Look out Twitter, Amazon, and Facebook – as well as the internet community as a whole. A large botnet army is growing daily with over 2 million Internet of Things (IoT) devices currently under its control. The latest threat has been dubbed “Reaper,” and has quietly infected millions of IoT devices such as webcams, security cameras, and digital video recorders in the last few months.
The primary concern with this attack is that this large-scale army could hold websites hostage. These attacks happen in two phases. Phase 1 is simply showing their victims that it’s possible. For example, last October the Mirai attack against the DYN root server (one of 13 master servers across the internet that’s used for locating resources on the internet) brought down the internet along the entire East Coast of the United States. This attack was conducted with 100,000 bots – far fewer than the 2 million that Reaper has under its control. In simple terms, 100,000 IoT devices sent data traffic targeted at DYN, so much traffic that the services being hosted by the company were not able to respond. This is a Denial of Service attack, but because it was distributed across the internet it is officially termed a Distributed Denial of Service attack, or DDOS. DDOS attacks are generally very difficult to protect against, although not completely impossible.
Phase 2 is the “shakedown” itself. Once the attacker has proven to their victims that they can, in fact, deploy a Denial of Service attack on their site, they will then threaten to bring it down during its peak period, like the holiday shopping season or a major event like the Super Bowl, unless a ransom is paid. If the ransom isn’t paid, the site goes down and businesses could quickly end up losing revenue. Most recently a DDOS attack was believed to be an extortion attempt on a Hong Kong gaming site.
You may be wondering what happens if a ransom isn’t paid. Let’s take a quick look at the financial impact of these types of outages. In 2015 Apple faced a 12-hour outage that cost them $25 million, while Amazon’s outage was estimated to have lost them $62,000 per minute. Smaller companies like Yellowknife Grocer lost about $20,000 for a two-hour outage. In a virtual world, these are the real-life costs of cybercrime.
Protecting against DDOS attacks can be very simple – fix what is broken. In the old days (a few years ago), most DDOS attacks were performed by computers that were vulnerable to exploits. In 2006, a new, unprotected computer could be compromised in as little as 10 seconds. Today, however, attacks on unprotected computers are no longer measured, which speaks to the evolution of security from vendors like Microsoft, Apple, and Red Hat. Now, the threat is with IoT devices, which data shows can be infected in as little as 6 minutes after going online. There are 7 billion devices online today and a projected 26 billion by 2020. That’s 7 billion devices that have the potential of being compromised right this minute, with more being added every second. Reaper has compromised less than half of 1% of these devices and is the most powerful botnet to date.
There are two ways to address this problem. The simple way, and frankly the best option, is to hold the manufacturers of these devices responsible for automated patching, updates, and other security measures. Software vendors like Microsoft and others have started building in automatic updates to enhance and protect their software, resulting in fewer support calls and a more secure operating environment. Vendors like Meraki have been doing this for years. Every Sunday, the device checks for updates and applies them. During the initial deployment, the device is updated to the latest version of the software. What is preventing this from happening across the board, however, is bottom-line profits. In the case of Meraki, a yearly subscription provides the updates; however, my Netgear wireless router – for example – is purchased once with no ongoing support. The user has to go and get the updates, which in most cases is not going to happen proactively.
In a perfect world automated updates would mitigate threats in the same way Microsoft and Apple have. Unfortunately, we don’t live in a perfect world and we need to have a “belt and suspenders” approach to security. Which brings us to the second way to potentially avoid botnet attacks. We need to work with service providers to identify risks and mitigate them. Let’s not be so naïve as to believe our traffic is not monitored. In fact, in the United States we agree to it automatically, whether we realize it or not, when we utilize services from Verizon, Comcast, and others. ISPs need to publicly and actively monitor their traffic for abuse and exploits. If we can identify 2 million bots across the internet, we have a good idea of what traffic is being generated from which network. ISPs have the ability to mitigate botnets and their effectiveness by shutting down the source, all within the service level agreement that users agree to when subscribing to the service. Although this opens a can of worms and could be a slippery slope, we must do something to mitigate these threats as a community.
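The paragraph above argues that an ISP which watches its own traffic can tell which customer devices are behaving like bots. The following is an added example, not code from the article or from any ISP, of what such a per-source check could look like over NetFlow-style records: it flags a source that floods one destination (the DDOS traffic described earlier) and a source that fans out to many hosts on ports that IoT malware commonly probes (the way newly infected devices look for more victims). The record layout, the thresholds, the port list, and every sample flow are constructed assumptions for illustration.

```python
"""Toy bot-detection pass over NetFlow-style records (added example).

Two heuristics, both assumptions chosen for illustration:
  1. "flood": one source sends >= FLOOD_FLOWS flows to a single destination
     within FLOOD_WINDOW_S seconds.
  2. "scan":  one source touches >= SCAN_FANOUT distinct hosts on SCAN_PORTS
     within the same window.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # start time, seconds since epoch (constructed)
    src: str         # customer-side source IP
    dst: str         # destination IP
    dport: int       # destination port
    packets: int     # packets in the flow


FLOOD_WINDOW_S = 10.0   # assumed sliding window length
FLOOD_FLOWS = 500       # assumed flows-to-one-destination threshold
SCAN_PORTS = {23, 2323} # telnet ports widely probed by IoT malware
SCAN_FANOUT = 50        # assumed distinct-destination threshold


def flag_suspect_sources(flows):
    """Return {src_ip: set_of_reasons} for sources matching either heuristic."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)

    reasons = defaultdict(set)
    for src, fl in by_src.items():
        start = 0
        for end in range(len(fl)):
            # advance the window start so it spans at most FLOOD_WINDOW_S
            while fl[end].ts - fl[start].ts > FLOOD_WINDOW_S:
                start += 1
            window = fl[start:end + 1]
            per_dst = defaultdict(int)
            scan_dsts = set()
            for f in window:
                per_dst[f.dst] += 1
                if f.dport in SCAN_PORTS:
                    scan_dsts.add(f.dst)
            if max(per_dst.values()) >= FLOOD_FLOWS:
                reasons[src].add("flood")
            if len(scan_dsts) >= SCAN_FANOUT:
                reasons[src].add("scan")
    return dict(reasons)


def sample_flows():
    """Constructed records: one flooding device, one scanning device, one normal."""
    flows = []
    # 10.0.0.5: 600 flows in under 5 s, all at one web server -> flood
    for i in range(600):
        flows.append(Flow(1000.0 + i * 0.008, "10.0.0.5", "203.0.113.10", 80, 3))
    # 10.0.0.7: probes 60 distinct hosts on port 23 within 8 s -> scan
    for i in range(60):
        flows.append(Flow(1000.0 + i * 0.13, "10.0.0.7", f"198.51.100.{i + 1}", 23, 1))
    # 10.0.0.9: ordinary browsing, a dozen flows spread over a minute -> clean
    for i in range(12):
        flows.append(Flow(1000.0 + i * 5.0, "10.0.0.9", "203.0.113.20", 443, 40))
    return flows


if __name__ == "__main__":
    for src, why in sorted(flag_suspect_sources(sample_flows()).items()):
        print(src, sorted(why))
```

On the constructed input the pass reports 10.0.0.5 as a flood source and 10.0.0.7 as a scanner, and leaves 10.0.0.9 alone. In practice the output would feed a customer-notification or quarantine workflow rather than an automatic disconnect, and the thresholds would be tuned per network; the point is that the signal the paragraph relies on (which device, on which network, is generating the abusive traffic) is visible in flow data the provider already has.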
We have community policing in the real world, and now it’s time to extend it to the internet.