Do IoT Botnets provide a more cost-effective option for attackers who provide DDoS attacks as a service?
In an ever-changing world, change is the only constant. Cybercriminals are
the best example of this phrase: they continuously find new techniques and
exploit the vulnerabilities of systems. The use of IoT botnets in the latest
DDoS attacks is one of the prime examples of how attackers update their
methods and techniques to accomplish their task. The number of IoT devices has
exploded in recent years, and they are very much favored by attackers for the
creation of a botnet army. The vulnerabilities in IoT devices make them very
favorable, but for a profitable business they should also be a very
cost-effective solution. In this research paper we have tried to find out
whether this is true or not.
In the history of cyber-attacks, DDoS attacks have been the most pertinacious
and detrimental since their inception. The first DDoS attack, which occurred
in 1974, was courtesy of a 13-year-old student named David Dennis at
University High School, who was curious to see what it would look like to log
off all the users present in a room at once [1]. Curiosity led to the
development of the first DDoS attack, but further down the road the motivation
for attacking targets changed. With the introduction of IRC channels, the
fight for gaining super user privileges led to attacks. The motivations for
the attacks have changed from curiosity to monetary gain, and from personal to
political gains. The latest reports from Akamai state that there was a 28%
increase in DDoS attacks in Q2 2017 as compared to Q1, and we may observe a
growing trend in attacks in the future. The profile of hackers has also
changed over the period, going from geeks or nerds to businessmen, by turning
DDoS attacks into a service which can be hired by anyone. With DDoS as a
service, an attacker doesn’t need to have technical knowledge or a background
in computers to orchestrate the attacks. This opens many possibilities for how
a DDoS attack can be used: a person may leverage it for gaining personal or
business profits against a competitor. A political party may hire it for
influencing the campaigns of the other candidates.
A successful company “A”, with its cash cow product, wanted to launch a new
scheme which could boost its online sales to new heights. The company chose
Thanksgiving week for the launch and is trying everything to make it
successful, so that the customers have a wonderful, seamless experience. On
the other hand, the business competitor “B” also planned a similar campaign
for their product, and wants to maximize its profit as well. They can’t
directly compete on the scale that their competitor “A” has planned, so they
try to affect A’s online sales for their own benefit. They hire a DDoS attack
service at a cheap cost for a week, which impacts the sales of company “A”, as
it can’t serve the requests of its customers. This helps company “B”, as the
frustrated customers from company A’s website turn to theirs. Without any
computer or technical knowledge, company B was able to execute the attack and
take advantage of the timing of the sale. This DDoS attack not only cost
company A its targeted sales goal but also placed a bad mark on the company’s
reputation. The company also had to bear the losses due to lost productivity,
downtime and mitigation costs. Company B, on the other hand, enjoyed the
service of the DDoS attack at a very low price with complete anonymity and
guarantee. This helped them to boost their sales and profits and generated
more sales revenue.
This scenario is not hypothetical anymore and is happening on a day-to-day
basis. There was a 10% increase in DDoS attacks in the year 2017 as compared
to 2016 [3]. The report estimated the loss in revenue at over $2.5 million on
average across organizations. DDoS attacks have not only turned out to be a
profitable business but also a weapon which can be wielded by anyone with a
motive to employ it. The report from Corero suggests that the monthly attack
attempts have increased by 91% as compared to Q1 2017 [4]. The transformation
of the business model into DDoS attacks as a service, with cheaper costs and
multiple options, provides a genuine reason for the high frequency of the
attacks being observed. With the increasing number of IoT devices, the reports
have also suggested an increase in the number and frequency of DDoS attacks.
From the below figure, the percentage of multiple DDoS attacks on the same
company has increased to 73% in 2017 as compared to 60% in the year 2016.
We have been discussing DDoS attacks in the previous section; here we look in
more detail at what they are and how they function. A distributed denial of
service (DDoS) attack is an attack in which many compromised computer systems
attack a targeted system. The target system can be a website, a server or a
network resource. The compromised systems used for a DDoS attack are labeled
zombies or bots; they are under the control of the attackers and get activated
only when the attacker needs them to. The bots or zombies attack the target
with forged requests which overwhelm the target system. The target system
cannot service all the requests, or it services the bogus requests generated
by the bots. In this scenario, the genuine requests from customers are not
serviced, and those customers face service disruptions.
The attacker exploits the vulnerabilities in one of the systems and makes it a
DDoS master. Once the master is formed, it continuously looks out for other
such vulnerable systems. When it encounters such a system, it converts the new
system into its slave by planting malware on the system or by gaining control
of it through weaknesses in its authentication controls (e.g. a default
password). The same process is repeated, and a network of devices is formed
which is under the control of the intruder. The compromised systems are called
bots and the network of such devices is called a botnet. Complex DDoS attacks
can also have multiple layers and hierarchies; in such a scenario, there can
be multiple masters which in turn each control a specific set of bots, as
shown in figure 2. The botnets overload the target with bogus requests so that
the requests from genuine users are not served. This either leads to prolonged
delays in processing the requests or crashes the server, which in both cases
causes loss to the business and creates a bad reputation as well.
