10 things to know about the October 21 IoT DDoS attacks

On Friday, October 21, a series of Distributed Denial of Service (DDoS) attacks caused widespread disruption of legitimate internet activity in the US. Because the attacks targeted the Domain Name System (DNS) that makes sure information requests on the internet are delivered to the right address, a lot of normal activities such as online shopping, social media interaction, and listening to music, were not possible for periods of time. The length of disruptions varied, but in some cases it was several hours.

Here are 10 things it is important to know about the 10/21 IoT DDoS attacks, and others like them.

  1. The 10/21 attacks were perpetrated by directing huge amounts of bogus traffic at targeted servers, namely those belonging to Dyn, a company that is a major provider of DNS services to other companies. This made it hard for some major websites to work properly, including Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, and the PlayStation Network. Beyond these high profile sites, it is likely that thousands of online retail operations were disrupted.
  2. The 10/21 attacks were made possible by the large number of unsecured internet-connected digital devices, such as home routers and surveillance cameras. The attackers employed thousands of such devices that had been infected with malicious code to form a botnet. The software used to crawl the internet to find unsecured devices is freely available. Even though some of these devices are not powerful computers, they can generate massive amounts of bogus traffic to swamp targeted servers, especially when a large number of them are abused at once.
  3. The DDoS-enabling infections were made possible by the use of default passwords on these devices. Because the default passwords for most devices are widely known, anyone placing such a device on the internet without first changing the default password is, in effect, enabling attacks of the type witnessed on October 21, even if they are doing so unwittingly. Recent ESET research suggests at least 15% of home routers are unsecured (and the total number of home routers on the internet is probably on the order of several hundred million).
  4. Exploitation of unsecured digital devices on the Internet by malicious code can seriously disrupt daily life and economic activity in America. For example, it is likely that many millions of dollars in online sales were disrupted and revenue lost. Many companies had to divert resources to evaluate the impact of the attacks on their customers and employees and respond accordingly.
  5. There are some people who are willing and able to seriously disrupt daily life and economic activity in America by means of malicious code. They either don’t care that this negatively impacts tens of thousands of companies and hundreds of millions of consumers, or they are intentionally causing exactly these types of impact. The negative effect on the victims is the same regardless of the motives and intent of the attackers.
  6. Reducing the likelihood of future disruptions of this nature involves, among other things, convincing those who would abuse internet-connected digital devices for their own ends that this is a bad idea, while reducing the number of devices that can be abused.
  7. Reducing the number of internet-connected digital devices that can be abused is an achievable goal, one to which many members of society can contribute. Here are five tips for securing home routers that we published in 2014. Here are the top four actions recommended by US CERT in the wake of the latest attacks:
  • Ensure all default passwords are changed to strong passwords. (Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.)
  • Update IoT devices with security patches as soon as patches become available.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
  • Purchase IoT devices from companies with a reputation for providing secure devices.
  8. Malicious code infecting routers is nothing new, as this ESET research, reported in May 2015, clearly demonstrates. The advice to change the default password on home routers and other internet-connected devices is definitely not new and has been reiterated many times. In 2014, We Live Security highlighted the discovery of 73,000 security cameras with default passwords.
  9. What is new is the massive scale of the DDoS attacks that are made possible by unsecured internet-connected devices, the vast Internet of Things. This does not bode well for IoT, which has already attracted criticism from privacy advocates concerned about the security of personally identifiable information handled by IoT devices. Indeed, a recent survey revealed that 40% of Americans are not confident that IoT devices are safe and secure, with more than half of those surveyed indicating they were discouraged from purchasing an IoT device due to cybersecurity concerns.
  10. What is the bottom line on the 10/21 IoT DDoS attacks? I think it is this: we have been shown just how vulnerable the internet, which is now an integral part of the critical infrastructure of the US and many other countries, is to disruptive abuse conducted at scale, by persons whose identity is not immediately ascertainable. Until this vulnerability is addressed, it will cast a serious shadow over the future of connected technology, a future in which much hope and massive resources have already been invested.

Author Stephen Cobb, ESET

  • Micheal Pannell

    Umm!! dumb idiots actually think they can cause the same scaremongering with the internet to force out greater governing and restricting powers. The government is at work again fooling the public. Imagine if every home had a smart meter. woah!!

  • e3mrk

    If it happened they must have missed me, I had no problems.
    I agree with Micheal Pannell that it was a scare tactic.

  • Alex

    I’ve been trying to figure out why this is being discussed as an IOT device security failure and it turns out there is nothing wrong with IOT device security (yet). What I mean is that it’s not that security for IOT devices is not important, but this attack targeted very specific devices. And even then had people changed the default password, the security would have worked. People should realize a default password is like having no password (but I guess that’s the lesson learned here for the companies that even use default passwords).
    So it’s not like somebody hacked everyone’s cellphones, Alexa speakers, Tile trackers, Nest thermometers, Heart-rate monitoring devices, etc.
    When they initially said it was an IOT device hack I got excited because IOT is really broad and I was picturing a large range of consumer IOT products, but it was specific things. Routers aren’t even IOT products, they enable IOT products. Basically, the companies that do not allow the changing of the default password should be fined, the companies that do allow it should switch to a mandatory password assignment system and get a warning, and everyone else whose devices haven’t gotten hacked yet should know they can’t skimp on security.

  • Unfortunately, the threat is real. If you were unaffected, then good for you…you were lucky. The Internet of Things promises great potential, but it was sadly designed with security as an afterthought. Botnets are nothing new, so there would be no motivation for our government to fabricate these details.

    By the way, I’m probably more skeptical of the government than you are, lol. These botnets rely on just a couple of things: a sufficient volume of vulnerable devices and ease of access, either thru breakable passwords, like default passwords, or poorly written software that is insecure.

    Many people don’t realize that the IoT is soon going to involve many devices in your homes being IP addressed and interconnected…even to the ridiculous level of your toilet having an IP address and therefore, vulnerable to attack.

    We should all embrace IoT for the huge opportunities it will grant, but at the same time, we must all agree to properly recognize how much bigger of an attack surface it has potentially created.

Copyright © 2018 ESET, All Rights Reserved.