Industry News Smart Home

DDoS attack by massive IoT botnet takes down Krebs on Security

The internet of things is turning into an intensely debated technology because of the proven security risks. The weak passwords on devices and accounts make it easy for hackers to install malware on any appliance, which is then used to launch DDoS attacks. As the number of DDoS attacks is on the rise, no user is exempt, not even security writer Brian Krebs, as hackers showed last week.

Cyber security blog Krebs on Security, owned by best-selling author Brian Krebs, was taken down last Tuesday following a major distributed denial-of-service (DDoS) attack. Around 620 Gigabits of traffic per second were launched by a botnet allegedly made up of 1 million compromised IoT devices with bad passwords such as routers, cameras, lightbulbs and thermostats.

Source: Twitter
Source: Twitter/@briankrebs

The attack was so aggressive that the Akamai platform could not handle the resources needed to fight it, especially since they were hosting Krebs’ account for free. After resisting the attack for three days, the company had to cancel it. Had the cloud services provider continued to fight, “millions of dollars in cybersecurity services” would have been spent.

In spite of being “among the biggest assaults the Internet has ever witnessed,” it failed, wrote Krebs on his site.

“It’s not junk traffic,” Andy Ellis, Akamai’s chief security officer, told NetworkWorld, pointing out the attack consisted of genuine http requests.

“Many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods,” noted Krebs.

Akamai Technologies is investigating to release an accurate estimate of the number of IoT devices involved in the attack and to come up with a proper security strategy for the future.

“The lesson for enterprises is that the DDoS protections they have in place need to be tweaked to handle higher attack volumes,” Ellis added.

The blog is again online after Google offered its services through the Project Shield program, a free service which could better handle such attacks in the future.

About the author

Luana PASCU

From a young age, Luana knew she wanted to become a writer. After having addressed topics such as NFC, startups, and tech innovation, she has now shifted focus to internet security, with a keen interest in smart homes and IoT threats. Luana is a supporter of women in tech and has a passion for entrepreneurship, technology, and startup culture.

2 Comments

Click here to post a comment

  • This Internet of Things is somewhat a new technology. It needs to have high security as it can be dangerous if security is not maintained. This article was really great as it was different from others. Good luck and keep sharing more with us.

  • As per one of the recent research millions of Internet-connected (IoT) devices are used as the source for web based credential stuffing campaigns. By digging little deeper, it also showed the evidence that these IoT devices were being used as proxies to route malicious traffic due to some default configuration weaknesses in their operating systems.

    These weaponized IoT DDoS-based attacks have become more common, as many IoT devices share common operating systems, which can carry known, unpatched or easily discoverable software flaws. The down side is that these IoT devices does not have enough capacity to provide robust security and more to add it collects more than needed data and also lacks in proper encryption. So, once a hacker has access to an IoT device, they can use bots to search the web for other similar models.