
Mirai IoT botnet code release raises fears of surge in DDoS attacks

Organisations with an online presence should prepare for terabit-class IoT botnet-based DDoS attacks that could knock almost any business offline or disable chunks of the internet, warn security experts

Security experts fear that the release of the code for the Mirai botnet will prompt a surge in powerful distributed denial of service (DDoS) attacks that will knock almost any company offline.

The malware code, released on an underground forum at the beginning of October, enables attackers to hijack thousands of devices making up the internet of things (IoT), such as webcams, to carry out DDoS attacks.

The Mirai malware spreads by scanning the internet for IoT devices, including routers, that are protected only by default usernames and passwords, then infecting and hijacking them to carry out DDoS attacks.

Security blogger Brian Krebs, who believes Mirai was used to hit his news site with a DDoS attack of 620 gigabits per second (Gbps) in size on 20 September 2016, said the release of the malware code virtually guarantees that the internet will soon be flooded with attacks from many new botnets.

A week later, French hosting firm OVH was hit by an attack that peaked at more than one terabit or 1,000 gigabits per second.

The OVH attack set a new record and is believed to have been enabled by using the combined bandwidth of a botnet of 150,000 IoT devices, according to The Hacker News.

The power of the Mirai botnet far exceeds that of earlier IoT botnets, discovered in June 2016, that were used to launch DDoS attacks of around 400 Gbps in Brazil and the US.

“We will almost certainly see a surge in DDoS activity due to the release of this source code, if not for specific reasons, then people just having a play with the code to see what it does,” said Mark James, security specialist at security software firm Eset.

“The biggest problem is that by their very nature IoT devices are designed to be connected and often remotely managed. One of the biggest failures encountered in the security of these devices is not changing the default passwords used from setup,” he said.

James recommends that any company or individual concerned about their hardware should immediately switch off the device, reset to factory settings and change the default password.

‘No limit’ to size of attacks

Stephanie Weagle, senior director at Corero Network Security, said the release of the Mirai code should be concerning for networking and security professionals worldwide, especially internet service providers (ISPs). 

“IoT devices are plug-and-play and the average user is incapable or uninterested in security and may never apply an upgrade or security patch to the device. So if an IoT device ships with an exploitable vulnerability, it will likely remain vulnerable throughout its lifecycle,” she said.

This problem is exacerbated by the fact that the majority of users will never change default usernames and passwords, said Weagle. “The bad guys know this and gain access to these devices in droves using well understood default credentials,” she said.


Weagle warned there is really no limit to the potential size and scale of future botnet-driven DDoS attacks, particularly when they harness the full range of smart devices incorporated into the internet of things.

“Terabit-class attacks may be increasingly common and ‘breaking the internet’ – or at least clogging it in certain regions – could soon become a reality. The bottom line is that attacks of this size can take virtually any company offline – a reality that anyone with an online presence must be prepared to defend against,” she said.

Art Swift, president of the prpl Foundation, a not-for-profit organisation that aims to create a safer and more secure connected world, said that, although “unfortunate”, the release of the Mirai code may hasten popular understanding of the insecurity of personal devices as IoT-based DDoS attacks proliferate.

“Our Smart Home Security report shows that consumers are willing to take on more security responsibility – if only they knew how. Nobody likes being a pawn in someone else’s game, so I hope this will be an opportunity for the industry and consumers to take action,” he said.
