Large websites attacked by massive DDoS from Internet-enabled devices (IoT devices)

At the last weekend (21 Oct) many large websites such as Twitter, PayPal, Amazon etc. could not be accessed due to their DNS provider Dyn being attacked. From the study of security firm Flashpoint, a vast amount of vulnerable Internet-enabled, or ‘Internet of Things’ (IoT), devices such as router, IP camera, digital video recorders were compromised to become part of ‘Mirai’ botnet, which were controlled by attackers to launch the attack.

From our monitoring and information sources, in Hong Kong, the important Internet facilities (e.g. .hk DNS, HKIX etc.) and ISP, and hence our Internet access were not affected by the attack.

Regions affected by the attack (source: http://thehackernews.com/2016/10/dyn-dns-ddos.html)

Insecure IoT devices now a ‘handy tool’ for attacker

The attack was carried out first by compromising vulnerable IoT devices such as router and IP cameras with Mirai malware, and then form a botnet to launch the attack. These devices are vulnerable because many of them are not patched, and equipped only with weak credentials, i.e. many of these devices use well known default username and password. So it becomes handy for an attacker to control these devices.

In no more than 1 month, we already saw three instances of such large scale DDoS attacks. The earlier attacks on KrebsOnSecurity.com and OVH in September already reached the record high 620 Gbps and 1 Tbps bandwidth. These insecure and vulnerable IoT devices become a serious threat to the Internet availability.

Securing IoT devices essential to protecting Internet facilities in Hong Kong

Though Hong Kong was not affected in this attack, such means of attack can still be applied by someone who would like to attack any website or service provider in Hong Kong. Since those IoT devices can also be found in Hong Kong, securing them is essential to protect the Internet facilities and access of Hong Kong.

Being IoT device owner, you should secure your IoT devices immediately to prevent being abused to take part in any attack activity. Here are the suggestions on securing IoT devices:

1. Change the default password of the devices to a strong password.
2. Researchers have revealed that the attackers compromised the devices through its Telnet service (TCP port 23) to infect them with Mirai malware. Close the said service and related port if you do not need it. You can check whether the said service is open by the following webpage:
   http://www.yougetsignal.com/tools/open-ports/
3. If there is no need for your device to connect to the Internet directly, place it inside protected internal network, and only open the necessary services and ports.
4. If you suspect that your device is infected, unplug it from the network immediately, and shut down the device for a while. After switching it on, change the default password, and close the Telnet service and port mentioned above to prevent infection again.

References

• Mirai Botnet Linked to Dyn DNS DDoS Attacks (Flashpoint)
• Dyn Statement on 10/21/2016 DDoS Attack (Dyn)
• Hacked Cameras, DVRs Powered Today’s Massive Internet Outage (Krebs on Security)
• Heightened DDoS Threat Posed by Mirai and Other Botnets (US-CERT)
• Who Makes the IoT Things Under Attack? (Krebs on Security)
• Mirai: The IoT Bot That Took Down Krebs and Launched a Tbps DDoS Attack on OVH (F5)