
Malware-infected IoT devices used in massive DDOS attack

by

hack

UPDATE 22/10: The large DDOS attack that took down numerous websites on Friday is believed to have been the result of hackers using IoT devices such as webcams to flood servers with requests.

The attack targeted DNS host Dyn, with outages varying by geography, beginning in the eastern US and spreading to Europe.

As The Guardian reports, the hackers "used hundreds of thousands of internet-connected devices" which had been infected with malicious code.

By using these infected devices to flood Dyn's servers with requests, the hackers were able to orchestrate one of the largest DDOS attacks ever seen.

Security researchers working with Dyn have reportedly found some of the malicious traffic was coming from a network of web-enabled CCTV cameras.

These devices were made by the Chinese company XiongMai Technologies and were networked together to form what is referred to as a 'botnet' to take down Dyn's servers.

Hackers reportedly used the malware program Mirai to turn the network of CCTV cameras at security firm Flashpoint against Dyn.

Level 3 Communications warned in a blog post earlier this week about the potential for the kind of attack seen on Friday after Mirai's source code was leaked.

As the company explained: "Mirai targets IoT devices. The majority of these bots are DVRs (>80 percent) with the rest being routers and other miscellaneous devices, such as IP cameras and Linux servers.

"With the recent and frequent introduction of new Mirai variants, we expect continued DDoS activity from Mirai botnets. The structure of these botnets is evolving as different owners adapt the malware."

Dyn said the attack was “resolved” just after 6pm New York time, but it remains unclear who is responsible for the botnet, and why the attack was carried out.

However, a tweet from Wikileaks seems to show that its supporters were to blame:

We'll keep you updated as more becomes available.

UPDATE 21/10: Outages continued throughout Friday evening, affecting many of the web's largest outlets, including the likes of Twitter, Reddit, Netflix, Spotify, Soundcloud, the New York Times and indeed, this very website.

Experts are suggesting the large-scale DDOS attack which took down the DNS host Dyn may have been facilitated through a vulnerability in Internet of Things devices.

According to the cyber-intelligence firm Flashpoint, a Mirai-based botnet has been used to go after IoT devices with weak login credentials.

Effectively, this has turned those gadgets against the web by using them to flood servers with requests.

At the time of writing, things appear to be back to normal (hence our ability to update this story). We'll keep you posted.

Original story continues below...

Dozens of websites, including Twitter, Spotify, and SoundCloud, went down today in what looks like the result of a large DDOS attack on a DNS host's servers.

Hackers are said to have launched the attack, which floods servers with thousands of requests to overload them and knock them offline, on DNS host Dyn this morning.
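The paragraph above describes the mechanism of a DDOS attack, a flood of requests that overloads the server. The following Python script is an added illustration, not part of the original article or of Dyn's tooling: a sliding-window detector run over constructed DNS query log lines (the log format, IP addresses, timestamps and thresholds are invented for the demo). It flags a flood only when the query rate jumps and the traffic comes from many distinct clients, which is what separates a botnet-driven flood from a single misbehaving client.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

def parse_line(line: str):
    """Parse one constructed log line: '<ISO-8601 UTC time> <client IP> <queried name>'."""
    ts, client, qname = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when.timestamp(), client, qname

def detect_floods(lines, window=10, qps_threshold=20.0, min_sources=50):
    """Sliding-window detector (assumed thresholds, tune for your own traffic).

    Raises an alert when the query rate over `window` seconds reaches
    `qps_threshold` AND the queries come from at least `min_sources` distinct
    clients. The second condition separates a distributed flood from one
    noisy client, which is a different problem with a different response.
    """
    events = deque()                 # (timestamp, client) still inside the window
    per_source = defaultdict(int)    # client -> number of its queries inside the window
    alerts, alerting = [], False
    for line in lines:
        ts, client, _ = parse_line(line)
        events.append((ts, client))
        per_source[client] += 1
        while events and events[0][0] <= ts - window:      # expire events that left the window
            _, old_client = events.popleft()
            per_source[old_client] -= 1
            if per_source[old_client] == 0:
                del per_source[old_client]
        qps = len(events) / window
        flood = qps >= qps_threshold and len(per_source) >= min_sources
        if flood and not alerting:                          # one alert per flood, not per line
            alerts.append({"start": line.split()[0], "qps": qps, "sources": len(per_source)})
        alerting = flood
    return alerts

def make_sample_log(distributed: bool):
    """Constructed sample (not real telemetry): 60 s of quiet traffic, then a 5 s burst
    of 200 queries/s, either from 200 distinct sources or from a single client."""
    start = datetime(2016, 10, 21, 11, 9, 0, tzinfo=timezone.utc)
    lines = []

    def stamp(sec):
        return (start + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")

    for sec in range(65):
        for k in range(2):                                  # background: 2 queries/s from 5 clients
            lines.append(f"{stamp(sec)} 198.51.100.{(sec * 2 + k) % 5 + 1} twitter.com")
        if 60 <= sec < 65:                                  # the burst
            for i in range(200):
                src = f"203.0.113.{i + 1}" if distributed else "192.0.2.99"
                lines.append(f"{stamp(sec)} {src} twitter.com")
    return lines

if __name__ == "__main__":
    print("distributed burst:", detect_floods(make_sample_log(distributed=True)))
    print("single-source burst:", detect_floods(make_sample_log(distributed=False)))
```

Run stand-alone, the distributed sample produces exactly one alert starting at 11:10:00Z with well over 50 sources, while the single-source burst of the same volume produces none; a rate-only rule would treat both the same, which is why the source-count condition matters when deciding whether a botnet is involved.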

While it remains unclear whether the attack is to blame for the outage, which reportedly affected Twitter, Etsy, SoundCloud, Spotify, Reddit, and numerous others, it seems highly likely the two are linked.

Domain Name Servers (DNS) handle requests from users to navigate to a particular webpage, ensuring you end up where you're supposed to be – making it impossible to visit a site if the DNS host is down.

Some, if not all, of the sites affected are back online, or are coming back online for some users, but the problem still seems to be ongoing.

Dyn posted the following on its site: “Starting at 11:10 UTC on October 21th-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure.

"Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.”

Hacker News reports the following websites as being hit by the outage:

- DYN

- Twitter

- Etsy

- Github

- soundcloud

- spotify

- heroku

- pagerduty

- shopify

- intercom (app, not landing page)

Dyn said the attack "is mainly impacting US East and is impacting Managed DNS customers in this region. Our Engineers are continuing to work on mitigating this issue."

We'll have more as the story develops, so stay tuned.


Let us know if you've experienced any issues in the comments.

Bugblatter

October 21, 2016, 9:15 pm

"Domain Name Servers (DNS) handle requests
from users to navigate to a particular webpage, ensuring you end up
where you're supposed to be – making it impossible to visit a site if
the DNS host is down."

No they don't. The browser asks the DNS server for the IP address that matches the domain name (e.g. google.com) that you typed or clicked on. The DNS server tells the browser and the browser then goes to that IP address.

If a DNS host is down it's still possible to get to the site either using the IP address directly (if you know it) or using one of the other million DNS servers that hold exactly the same information as the borked one (unless these DNS lookups were set to a short TLD (cache lifetime)). There's a helluva lotta redundancy in the DNS system.

Some sites don't work if you go to them via IP address but most do.
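The article's description of DNS and the comment above both turn on the same two facts: a resolver turns a name into an IP address, and that answer can be cached for a limited lifetime (the TTL) and fetched from more than one server. The Python below is an added example, not the article's or the commenter's code and not Dyn's software: it encodes a DNS query, parses an A-record response, and wraps that in a resolver that falls over to the next upstream when one is unreachable and re-queries only after the TTL expires. The upstream servers, the name example.com, the address 192.0.2.10 and the 30-second TTL are all constructed for the demo; no network access is used.

```python
import struct
import time

def encode_name(name: str) -> bytes:
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name: str, txn_id: int = 0x1234) -> bytes:
    """Standard recursive query for the A record of `name`."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)   # flags: RD set
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset just past it in the message)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                         # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_a_records(msg: bytes):
    """Return (rcode, [(name, ipv4, ttl), ...]) from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, records = 12, []
    for _ in range(qd):                                   # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    for _ in range(an):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:     # A record, class IN
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return flags & 0x000F, records

class CachingResolver:
    """Try upstream servers in order; cache each answer until its TTL runs out."""
    def __init__(self, upstreams, clock=time.time):
        self.upstreams = upstreams    # callables: query bytes -> response bytes, or raise OSError
        self.clock = clock
        self.cache = {}               # name -> (ipv4, expiry time)

    def resolve(self, name: str):
        now = self.clock()
        hit = self.cache.get(name)
        if hit and hit[1] > now:
            return hit[0], "cache"
        query = build_query(name)
        for i, upstream in enumerate(self.upstreams):
            try:
                response = upstream(query)
            except OSError:           # timeout or unreachable: fall over to the next server
                continue
            rcode, records = parse_a_records(response)
            if rcode == 0 and records:
                ip, ttl = records[0][1], records[0][2]
                self.cache[name] = (ip, now + ttl)
                return ip, f"upstream{i}"
        raise LookupError(f"no upstream could answer for {name}")

def build_response(query: bytes, ip: str, ttl: int) -> bytes:
    """Constructed stand-in for a real server: echo the question, answer with one A record."""
    txn_id = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)   # QR+RD+RA, NOERROR
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr

def demo():
    """Primary upstream down, secondary healthy, 30-second TTL (all constructed)."""
    clock = [1000.0]
    def primary(q): raise OSError("timeout")
    def secondary(q): return build_response(q, "192.0.2.10", 30)
    resolver = CachingResolver([primary, secondary], clock=lambda: clock[0])
    first = resolver.resolve("example.com")    # primary fails, secondary answers
    second = resolver.resolve("example.com")   # answered from cache, no server needed
    clock[0] += 31                             # TTL expired: must ask a server again
    third = resolver.resolve("example.com")
    return first, second, third

if __name__ == "__main__":
    print(demo())
```

The three results show the two effects the comment describes: the first lookup survives the primary being down because a second server holds the same record, the second lookup needs no server at all, and the third has to go upstream again because the short TTL has expired. A site whose records carry a short TTL therefore loses its cached cover quickly when its DNS host is under attack, while a longer TTL keeps existing visitors working for longer.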