Best Practices for DDoS Resiliency
DDoS as Service:
DDoS attacks as a service are now being offered on the darknet or Clearnet,
where anyone who has a motive for performing a DDoS attack can hire a botnet
instead of creating one from scratch, and can execute the attack using it. The
user doesn’t need to have a technical background or expertise in this field.
Because of the competition, the service providers have different plans and
service offerings for their products. Some of the price listings for the
services offered by the hackers on the darknet can be seen in Figure 3 [5].
The hackers have matured in the art of selling, or they may have hired
marketing services from others. They provide guarantees and testing of the
services too, and an option to pay for the services after usage and once the
customer is satisfied. To overcome the competition, service providers have
used different techniques, such as catchy taglines on their websites stating,
“quick solutions to all your problems with the competitors and enemies”.
As DDoS attack as a service is growing, the providers have come up with
different service options; among them, 24/7 customer support, a component of
the service industry, is now being introduced [6]. Figure 4 shows statistics
published by a DDoS attack service provider about his product, which customers
may find interesting.
From the SecureWorks report we can observe, in the below image, the trend of
increasing prices for DDoS attacks as compared to the years 2013 and 2014. The
prices mentioned below are from before the attack of the Mirai botnet. The
DDoS mitigation services provided by different companies during this time seem
to have had this effect. It may also be possible that the attackers were
planning something new and big related to DDoS attacks during this time. After
the Mirai attack, this trend seems to slide down for DDoS with the
introduction of IoT devices. IoT devices may provide cheap options for the
service providers to create, maintain and rent out botnets for a profitable
margin.
Internet of Things:
IoT stands for Internet of Things, which is used to describe the new
generation of devices which are inter-connected using a local or internet
connection. These devices may be smartphones, CCTV cameras, fridges, coffee
makers, lawn mowers etc. The Internet of Things (IoT) has become reality in a
short span of time and the number of devices has increased at a very rapid
pace. By the year 2020, there will be 24 billion devices in the IoT ecosystem,
and approximately $6 trillion will be spent on IoT solutions in the next 5
years [7]. The IoT boom has been due to rapid acceptance by the market, owing
to the devices’ usability and size. The report from IHS forecasted 6 billion
more devices to be connected in 2020 [8].
The average cost of sensors, which are major components of IoT devices, has
been falling. This is one of the main reasons why manufacturing such devices
has become a more profitable business. From the below figure 6, we can see
that the average cost of a sensor in 2016 was $0.50 as compared to $1.30 in
2004 [9]. The reduction in the cost and size of the sensors has contributed a
lot towards this explosion. IoT devices provide a very cost-effective solution
for remote monitoring, automation and data gathering for analytics purposes.
The interconnected devices make their own network, and the communication among
them helps in creating better lives for humans.
IoT devices in the smart home have taken a great leap in making life easier
for human beings. Getting a cup of coffee ready while you wake up and brush
your teeth, without pushing a button on the coffee maker or even before
getting out of bed, or setting the right temperature on the home thermostat
while leaving from the office, so that the house is warm and cozy once you
enter, has made them popular among customers. The new generation of IoT
devices for gardening helps in removing weeds, cutting the grass, watering the
plants or adding fertilizer while you are away on vacation or sipping coffee.
The application of IoT not only in smart homes but also in offices has helped
in making cost-effective decisions for allocating resources where they are
needed.
IoT devices have shown immense potential in how they can be used to change
human life for the better. They are at the same stage where personal computers
once were. Hence, in this scenario too, the security and privacy of the data
and the devices have not been considered. The vulnerabilities in the systems
and the threats originating from them are not being given the attention they
deserve, due to the race to launch products and to come up with new innovative
solutions. The inter-connectivity between the devices forms the backbone, but
if security is not considered in the design process, it generates an elevated
risk. For example, a smart thermostat and a home security system can be
interconnected, and one can lead to a significant vulnerability in the system.
The smart thermostat can read the temperature of the home and can ask the
security system to open the windows if the temperature rises above a certain
threshold. In this scenario, if the thermostat gets hacked or misused by a
person to elevate the temperature, then once the temperature rises over the
threshold it would trigger the security system to open the windows, hence
leading to a physical
IoT devices are no different from a traditional server or personal computer in
terms of hacking. These devices can also be hacked and misused for personal or
professional advantage. The automated garden system, DVRs, smart TVs, fridges:
all these devices which are connected to the internet carry a risk of being
compromised. The methods for hacking such devices may differ but the potential
risks remain the same. IoT devices can also be hacked and used for causing
DDoS attacks in the same way as traditional personal computers or servers, and
these devices are referred to as IoT botnets. As the number of IoT devices is
increasing, so is the number of IoT botnets. The structure of attacks on IoT
devices is explained in detail in the later section about how the Mirai IoT
botnets were created and launched a record-breaking 620 Gbps attack on Dyn and
the Krebs website [10] [11].
