When IoTs Become BOTs, The Dark Side of Connectedness


Each day our lives become more connected. We revel in our mastery over our domain as we tap on smart phones to change the heat in our home, see who’s at the front door or remotely start our car on a snowy morning. Connectivity makes our lives easier, and more enjoyable. There is a dark side though to all of this connectedness, if we can control these devices then it’s possible others can as well. Last Friday we saw a harbinger of what can be achieved with Internet of Things (IoT) devices that are poorly designed. At one point Dyn reported 10s of millions of IoT device IP addresses that were sending them huge volumes of bogus network traffic. Dyn is one of the root Name Servers on the Internet. This congestion effectively slowed access to a crawl for east coast US users of Amazon, Twitter, Github, Reddit, and many other popular sites.

The compromised IoT devices all appear to be built using the Swiss Army knife of Embedded Linux, BusyBox, and as such might not be readily patchable. Most of these IoT devices are webcams, smart DVRs, and home routers, but they are just the tip of the 1.2 million device iceberg that is the Mirai Botnet. To put this number in perspective the current active duty strength of the US Armed Forces is nearly the same number, 1.28 million. Image all of our active duty military sitting at keyboards running programs to attack a single website, that’s the power that “Anna_Senpai” the single person behind Mirai wields. Now by contrast Mirai isn’t the largest BOTnet we’ve ever seen, others like Conficker or Cutwall were larger, but this is the first one built entirely of IoT devices.

So how can we cut Mirai off at the knees? Well it’s actually pretty simple, create a unique userid and password on all your IoT devices. All the devices in Mirai were hijacked because the owners of these devices never changed the product’s default userid or password. If you’re still running with the defaults on your home router, and other IoT devices, please change them now. You may be a slave to Mirai, and not even know it.

What if you’re the next target for Mirai, how can you defend yourself? Turns out Dyn wasn’t the first victim, a month earlier Mirai was used to attack Brian Krebs, noted cyber security blogger. Brian Krebs had recently published an article on a company that sold DDoS as a service. At its peak the DDoS assault against his Blog reached 620 Gigabits/second, effectively silencing Krebs for a short time. When attackers are this diverse the most effective solution is often to distribute the attack load across numerous devices and deploy special hardware filtering in silicon at the edge that is designed to mitigate these attacks. In Brian Krebs case he moved over to Google’s “Project Shield” a platform designed to host journalists who otherwise might be silenced by DDoS attacks.

russell_sternRussell Stern has served as President and CEO at Solarflare Communications since 2004. He was formerly President and CEO at JNI Corporation in San Diego, California. Prior to JNI, Stern served as General Manager and COO at Quantum Corporation.


Comments are closed.