Sentencing of Satori Botnet Creator Won’t Reduce DDoS Attacks
Some people may feel better after the news broke that Kenneth Currin Schuchman, the co-creator of the Satori botnet, was sentenced to jail last month, but there is frankly little comfort in knowing that just one cybercriminal has been found and punished. Even though he built one of the most powerful and dangerous botnets, there are many bad actors just like him worldwide who are equally capable of creating, or evolving such potent botnets. Furthermore, this particular criminal may very well continue on his malicious path soon enough; he is only 22 years old, and his sentence is a mere 13 months, followed by 18 months of community confinement. Will the punishment deter him from continuing that life of crime? We can hope so, but not get our hopes up too high; after he was arrested in 2018, he broke the terms of his pre-release arrangement only two months later, by developing a new variant of the botnet.
After the Mirai botnet code was released in 2016, launching the era of IoT DDoS attacks that have since been able to exceed the terabits per second volume threshold, threat actors such as Schuchman seized upon the code and evolved several more sophisticated variants of it, including the Satori botnet. Research indicates that the Satori malware code, released on PasteBin in December 2017, was used to attack hundreds of thousands of Huawei routers and over 280,000 different IP addresses worldwide.
Here’s a little background (or refresher, for those of you who recall the story): the criminal who created the Mirai botnet, Paras Jha of New Jersey, was sentenced to six months confinement at his mother’s house, and $9M in fines, in October of 2019. Will Jha ever pay the $9M in fines? And, even if he did, will the companies that were victims of his DDoS attacks ever receive reparations? Both outcomes are unlikely. Hats off and thanks to the state and federal law enforcers who diligently tracked down the threat actors; their intentions are noble and the cases are not simple to crack. However, this latest case just goes to show that prosecutors are having little success in imposing meaningful punishment on such DDoS criminals.
Jha’s arrest did not impact the botnet-based DDoS for hire economy, and neither will Schuchman’s arrest. On the contrary, botnets have increased in size and variety, because there are many more unsecured IoT devices around the world, available to be hijacked. And, there are plenty of malicious coders on the Dark Web willing to exploit them. In turn, DDoS attacks have continued to become more frequent and sophisticated, with the vast majority of them completing their mission without needing to saturate links; indeed, over 99% of DDoS attacks do not reach 95% link saturation levels.
However, when hackers do want to launch large attacks, it feels they can do so with impunity, even on a scale not seen previously. The most recent record-breaking bandwidth attack was 2.3 Terabits per second (Tbps), against Amazon Web Services in February 2020; and that was followed by another record-setting 809 million packets per second (Mpps) attack on a European bank in June 2020. We may be at the beginning of a trend where high-visibility organizations are being targeted with large-scale DDoS attacks.
The lesson for cybersecurity professionals is, whether on the vendor or customer side of the equation, you cannot rest easy, even after a couple of high-profile, high-impact bad actors are caught and prosecuted. Organizations of all types and sizes must remain vigilant and ensure their networks and services are protected by automated, always-on DDoS protection that can handle volumetric attacks, with a playbook to cope with the potential impact of the very largest DDoS attacks.
For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, click here. If you’d like to learn more, please contact us.
Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry, to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s previous roles include network security Global Product Manager for Cisco, who he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.