If you thought the DDoS (Distributed Denial of Service) hype had faded, think again. A record busting attack of 1Tbps has been measured this week originating from a botnet comprised primarily of IoT (Internet of Things) devices.
The unenviable target was French hosting company OVS whom over a sustained attack period of a week, measured a volumetric peak of 1Tbps. Roughly the equivalent to receiving 10 high definition quality movies per second, the event earned its orchestrators the accolade of the largest recorded DDoS attack to date.
DDoS and particularly the volumetric variant is hardly ground-breaking, with much being written about on the subject in the past four years. Resultant increases in the security of laptops, PCs, tablets and smart phones had hampered the ability for cyber-criminals to build substantial botnets using these vectors. However, what has raised eyebrows in this particular case was that the majority of the attack was delivered using a botnet comprised of a different type of device.
IoT devices, a new generation of internet enabled white goods, CCTV cameras, smart TVs and heating thermostats etc. which had been compromised so that they led double lives. OVS estimated that at the peak of the attack, over 152,000 seemingly innocent IoT devices were simultaneously taking part.
This new breed of cool consumer technology is something which both excites and troubles the IT security industry. There are clear benefits to the its application in both the home and the workplace, plus everyone loves a good gadget. But there is a worrying cavalier attitude that many device manufacturers take to security.
Basic flaws, which in the traditional IT world were resolved years ago, are creeping back in as device manufacturers are more focused on providing features which they can advertise on the box rather than they are at ensuring those features are not comprisable. Even in cases where vulnerabilities are discovered and patches released, who thinks to check their refrigerator website for updates?
We hold up the fathers of the internet as heroes whom without their visionary foresight our world would look very different world today. However, the internet was created with little consideration for security, something we in the IT security industry have battled with for decades. The rapid rise of IoT presents a real risk in that consumerism has started to wind back some of the progress we have made.
So what can be done when the horse has bolted from the stable? Its futile to chase it, but we can draw a line in the sand and focus on new devices by measuring them against a standardised accreditation, ensuring a basic level of security. A familiar scenario to network administrators, developers and security auditors. Give consumers and users the choice of purchasing a safer device and shame non-compliant manufacturers into raising their game as a result.
Nudge nudge ISO (International Organization for Standardization).