Distributed Denial-of-Service (DDoS) attacks abuse the very foundation of online connectivity. By taking aim at the infrastructure beneath your site, attackers can cause millions in damages, cutting their victim off from its own online presence. Since 2016, Internet of Things (IoT) devices have rapidly bolstered the ranks of DDoS botnets, and now, over half a decade later, the number of online devices continues to grow exponentially. The repercussions are ricocheting through businesses and government organizations, making DDoS protection a vital part of a modern organization’s defenses.
How DDoS Is A Universal Threat
When you attempt to load a webpage or access an application, your request travels from your browser, over your network, to the hosting server. That server processes the request, identifying and returning the precise page you asked for. This request-and-response cycle is the foundation of the internet: Google alone oversees the processing of 3.5 billion requests per day.
DDoS attacks aim to disrupt the legitimate traffic that a targeted server, organization or network relies on by overwhelming its critical infrastructure. Returning a page requires the server to dedicate a small amount of processing power to the task. Each request draws only a little, but the total scales directly with the number of users requesting pages. When a victim is targeted by a DDoS botnet, each bot is individually weaponized to send requests to the victim’s app or site continuously. This sudden influx of requests places incredible strain on the supporting servers, and the flood cannot simply be blocked by source IP address, because each device looks identical to a legitimate user.
In the days of on-prem server stacks, a DDoS attack could easily wipe out an organization’s online presence: the processing demand would exceed the server’s capacity and simply make the site unavailable to legitimate users. Now, however, cloud computing has unshackled small businesses from local servers. The scalability of cloud-based server providers may mean that your site can weather the technical storm – at severe, enterprise-sinking cost.
The Role of IoT
The power of a DDoS attack depends largely on the size of its supporting botnet. A botnet is simply the attacker’s collection of internet-connected devices, or ‘bots’. These are recruited via fast-spreading, silent malware that aims to stealthily control aspects of the device’s connectivity. The typical image of a botnet is a small assortment of PCs and laptops – after all, they’re what you use to surf the web. However, the Internet of Things (IoT) has been putting networked peripherals online since the early noughties. From baby monitors to smart fridges, IoT devices have revolutionized the way we collect information on the world around us. The small, peripheral nature of IoT devices means that not only does each individual likely own several different devices, but the security of each is often left shockingly unattended.
Mirai was the first program with the explicit goal of recruiting these low-security IoT devices. By 2017, the number of IoT devices had reached 8.4 billion globally. Mirai took advantage of this in a particularly clever way: IoT devices are necessarily connected to the internet. Mirai scanned large swathes of the internet for open Telnet ports, and once a connected IoT device was discovered, the malware would simply attempt to log in using the 61 most common default login details. Such a simple recruitment process allowed Mirai to rapidly amass a millions-strong army of compromised
Mirai was first created in 2016 by an undergraduate student named Paras Jha. An avid Minecraft player, he had already discovered the money-making potential of the Minecraft server-hosting economy. The fierce rivalry between server hosts leads to continuous skirmishes, as servers launch crippling DDoS attacks against one another, hoping to gobble up the resulting exodus of players. Looking to wipe out his competition for good, Jha developed Mirai, then tested its destructive potential on his university’s systems. These attacks consistently coincided with important term dates, such as midterms and registration. While stealthily coordinating these attacks, Jha also reached out to the university IT team, claiming he could stop them if he were hired. Concerned that he was under scrutiny by law enforcement, Jha released the Mirai source code onto the internet.
Only two months after the code’s publication, another threat actor realized Mirai’s true destructive potential. On October 12th, Mirai’s botnet proceeded to wipe out internet connectivity across the East Coast of the US. Mirai had been aimed at the internet services provider Dyn, which – amongst other things – provides DNS services for high-profile sites, supporting the browsing habits of millions of end users.
IoT Developers Must Take Responsibility
For the last decade, the meteoric rise of IoT devices has vastly outstripped the industry’s security measures. In the first half of 2022, the number of IoT vulnerabilities rose by yet another 57% over the previous six months. Only recently have developers been forced to confront the security of their many IoT products head-on: vendor self-disclosures increased by 69% in the same timeframe.
The industries leading this security-first IoT adoption are primarily in the medical field. This is vital, as operational technology continues to be a leading component of IoT’s future. More demands must be placed on vendors to adequately support and fund vulnerability disclosure programs.
For organizations in the public eye, the threat from IoT vulnerabilities is ever-present, even if no IoT devices are directly involved in your tech stack. DDoS mitigation providers defend your site by detecting suspicious spikes in network traffic: once engaged, all traffic is shifted over to a high-volume gateway server. This takes the pressure off your own infrastructure and allows closer inspection of the incoming traffic. By adding a verification step to incoming requests, it then becomes possible to separate the malicious attack from your legitimate users.
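The two mitigation steps just described, spike detection and challenge-based separation of traffic, as an added example that is not code from the article or from any mitigation vendor. The log line format, the thresholds and the documentation-range sample addresses are assumptions; the burst of 80 unverified sources is constructed to stand in for a small botnet.

```python
# Added example (not the page's or any vendor's code): fixed-window request-rate
# spike detection plus challenge-based separation; log format and thresholds assumed.
from collections import Counter
from datetime import datetime, timedelta

WINDOW_SECONDS = 10   # assumed bucket size for measuring request rate
BASELINE_RPS = 1.0    # assumed normal request rate for this site
SPIKE_FACTOR = 5.0    # flag a window that runs at more than 5x baseline

def make_sample_log():
    """Constructed lines '<ISO timestamp> <client_ip> <challenge>'; <challenge> is
    'ok' if the client completed the gateway's verification step, '-' if not."""
    t0 = datetime(2016, 10, 21, 11, 0, 0)
    lines = []
    for i in range(30):  # normal traffic: two clients, one request every 2 s
        ip = "203.0.113.5" if i % 2 == 0 else "203.0.113.9"
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} {ip} ok")
    burst = t0 + timedelta(seconds=20)  # 80 distinct sources inside 10 s, none verified
    for i in range(80):
        lines.append(f"{(burst + timedelta(seconds=i % 10)).isoformat()} 198.51.100.{i + 1} -")
    return lines

def parse_line(line):
    ts, ip, challenge = line.split()
    return datetime.fromisoformat(ts), ip, challenge == "ok"

def detect_spikes(lines, window=WINDOW_SECONDS, baseline=BASELINE_RPS, factor=SPIKE_FACTOR):
    """Return [(window_start, requests_per_second)] for each fixed window, counted
    from the first request, whose rate exceeds factor * baseline."""
    events = sorted(parse_line(l) for l in lines)
    if not events:
        return []
    t0 = events[0][0]
    counts = Counter(int((ts - t0).total_seconds()) // window for ts, _, _ in events)
    return [(t0 + timedelta(seconds=b * window), n / window)
            for b, n in sorted(counts.items()) if n / window > factor * baseline]

def separate_traffic(lines, spikes, window=WINDOW_SECONDS):
    """Inside flagged windows, split source IPs by whether they passed verification."""
    flagged = [(s, s + timedelta(seconds=window)) for s, _ in spikes]
    verified, suspect = set(), set()
    for ts, ip, passed in map(parse_line, lines):
        if any(s <= ts < e for s, e in flagged):
            (verified if passed else suspect).add(ip)
    return verified, suspect

if __name__ == "__main__":
    log = make_sample_log()
    spikes = detect_spikes(log)
    ok, bad = separate_traffic(log, spikes)
    for start, rate in spikes:
        print(f"spike at {start.time()}: {rate:.1f} req/s, {len(ok)} verified, {len(bad)} suspect")
```

Only the window containing the burst is flagged; the two legitimate clients that were active during it are kept apart from the 80 unverified sources, which is the separation the gateway's verification step is meant to provide.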