Components of the botnet:
A botnet mostly consists of the bots, which are the infected systems. But
creating the bots and controlling them, so that they can be used for DDoS
attacks when needed, requires some more components. These components are
required for the creation and maintenance of the bots or botnet. A
hierarchical structure is formed which has the botmaster as the top authority.
The botmaster can decide to use the botnet for himself, based on his
motivation, or can make his botnet available to others as a DDoS service. The
botnet components can be described as:
1. Botmaster, the person who either creates or rents out the botnets. The
botmaster uses the command and control server for maintaining
2. Malware, a program which is developed or used by the botmaster for
infecting the device.
3. Bots, the vulnerable systems which are exploited by the malware and are
under the control of the botmaster.
4. Command and Control servers, which are used to control the bots. They send
information to and receive information from the bots.
Botnets have evolved over the period, and more components have been added
along the way for the maintenance and control of the bots. The new botnet
anatomies that have been found include scanner and reporting servers in the
structure as well.
Evolution of IoT Malware:
IoT malware has existed for a long time, but its real power was revealed by
Mirai. As per the report from Kaspersky (figure 7), the earliest malware for
IoT, named Hydra, was detected in 2008, and IoT malware has evolved into the
more devastating malware known as Mirai in 2016 [12]. Below is the list of the
malware with a small description of each.
Hydra: It is one of the earliest known malware used for targeting IoT devices,
mainly routers [13]. It was also developed to gain access to home routers and
modems, and was believed to have Australian origin. It was loaded with common
usernames and passwords that were used to gain access to the device [14].
Tsunami: This malware was designed to attack not only Linux-based devices but
also Mac OS [15].
Lizkebab/BASHLITE/Torlus/Gafgyt: These malware belong to the same family and
targeted IP cameras, DVRs and Smart TVs [16].
Linux.PNScan: This is also a Linux-based malware, which had a capability of
peer-to-peer connectivity [17].
Mirai: It is the malware which brought the internet to its knees. After the
release of the Mirai code on the internet, the malware has evolved a lot and
many new variants of Mirai can be found on the darknet. One of the variants of
Mirai improved it with an advanced algorithm and by removing most of the
hard-coded code from it [18].
Mirai and Baidu DDoS attack.
To learn more about how a DDoS attack works, we will study two recent attacks:
Mirai, which was carried out using IoT botnets, and Baidu, in which a server
was hijacked to cause the attack [19] [20]. The Mirai botnet was used to
perform a DDoS attack against the DNS service provider Dyn, which affected not
only Dyn but also other major internet websites such as Twitter, Spotify etc.
Mirai was also used against the Krebs website, which was held to ransom for
stopping the attack before Google’s Project Shield intervened to help the
blogger. Mirai was also used in the attack on the French hosting company OVH.
The bots used by Mirai were Internet cameras, routers, DVRs and any other
smart devices which were connected to the internet [21].
On the other hand, Baidu a Chinese web search
performing a massive attack which crippled the GitHub. The hackers got control
over the website and injected malicious code, which redirected the users to
the GitHub page. In this scenario, millions of innocent users using the search
engine unknowingly became the soldiers for causing a massive DDoS attack
Mirai is one of the most devastating malware ever developed, and it is capable
of self-replication. Mirai means “the future” in Japanese, and it has the
capability of infecting around 4000 IoT devices per hour. At the time of the
attack its botnet consisted of around 150,000 IoT devices. To create a bot, it
searches for a vulnerable device and uses a dictionary attack to gain access.
Once the infected device is under the control of the botmaster, it waits for
commands to initiate attacks. It works like the typical malware used for
creating botnets.
In Mirai, there exists no separate scanner component; instead, the bots
perform the function of scanning for vulnerable IoT devices as well as
carrying out DDoS attacks on the target. In a general scenario, C2s
communicate regularly with the bots, the foot soldiers in the botnet. Most
botnets implement a standard client/server architecture where the bots get
their commands from the C2s or controllers. The botnet malware spreads to new
IoT devices by continuously scanning the internet for vulnerable IoT devices,
either from the bots or from an external scanner (in some cases, the C2s
perform the scan directly). Potential victims’ devices can be found using
special search engines such as Shodan (www.shodan.io) and Censys
(www.censys.io). The reporting server receives one-way traffic with
information about the IP addresses and credentials of the vulnerable IoT
devices from scanners (as in BASHLITE) or from the bots (as in Mirai malware).