Record-setting distributed denial of service (DDoS) attacks based on the Mirai Internet of Things (IoT) botnet technique have pushed the challenge facing the cybersecurity industry to a completely new level, a security specialist has warned in the wake of a research report flagging a year-on-year explosion in detected DDoS attacks.
Akamai’s latest State of the Internet (SOTI) Security Report, which covers the third calendar quarter of this year, found that the two largest DDoS attacks of the quarter – which weighed in at 623Gbps and 555Gbps respectively – both leveraged the Mirai botnet technique that was released to the world in recent months. Security experts had already warned that Mirai would drive a surge in the DDoS threat, and Akamai’s retrospective study confirms DDoS perpetrators are wasting no time in exploring its possibilities.
While Akamai mitigated 8 percent fewer DDoS attacks than in the previous quarter, overall DDoS attack volumes were up by 71 percent during the last quarter compared with the same time period in 2015. Some 19 mega attacks were detected peaking at more than 100Gbps – compared with just 8 such attacks a year earlier – with an average of 30 DDoS attacks detected per target during the quarter.
A year ago, the largest DDoS attack detected involved 149Gbps of traffic – but this had grown rapidly over the past year, to 363Gbps in Q2 this year and nearly doubling again in Q3. That growth had turned the Mirai in to the promulgator of a ‘harbinger attack’, said the report’s senior editor Martin McKeay, that was “radically different” to previous attacks and changed the rules for security researchers.
Mirai, which by some counts has already infected over 493,000 IoT devices, had “made concrete the industry’s fear that IoT and other Internet connected devices could be used for both web application and DDoS attacks,” McKeay said in a statement, “illustrating the need for device manufacturers to place a greater emphasis on security.”
Hackers unleashed 427 DDoS attacks on the unnamed worst-hit organisation during the quarter, with 30 percent of such attacks originating from China, 22 percent from the US, and 16 percent from the UK.
Interestingly, the figures were much different in terms of web application attacks – for which US sources were responsible for 20 percent, while Chinese sources were only fingered in 5 percent of attacks and UK sources didn’t rate. This disparity suggests that DDoS attacks have become the favoured vector of hackers in a few countries, while those favouring web application attacks were far more widely distributed.
Australia didn’t register as a source of either type of attack, although it was targeted in 3 percent of web application attacks during the quarter – just a fraction of the 66 percent of attacks targeting US interest and account for fewer attacks than Brazil (5 percent) and Germany (5 percent).
Akamai’s warning on IoT threats is the latest in an escalating warning cry from an industry that has been taken by surprise by the rapidity and ferocity of cybercriminals’ exploitation of IoT botnets for malicious purposes.
Concerns over the trend were evident in ISACA’s recent 2016 IT Risk/Reward Barometer, in which the organisation surveyed 216 Asia-Pacific members and found that fully 44 percent believed there was a high likelihood of an organisation being breached through an IoT device. An additional 37 percent believed there was a medium likelihood, and just 11 percent said the chances of such a breach were low.
Despite these concerns, fully 44 percent of respondents said their IT department wasn’t even aware of all of the connected devices in the business. Some 84 percent said vulnerabilities in the devices were a security concern, while 80 percent were concerned about data leakage through IoT devices and 84 percent worried about access control.
Only 4 percent of respondents to the ISACA survey said that IoT does not pose any significant security concerns.
Some 72 percent said IoT device manufacturers were not implementing sufficient security measures in their equipment – echoing escalating concerns about the security of devices like networked security cameras, door locks and wheelchairs, wearable devices, medical devices, and more.
Despite the concerns, US lawmakers were sceptical during recent hearings in which security expert Bruce Schneier testified that the government needed to impose IoT security standards to reduce the threat posed by the devices.
“The market really can’t fix this, Schneier said. “Buyer and seller don’t care.”