


Will IoT folks learn from DDoS attack on Krebs’ Web site?

Sep 28, 2016 | 6 mins
Data and Information Security, Data Breach, Internet Security

The first volley has been fired in the IoT wars.


Brian Krebs did a simple thing. He reported on the take-down of a distributed denial of service (DDoS)-for-hire group, vDOS, and the arrest of two of its Israeli teenage operators. The ensuing cyber temper tantrum, which was forensically linked to one of the teenagers, resulted in the largest DDoS attack on record and affected hundreds of businesses and thousands of users. Let’s look at the implications beyond Krebs.


On Sept. 20, Krebs was the victim of the largest Distributed Denial of Service (DDoS) attack in the history of the internet. Krebs’ pro-bono host, content delivery network (CDN) services provider Akamai, reported the amount of data fired against them in the attack reached 665Gbps. Until then the largest attack Akamai had experienced reached only half that rate, 363Gbps. Akamai successfully fought off the attack and Krebs’ site remained up but the loss of functionality for Akamai’s other business resulted in significant financial losses. Akamai ultimately decided to drop Krebs’ blog.

Why should you care? 

Well, let’s assume that the attack was against Krebs; not a far stretch because he blogs about cybersecurity and is not afraid to call out groups and individuals who are involved in stupid, pointless, or illegal interference with our daily online business and personal lives. In this case he called out the same people, vDOS, who were implicated in hundreds of pay-for-DDoS attacks. The vDOS vandals were associated with other cybercriminals including Lizard Squad. Lizard Squad was responsible for the 2014 Christmas outages at Sony and Microsoft. Remember the Christmas joy when you bought the kids that new PlayStation and they couldn’t connect? So the bad guys pointed the data cannon at Krebs and fired. Miss. But what about collateral damage?


Akamai hasn’t yet released the financial impact of the attack against their servers but it will likely be in the range of several million dollars. Akamai was collateral damage. So were Akamai’s customers who were denied functionality during the event. So were the customers of these businesses, who depended upon access to data, news, and basic communication. Whether by design or as an unintended consequence, a cascade of financial and reputational loss ensued.


How you might have been an unwitting accomplice

Analysis of traffic in the DDoS indicated a “garbage web attack,” flooding a system with GET, SYN, and other requests. This kind of attack (currently) can’t be spoofed like a DNS attack; each requesting device must use generic routing encapsulation (GRE) packets. GRE is a protocol that establishes a discrete device-to-device connection and is attributable.

In this garbage web attack, an enormous botnet was created by compromising internet of things (IoT) devices. When I say “enormous,” I mean hundreds of thousands of compromised IoT devices. Currently there are two major Tactics, Techniques, and Procedures (TTPs) used to form these botnets. The first and most obvious is scanning for unprotected devices. The second is compromising the control servers of the devices themselves. Both TTPs are enabled by malware that appeared on the web in 2015 and now appears in myriad forms and names. Coding skills are not required – you can buy an app or hire a service to conduct an attack.

The IoT is ubiquitous and invisible – enabled devices range from automobiles to whiskey bottles and tennis rackets. As such, it’s possible that your smart TV, your doorbell camera, and your web-enabled refrigerator all were part of the cyber-gang that attacked Krebs’ site. The IoT, intended to enable convenience, safety, and remote operability, has evolved into the Internet of Irritating Things (IoIT). 


Before you confront your thermostat and demand an apology, understand that the IoIT is itself a victim. The IT industry has faced some challenges incorporating security as part of the software development process, but we all benefit. Hardening systems and networks via software has begun to throttle botnets in general. Let’s make this personal — in 2008, the Srizbi botnet created 60 percent of all spam worldwide, about 60 billion emails every day. Worldwide spam volume decreased by 75 percent when it was neutralized. It remains so in part through security in the development process as the internet grows and progresses.

Accepting and integrating security/software development was not done overnight; it remains an ongoing process and for some the learning curve is quite steep. Now the IoT folks, hopefully, are learning the same lessons. 

Is your computer one of the living dead?

Determining if your computer has been turned into a zombie and is mindlessly participating in a botnet can be done both digitally and physically:

Does your computer act “different?” Is it crashing and generating error messages for no apparent reason?

Does it take longer to start or shut down?

Does your fan kick in at high speed when you’re not using the computer?

Are you seeing high data rates on Task Manager while you are idle?

If you notice these indications, an anti-virus program can help. At the worst you’ll need to wipe your drive and re-install your operating system. You did regularly back up all your data, right?
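The "high data rates while you are idle" check above can be automated. The sketch below is an added example, not part of the original article: it scans periodic readings of an interface's cumulative sent-bytes counter and reports sustained upload while nobody is using the machine. The `Sample` fields, the thresholds, and the readings in `SAMPLES` are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: float        # seconds since monitoring started
    tx_bytes: int   # cumulative bytes sent on the interface
    idle: bool      # True if there was no user input since the previous sample

def idle_tx_alerts(samples, max_idle_bps=50_000, min_consecutive=3):
    """Return (start_t, end_t, mean_bytes_per_s) for every run of at least
    min_consecutive idle intervals whose upload rate exceeds max_idle_bps."""
    alerts, run = [], []          # run holds (start_t, end_t, bytes_sent)

    def flush():
        if len(run) >= min_consecutive:
            start, end = run[0][0], run[-1][1]
            alerts.append((start, end, sum(r[2] for r in run) / (end - start)))
        run.clear()

    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        sent = cur.tx_bytes - prev.tx_bytes
        if dt <= 0 or sent < 0:   # clock glitch or counter reset (reboot, NIC reset)
            flush()
            continue
        if cur.idle and sent / dt > max_idle_bps:
            run.append((prev.t, cur.t, sent))
        else:
            flush()               # user activity or quiet interval ends the run
    flush()
    return alerts

# Constructed readings taken every 10 seconds (illustrative values only).
SAMPLES = [
    Sample(0, 1_000_000, False),
    Sample(10, 1_200_000, False),  # user active, ignored
    Sample(20, 1_210_000, True),   # idle, 1 KB/s: normal background chatter
    Sample(30, 3_210_000, True),   # idle, 200 KB/s
    Sample(40, 5_210_000, True),   # idle, 200 KB/s
    Sample(50, 7_710_000, True),   # idle, 250 KB/s
    Sample(60, 7_720_000, True),   # back to 1 KB/s
    Sample(70, 500, True),         # counter reset, interval skipped
    Sample(80, 2_000_500, True),   # single burst, too short to alert on
]

if __name__ == "__main__":
    for start, end, rate in idle_tx_alerts(SAMPLES):
        print(f"idle upload {rate / 1000:.0f} KB/s from t={start}s to t={end}s")
```

On a live machine the cumulative counter can come from the operating system's interface statistics, for example `psutil.net_io_counters().bytes_sent`; a flagged window is a reason to look at which process owns the traffic, not proof of infection.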



DDoS attacks can be initiated by an app, a program, or by hiring criminals to conduct a DDoS. DDoS attacks cost not only the target but also anyone associated with the target (cascading effect), and damage spreads geometrically. Consequences of an attack against almost any entity on the internet negatively affect us all in some way.

Botnets enable DDoS attacks. Botnets can be created, rented, or purchased. Personal computers, giant corporate servers, and IoT devices as small as fitness trackers can be part of a botnet while owners and operators remain oblivious.

It is possible to determine by observation and data analysis if you are part of a botnet. It’s much easier to defend your system than to restore it.

John Bryk retired from the U.S. Air Force as a colonel after a 30-year career, last serving as a military diplomat in central and western Europe and later as a civilian with the Defense Intelligence Agency. Bryk holds, among other degrees, an MBA, an M.S. in Cybersecurity, and an M.A. in Business and Organizational Security Management, a combination that gives him a unique outlook on the physical and cyberthreat landscapes. As an intelligence analyst for the private sector, he focuses on the protection of our nation's natural gas critical cyber and physical infrastructure.

The opinions expressed in this blog are those of John Bryk and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.