Botnet-driven DDoS Attacks Represent a Developing Cyberthreat

Security researchers recently discovered a new variant of the Hide and Seek (HNS) botnet, which has infected nearly 90,000 unique devices since its discovery at the start of the year. HNS was already the first botnet to communicate over a custom-built peer-to-peer protocol; the new variant is also the first IoT malware strain that, under certain conditions, can persist across a device reboot instead of being wiped by it, so a simple power-cycle no longer cleans an infected device.

In addition, over a million home fiber routers were targeted by botnet herders this month after an authentication bypass and a command injection bug, usable together, made them easy to hijack. Routers remain an attractive target because they sit at the gateway to the entire network: compromising one gives criminals a foothold from which to reach the devices behind it and recruit them into a botnet.

These incidents show not only that attackers continue to expand their portfolio with more sophisticated and complex attacks, but also serve as a reminder of the dangers of unsecured Internet of Things (IoT) devices.

The Evolution of Botnets

Botnets have transformed the DDoS landscape. They let malicious actors expand the size and reach of an attack far beyond what a single source could generate, execute it with precision and control, and, because the traffic originates from thousands of compromised third-party devices, make the attack very difficult to trace back to whoever commands it.

One of the biggest and most dangerous IoT-related cyberattacks in recent years was the Mirai botnet, whose malware enslaved hundreds of thousands of poorly protected internet-connected devices, largely by logging in with factory-default credentials, and turned them into bots for launching DDoS attacks. Mirai changed the threat landscape: since its source code was published it has spawned many derivatives, which continue to grow in size and use increasingly complex techniques.

For example, the Reaper, or IoTroop, malware also targets poorly secured IoT devices to build its army of bots. Already known to have infected thousands of devices, Reaper is considered particularly dangerous because, rather than relying only on default passwords, it exploits known, unpatched vulnerabilities in the firmware of those devices. Acting like a computer worm, it compromises an IoT device and then scans for new devices to spread itself further.

DDoS threats are already a serious concern for organizations, with a single attack costing an enterprise up to $50,000 (£35,000). As the number of IoT devices grows, so does the pool of devices available for recruitment, and the threat with it. Unsecured IoT devices have powered some of the biggest DDoS attacks on online platforms in the last few years, so organizations of all sizes need to ensure their devices, data and networks are safe.

Best Practices for Protecting Against Botnet-Driven DDoS Attacks

The continuing proliferation of unsecured smart devices means there is no practical ceiling on the size and scale of future botnet-driven DDoS attacks.

To avoid smart devices being enslaved into DDoS botnets, organizations need to pay close attention to the network settings for those devices: where possible, segment them from the rest of the network and restrict their access to the Internet and to other devices to the destinations they actually need. In addition, organizations should track IoT devices in the regular IT asset inventory alongside other assets, and adopt basic security measures such as changing default credentials, keeping firmware patched, and using strong Wi-Fi passwords that are rotated regularly.

Finally, to stay one step ahead of ever-evolving DDoS threats, organizations must maintain comprehensive visibility across their networks so they can spot and resolve issues as they arise. Given the volume of smart devices connected to their networks, organizations need to understand those devices' security limitations and monitor them for unexpected changes in behaviour, such as a device suddenly scanning other hosts, opening Telnet connections it has no reason to make, or sending far more traffic to one destination than its role requires.
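The two practices above, an inventory with a per-device allowlist of destinations and monitoring for behaviour that falls outside it, can be combined into a single check. The following is an added example, not code from the original article or from Corero: it audits one window of flow records from an assumed IoT segment (10.20.0.0/24) against an assumed inventory and flags four things, a source that is not in the inventory at all, a device that contacts a Telnet-class port that worms such as Mirai and Reaper use to recruit new victims, a device that reaches an unusual number of off-policy hosts (scanning), and a device that sends flood-scale traffic to a single off-policy destination (DDoS participation). The subnet, device names, thresholds and flow records are all constructed for illustration.

```python
"""Audit a window of flow records from an IoT segment against an asset inventory.

Everything here is constructed for illustration: the subnet, the inventory, the
thresholds and the flow records are assumptions, not data from a real network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

IOT_SEGMENT = ip_network("10.20.0.0/24")  # assumed VLAN holding the smart devices

# Assumed inventory: each device and the (destination, port) pairs it legitimately needs.
# A segmentation policy would allow exactly these and deny everything else.
INVENTORY: Dict[str, Dict] = {
    "10.20.0.11": {"name": "lobby-camera-1",  "allowed": {("203.0.113.10", 443)}},
    "10.20.0.12": {"name": "hvac-controller", "allowed": {("203.0.113.20", 8883)}},
    "10.20.0.13": {"name": "meeting-room-tv", "allowed": {("203.0.113.30", 443)}},
}

# Ports that IoT worms probe when hunting for new victims: Telnet, alternate Telnet,
# TR-069 and Android Debug Bridge. A camera or thermostat should never originate these.
RECRUITMENT_PORTS = {23, 2323, 7547, 5555}
FLOOD_PACKETS = 5000   # packets to one off-policy destination per window -> flood
SCAN_TARGETS = 50      # distinct off-policy destinations per window -> scanning

Flow = Tuple[str, str, int, int]   # (src, dst, dst_port, packets)

# Constructed flow records for one observation window.
FLOWS: List[Flow] = [
    ("10.20.0.11", "203.0.113.10", 443, 900),      # camera -> its cloud service: allowed
    ("10.20.0.12", "203.0.113.20", 8883, 40),      # HVAC -> MQTT broker: allowed
    ("10.20.0.13", "203.0.113.30", 443, 300),      # TV -> its update server: allowed
    ("10.20.0.13", "198.51.100.7", 80, 120000),    # TV hammering one web server: flood
    ("10.20.0.12", "192.0.2.200", 23, 3),          # HVAC opening Telnet to a stranger
    ("10.20.0.99", "203.0.113.40", 443, 10),       # a device nobody put in the inventory
    ("10.10.0.5", "192.0.2.200", 23, 3),           # outside the IoT segment: not our scope
] + [("10.20.0.11", f"198.51.100.{i}", 2323, 2) for i in range(1, 61)]  # camera scanning


def audit(flows: List[Flow], inventory=INVENTORY) -> Dict[str, Set[str]]:
    """Return {source_ip: set of finding kinds} for hosts in the IoT segment."""
    findings: Dict[str, Set[str]] = defaultdict(set)
    off_policy_pkts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))

    for src, dst, dport, pkts in flows:
        if ip_address(src) not in IOT_SEGMENT:
            continue  # only the IoT segment is audited here
        device = inventory.get(src)
        if device is None:
            findings[src].add("unknown-device")     # inventory gap: identify it first
            continue
        if (dst, dport) in device["allowed"]:
            continue                                # exactly what the policy permits
        off_policy_pkts[src][dst] += pkts
        if dport in RECRUITMENT_PORTS:
            findings[src].add("recruitment-probe")  # a single attempt is already a signal

    for src, per_dst in off_policy_pkts.items():
        if any(p >= FLOOD_PACKETS for p in per_dst.values()):
            findings[src].add("possible-flood")     # DDoS participation looks like this
        if len(per_dst) >= SCAN_TARGETS:
            findings[src].add("scanning")           # worm-style hunting for new victims
    return dict(findings)


def report(findings: Dict[str, Set[str]], inventory=INVENTORY) -> List[str]:
    """Human-readable lines, one per host, with device names taken from the inventory."""
    lines = []
    for src in sorted(findings, key=ip_address):
        name = inventory.get(src, {}).get("name", "UNKNOWN")
        lines.append(f"{src} ({name}): {', '.join(sorted(findings[src]))}")
    return lines


if __name__ == "__main__":
    for line in report(audit(FLOWS)):
        print(line)
```

Two design points are worth noting. A Telnet-class connection is flagged on the first occurrence rather than after a threshold, because a device on this segment has no legitimate reason to originate one, so the false-positive cost is low and the cost of missing the first hop of a worm is high. Flows from an uninventoried host are not scored for floods or scans; the first action for such a host is to identify it and decide whether it belongs on the segment at all, which is the inventory gap the text describes.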

When faced with vast IoT botnet armies launching attacks from across the internet, organizations also need to be prepared with real-time, automatic DDoS protection that delivers proactive detection and mitigation.

For more information, contact us.

Sean Newman is VP Product Management for Corero Network Security. Sean has worked in the security and networking industry for twenty years, with previous roles including network security Global Product Manager for Cisco, which he joined as part of its acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.