network normally relies on by overloading critical infrastructure. Returning a page requires the server to devote a small amount of processing power to this task. Each request can consume small amounts of power, but this scales directly with the number of users requesting a page. When a victim is attacked by the DDoS botnet, each bot is individually armed to continually send requests to the victim’s app or website. This sudden influx of requests puts an incredible strain on the supporting servers; It’s also impossible to simply block the flood of incoming IP addresses, as each device looks identical to a legitimate user.
In the days of on-prem server stacks, DDoS attacks could easily wipe out a company’s online presence: the computing power would exceed the server’s capacity and simply render the website inaccessible to legitimate users. Now, however, cloud computing has freed small businesses from on-premises servers. The scalability of cloud-based server providers can mean your website can weather the technical storm—at a significant cost that’s falling for businesses.
The role of the IoT
The strength of a DDoS attack largely depends on the size of the supporting botnet. A botnet simply describes the attacker’s collection of internet-connected devices, or “bots”. These are recruited via fast-spreading, silent malware that aims to covertly control aspects of the device’s connectivity. The typical picture of a botnet is a small collection of PCs and laptops – after all, you surf the Internet with them. However, the Internet of Things (IoT) has provided remote peripherals for websites since the early noughties. From baby monitors to smart fridges, IoT devices have revolutionized the way we gather information about the world around us. The relatively small and peripheral nature of IoT devices means that not only is each individual likely to own multiple different devices, but the individual security of each often goes woefully disregarded.
Mirai was the first program with the explicit goal of recruiting these low-security IoT devices. By 2017, the number of IoT devices worldwide reached 8.4 billion. Mirai took advantage of this in a particularly clever way: IoT devices are inevitably connected to the Internet. Mirai scanned large parts of the internet for open telnet ports, and after detecting a connected IoT device, the malware simply attempted to log in using the 61 most common default credentials. Such a simple botnet recruitment process enabled Mirai to quickly amass an army of compromised individuals worth millions
Mirai was first created in 2016 by a student named Paras Jha. As an avid Minecraft player, he had already discovered the potential for making money in the server hosting Minecraft economy. The bitter rivalry between server hosters fuels constant skirmishes as servers launch crippling DDoS attacks against one another in hopes of engulfing the resulting exodus of players. To wipe out his competition forever, Jha created Mirai and then tested its destructive potential on his university’s systems. These attacks regularly coincided with important semester dates such as midterms and registration. While secretly coordinating these attacks, Jha also reached out to the university’s IT team, claiming he could stop these attacks if he was hired. After concerns that the student was under scrutiny by law enforcement, Jha released the source code for Mirai on the internet.
Just two months after the code was released, another threat actor recognized Mirai’s true destructive potential. On October 12, Mirai’s botnet wiped out internet connectivity across the US east coast. Mirai had been targeted at ISP Dyn, which, among other things, provides DNS services for high-profile websites and supports the browsing habits of millions of end users.
IoT developers must take responsibility
Over the past decade, the meteoric rise of IoT devices has far outpaced industry security measures. In the first half of 2022, the number of IoT vulnerabilities increased by another 57% compared to the previous six months. Only recently have developers been forced to face the security of their many IoT products head on: Vendor self-reports have increased by 69% over the same period.
The industries leading this security-focused IoT adoption are primarily medical. This is critical as operational technology continues to be a leading component of the future of IoT. More requirements need to be placed on vendors to adequately support and fund vulnerability disclosure programs.
For public organizations, the threat of IoT vulnerabilities is ever-present, even if IoTs are not directly involved in your tech stack. DDoS mitigation providers protect your website by detecting suspicious spikes in network traffic: once activated, all traffic is redirected to a high-volume gateway server. This relieves your own infrastructure and enables a more detailed analysis of the incoming traffic. Adding a verification process to the incoming requests then makes it possible to separate the malicious attack from your legitimate users.
