Salted Hash Ep 11: Dyn Inc. DDoS anniversary, and the truth about the Reaper botnet

This week we sit down with Josh Shaul, the vice president of web security at Akamai Technologies, to talk about the Dyn Inc. DDoS attack one year later and the Reaper botnet.

For this week's episode of Salted Hash, we're joined by Josh Shaul, the vice president of web security at Akamai. He shares his story about his experiences during the Dyn Inc. DDoS attacks, and offers some details about the Reaper botnet.

On October 21, 2016, the internet melted.

Okay, it wasn't that bad, but anyone watching social media (when it was working) or the news that day certainly would've thought so. Earlier that morning, some of the largest properties online went offline, including Amazon, Twitter, GitHub, Spotify, Reddit, the New York Times, Netflix, ISPs in the northeastern part of the U.S., Sony's PlayStation Network, and more.

It wasn't until later that the public learned the source of the outage – a DDoS attack against Dyn Inc., an infrastructure provider that offers managed DNS services. The attack impacted data centers on the east coast, as well as data centers in Texas, Washington, and California.

Eventually, it emerged that the actors behind the attacks were using source code linked to Mirai, the botnet that consists of hijacked IoT devices. A separate botnet using Mirai code was responsible for a DDoS against OVH earlier that month, as well as an attack against journalist Brian Krebs.

Around the time this episode was being filmed, another IoT botnet was gaining attention, but it wasn't attacking anything; it was just sitting there. The fact that it wasn't doing anything raised red flags, because according to initial reports, there were millions of devices attached to the botnet, which researchers had named Reaper.

On October 27, F5 told Salted Hash in an email that Reaper could be 3.5 million devices strong, and growing by 85,000 devices daily.

These figures were larger than those originally reported by Netlab 360, adding fuel to the concern already burning in the minds of administrators the world over. What would this thing do?

As it turns out, nothing.

Again, Reaper didn't have attack code; it just exploited vulnerable devices to spread. But the actual botnet size was way overestimated. We asked Josh Shaul for his thoughts about Reaper, which you can see in the video.

F5 later updated their reporting to note that the 3.5 million devices exploited by Reaper actually included 2.75 million unexploited devices. The actual size, then, would be 750,000 devices exploited by Reaper, but even that count is larger than those observed by Akamai.

Mirai was the catalyst for a massive industry push to secure IoT devices, and to sell security services geared towards defending assets against IoT threats. Reaper started another wave of that push.

Yet, one year after Mirai, nothing has really changed. IoT devices, from IP cameras to routers, toys, and other consumer electronics, are still vulnerable. They can be discovered easily on services like Shodan, sitting there with default credentials or other insecure settings.

And the reason why these devices are so vulnerable is business.

If securing IoT devices causes users to have problems actually using the product, then security is going to be cast aside.

IoT devices like cameras and toys, or routers in the case of Reaper, are supposed to be easy to use – from configuration to function – so security can't hinder that. If it does, consumers will stop using it or worse (according to some marketing / business types), buy from a competitor.

The good news is, as mentioned in the video, Reaper started to taper off because vendors were patching the devices the botnet had exploited and hijacked.

However, basic IoT-related risks are still here, and unless there is a big push for security, they're not going away.
