Yesterday’s Dyn DDoS attack may be the way of the future

On Friday (21 October), cyber-criminals mounted a global DDoS attack on internet services firm Dyn. It was not immediately clear who was responsible; the U.S. Department of Homeland Security and the Federal Bureau of Investigation were both said to be investigating.

The attack severely impacted Dyn’s clients, which include Twitter, Reddit, Spotify and SoundCloud, among others. Just a few hours after Dyn said it had restored service, the attackers hit again, leaving the firm’s engineers scrambling to mitigate a second wave of the attack.

The size of these DDoS attacks has grown so much lately largely because of the ready availability of tools for compromising Internet of Things (IoT) devices and harnessing their collective network capacity: poorly secured Internet-connected security cameras, digital video recorders (DVRs) and home routers.

Last month, a hacker using the name Anna_Senpai released the source code for ‘Mirai’, a crime bot that enslaves IoT devices for use in this type of large DDoS attack. The 620 Gbps attack that hit the KrebsonSecurity site last month was launched by a botnet built on Mirai, and speculation that this latest attack used the same type of botnet is not without merit.

Update: Flashpoint Intelligence has linked this attack to Mirai.

Mirai uses routers + cameras

The Mirai botnet consists of tens of thousands of Internet-connected devices, including unsecured routers, DVRs and cameras. These IoT devices have proven vulnerable to simple hacks, giving attackers control of vast networks of devices able to generate extraordinary volumes of traffic, the key ingredient of a DDoS attack.

Brian Krebs published a list of manufacturers whose routers and cameras can easily be subverted by Mirai and conscripted as soldiers in this cyber battle.

These devices are easy to compromise mostly because their manufacturers ship them with default usernames and passwords, and in many cases they are placed outside the firewall, or are reachable through it because of Universal Plug and Play (UPnP), a protocol that lets a device on the local network ask the router to open inbound ports to it automatically.

UPnP allows these devices through the firewall

The US Government, via US-CERT, is recommending a number of preventive steps, including that owners disable UPnP on their firewalls and routers where possible.

Preventive Steps

To prevent a malware infection on an IoT device, users and administrators should take the following precautions:

  • Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
  • Update IoT devices with security patches as soon as patches become available.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
  • Purchase IoT devices from companies with a reputation for providing secure devices.
  • Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
  • Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
  • Monitor TCP ports 23 and 2323 for attempts to gain unauthorized control over IoT devices using the Telnet protocol.
  • Look for suspicious traffic on TCP port 48101. Infected devices often use port 48101 to send the results of their scanning back to the threat actor, which is how the malware spreads to new victims.
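As an added example, not part of the original post or the US-CERT alert, here is a small Python script that applies the two network indicators above to a connection log. It assumes a hypothetical log format of `<timestamp> <src>:<sport> -> <dst>:<dport> <proto>`, a local network of 192.168.1.0/24, and constructed sample lines; a real firewall or NetFlow export would need its own parser, but the detection logic is the same.

```python
"""
Added example (not the original author's code): flag Mirai-style indicators
in a connection log, based on the US-CERT port indicators above.

Assumptions (all hypothetical): one connection per line in the form
  <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
and a local network of 192.168.1.0/24.
"""
import ipaddress
import re
from collections import Counter, defaultdict

TELNET_PORTS = {23, 2323}   # ports the Mirai scanner targets for Telnet logins
REPORT_PORT = 48101         # port infected devices use to report scan results
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed home/office LAN

LINE_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\w+)$")

# Constructed sample log: one external scanner probing local devices, one
# local device (192.168.1.20) that is already infected and scanning outward,
# plus benign traffic and a malformed line for the parser to skip.
SAMPLE_LOG = [
    "2016-10-21T12:00:01 203.0.113.7:51112 -> 192.168.1.20:23 tcp",
    "2016-10-21T12:00:02 203.0.113.7:51113 -> 192.168.1.20:2323 tcp",
    "2016-10-21T12:00:03 203.0.113.7:51114 -> 192.168.1.21:23 tcp",
    "2016-10-21T12:00:04 192.168.1.20:40001 -> 198.51.100.5:23 tcp",
    "2016-10-21T12:00:05 192.168.1.20:40002 -> 198.51.100.9:2323 tcp",
    "2016-10-21T12:00:06 192.168.1.20:40003 -> 198.51.100.44:23 tcp",
    "2016-10-21T12:00:07 192.168.1.20:40004 -> 198.51.100.77:48101 tcp",
    "2016-10-21T12:00:08 192.168.1.30:40005 -> 198.51.100.5:443 tcp",
    "2016-10-21T12:00:09 192.168.1.30:40006 -> 203.0.113.7:23 tcp",
    "2016-10-21T12:00:10 198.51.100.5:5353 -> 192.168.1.20:23 udp",
    "this line is not a connection record",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, proto = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto.lower()}


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def analyse(lines, scan_threshold=3):
    """Return the indicators found in the log.

    inbound_telnet_sources: external IPs that hit local Telnet ports at least
        scan_threshold times (someone is brute-forcing your devices).
    likely_infected: local hosts that scanned >= scan_threshold distinct
        external hosts on Telnet ports, or reported to an external 48101.
    reporting_hosts: local hosts seen talking to an external TCP 48101.
    """
    inbound_telnet = Counter()          # external src -> attempts on local Telnet ports
    outbound_telnet = defaultdict(set)  # local src -> external hosts it probed on Telnet ports
    reporting = set()                   # local hosts sending to external 48101
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        src_local, dst_local = is_local(rec["src"]), is_local(rec["dst"])
        if rec["dport"] in TELNET_PORTS:
            if not src_local and dst_local:
                inbound_telnet[rec["src"]] += 1
            elif src_local and not dst_local:
                outbound_telnet[rec["src"]].add(rec["dst"])
        if rec["dport"] == REPORT_PORT and src_local and not dst_local:
            reporting.add(rec["src"])
    scanners = {ip for ip, dsts in outbound_telnet.items() if len(dsts) >= scan_threshold}
    return {
        "inbound_telnet_sources": {ip: n for ip, n in inbound_telnet.items() if n >= scan_threshold},
        "likely_infected": sorted(scanners | reporting),
        "reporting_hosts": sorted(reporting),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the sample data the external address 203.0.113.7 can only reach the cameras' Telnet ports because something (a port forward or UPnP mapping) exposes them, which is exactly the exposure the post describes; the internal host 192.168.1.20 is then seen doing what a Mirai bot does, probing other Telnet ports and reporting to 48101. The threshold of three is deliberately low for the demo; on a real network tune it against your baseline, and treat a single outbound connection to port 48101 as worth a look on its own.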

Our recommendation: if you’re a business, don’t use a consumer-grade camera or router. You need a fully featured firewall, not a toy. Get a business-grade firewall, such as a Sophos UTM or a WatchGuard firewall. Whatever you choose, the firewall is not a substitute for the basics: the cameras and DVRs behind it still need their default passwords changed, and they should not be reachable from the Internet at all.

Ready for the right solutions?

It’s time to offload your technology troubles and security stress.