DDoS attack by massive IoT botnet takes down Krebs on Security

The Internet of Things is becoming an intensely debated technology because of its proven security risks. Weak passwords on devices and accounts make it easy for hackers to install malware on any appliance, which is then used to launch DDoS attacks. With the number of DDoS attacks on the rise, no user is exempt, not even security writer Brian Krebs, as hackers showed last week.

Cyber security blog Krebs on Security, owned by best-selling author Brian Krebs, was taken down last Tuesday following a major distributed denial-of-service (DDoS) attack. Around 620 gigabits of traffic per second were launched by a botnet allegedly made up of 1 million compromised IoT devices, such as routers, cameras, lightbulbs and thermostats, protected only by bad passwords.


The attack was so aggressive that the Akamai platform could not sustain the resources needed to fight it, especially since the company was hosting Krebs’ account for free. After resisting the attack for three days, the company had to cancel the account. Had the cloud services provider continued to fight, “millions of dollars in cybersecurity services” would have been spent.

In spite of being “among the biggest assaults the Internet has ever witnessed,” it failed, wrote Krebs on his site.

“It’s not junk traffic,” Andy Ellis, Akamai’s chief security officer, told NetworkWorld, pointing out that the attack consisted of genuine HTTP requests.

“Many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods,” noted Krebs.

Akamai Technologies is investigating the attack in order to release an accurate estimate of the number of IoT devices involved and to come up with a proper security strategy for the future.

“The lesson for enterprises is that the DDoS protections they have in place need to be tweaked to handle higher attack volumes,” Ellis added.

The blog is online again after Google offered its services through the Project Shield program, a free service which could better handle such attacks in the future.
